From kevross33 at googlemail.com Sun Nov 1 11:39:53 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Sun, 1 Nov 2009 16:39:53 +0000
Subject: [Emerging-Sigs] SIG:Mambo Cache_Lite Class mosConfig_absolute_path RFI
Message-ID:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APP Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; uricontent:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F\x2F/Ui"; classtype:web-application-attack; reference:url, www.securityfocus.com/bid/29716/info; reference:url, downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; sid:15000001; rev:1;)

Kev

From emerging at emergingthreats.net Sun Nov 1 16:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 1 Nov 2009 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091101210013.85D614502F@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Nov 1 16:00:13 2009 [***]

[*] Rules modifications: [*]
    None.
[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (4):
    2500404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Removed from emerging-sid-msg.map.txt (4):
    2500404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From wolvee.x at gmail.com Mon Nov 2 00:43:22 2009
From: wolvee.x at gmail.com (Wolvee)
Date: Mon, 02 Nov 2009 11:13:22 +0530
Subject: [Emerging-Sigs] updated sig
Message-ID: <4AEE717A.6070006@googlemail.com>

In content:"GWComposeCtl.SetFontFace"; GWComposeCtl is the object name; it is a variable.
Updated sig:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"9796BED2-C1CF-11D2-9384-0008C7396667"; nocase; distance:0; content:"SetFontFace"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9796BED2-C1CF-11D2-9384-0008C7396667/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36398; reference:url,doc.emergingthreats.net/2009923; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Novell; sid:2009923; rev:5;)

From kevross33 at googlemail.com Mon Nov 2 07:43:01 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 2 Nov 2009 12:43:01 +0000
Subject: [Emerging-Sigs] SIG:Cherokee Web Server GET AUX DOS
Message-ID:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; classtype:attempted-dos; reference:url, securitytracker.com/alerts/2009/Oct/1023095.html; reference:url, www.securityfocus.com/bid/36814/info; reference:url, www.securityfocus.com/archive/1/507456; sid:1100001; rev:1;)

Simple sig for this. Comments anyone?

Kev
From jason.weir at nhrs.org Mon Nov 2 08:54:59 2009
From: jason.weir at nhrs.org (jason.weir@nhrs.org)
Date: 2 Nov 2009 08:54:59 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
Message-ID:

MalwareURL.com Data Contains 39079 Entries - Here are the top 30 (8177)

 #  Signature  URI                                                 Count  Description
----------------------------------------------------------------------------------------
 1  none       cache/readme.pdf                                      941  exploits / redirects to exploits
 2  none       index.php                                             919  exploits / redirects to exploits
 3  none       ts/in.cgi?pepsi18                                     895  exploits / redirects to exploits
 4  none       o.js                                                  744  redirects to rogue antivirus
 5  none       index.php                                             590  exploits
 6  none       download/install.php                                  584  rogue antivirus
 7  none       download/install.php                                  300  rogue antivirus downloader / internetantiviruspro
 8  none       cache/flash.swf                                       276  exploits / redirects to exploits
 9  none       load.php                                              254  exploits / trojan
10  none       download.php                                          231  rogue antivirus
11  none       cache/readme.pdf                                      227  exploits / trojan
12  none       img/index.html                                        225  redirects to trojan
13  none       cache/flash.swf                                       207  exploits / trojan
14  2010050    download/Antivirus_21.exe                             165  rogue antivirus / personal antivirus - fakexpa
15  none       3/installer/Installer.exe                             123  trojan fakerean
16  none       1/installer/Installer.exe                             123  trojan fakerean
17  none       2/installer/Installer.exe                             123  trojan fakerean
18  none       installer_1.exe                                       118  rogue antivirus downloader / fakeplus
19  none       installer.1.exe                                       115  rogue antivirus downloader / fakeplus
20  none       op1.js=http://www.theriverlive.cn                     115  redirects to rogue antivirus
21  2010055    pcdef.exe                                             101  trojan tdss / rogue antivirus
22  2010054    codec.exe                                             101  trojan tdss / rogue antivirus
23  none       file.exe                                              101  trojan tdss / rogue antivirus
24  none       installer_1.exe                                        96  rogue antivirus downloader
25  2010056    codec/197.exe                                          93  trojan tdss / rogue antivirus
26  none       0x3e8/setup.exe                                        85  trojan koobface
27  none       xplay.php                                              84  fake codec page / directs to trojan
28  none       webalizer/050709wareza/crack=17=keygen=serial.html     82  exploits
29  none       download/install.php                                   80  rogue antivirus / internetantiviruspro
30  2010051    install/ws.exe                                         79  rogue antivirus

From kevross33 at googlemail.com Mon Nov 2 09:10:19 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 2 Nov 2009 14:10:19 +0000
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To:
References:
Message-ID:

Possible sig for the fakerean trojan based on this. Thoughts?

Kev

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; uricontent:"|2F|installer|2F|Installer|2E|exe"; nocase; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/i"; classtype:trojan-activity; reference:url, www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; sid:1100002; rev:1;)

2009/11/2
> MalwareURL.com Data Contains 39079 Entries - Here are the top 30 (8177)
> [...]
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From pepperjack at afferentsecurity.com Mon Nov 2 09:14:06 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 02 Nov 2009 08:14:06 -0600
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To:
References:
Message-ID: <20091102081406.prkzsbuaxw4woc08@mail.afferentsecurity.com>

How should I be interpreting these duplicate lines?

 6  none  download/install.php  584  rogue antivirus
 7  none  download/install.php  300  rogue antivirus downloader / internetantiviruspro

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jason.weir at nhrs.org Mon Nov 2 09:17:23 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Mon, 2 Nov 2009 09:17:23 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <20091102081406.prkzsbuaxw4woc08@mail.afferentsecurity.com>
Message-ID:

Jack,

I use the description as well as the uri when compiling the data - so while the uri's are the same the descriptions are different - maybe the Malwareurl guys can tell us why - maybe they should be combined? I certainly don't know..

-Jason

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Jack Pepper
Sent: Monday, November 02, 2009 9:14 AM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Malwareurl.com Top 30 Update

How should I be interpreting these duplicate lines?

 6  none  download/install.php  584  rogue antivirus
 7  none  download/install.php  300  rogue antivirus downloader / internetantiviruspro

_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From evilghost at packetmail.net Mon Nov 2 09:18:32 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 2 Nov 2009 08:18:32 -0600
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To:
References:
Message-ID: <4AEEEA38.3040109@packetmail.net>

I really like getting this list. Based on the list below, it looks like we can likely sig with some confidence the pepsi redirect, possibly the installer.exe stuff too. Case-sensitive matching intentionally to avoid false positives.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Malware - Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; uricontent:"ts/in.cgi?pepsi"; pcre:"/ts\/in\.cgi\?pepsi\d+/U"; classtype:bad-unknown; reference:url,malwareurl.com; sid:2009xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Malware - Potential Fakerean Trojan Download"; flow:established,to_server; uricontent:"/installer/Installer.exe"; pcre:"/\d\/installer\/Installer\.exe/U"; classtype:bad-unknown; reference:url,malwareurl.com; sid:2009xxx; rev:1;)

jason.weir at nhrs.org wrote:
> MalwareURL.com Data Contains 39079 Entries - Here are the top 30 (8177)
> [...]

From shepdelacreme at gmail.com Mon Nov 2 09:19:22 2009
From: shepdelacreme at gmail.com (Daniel Shepherd)
Date: Mon, 2 Nov 2009 09:19:22 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To:
References:
Message-ID: <8147414144851994982@unknownmsgid>

I feel like that sig is going to false like crazy and have limited utility when they change the name or path of the installer. We've played around with similar type detection and had limited to no success with them.

Dan

On Nov 2, 2009, at 9:11 AM, Kevin Ross wrote:

Possible sig for the fakerean trojan based on this. Thoughts?
Kev
[...]

2009/11/2
> MalwareURL.com Data Contains 39079 Entries - Here are the top 30 (8177)
> [...]

From kevross33 at googlemail.com Mon Nov 2 09:24:37 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 2 Nov 2009 14:24:37 +0000
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <8147414144851994982@unknownmsgid>
References: <8147414144851994982@unknownmsgid>
Message-ID:

Another Possible Sig

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible FakePlus Trojan Related URI (Malwareurl.com Top 30)"; flow:to_server; uricontent:"Installer"; nocase; uricontent:"1"; uricontent:"|2E|exe"; pcre:"/Installer(\x2E|\x5F)1\x2Eexe/i"; classtype:trojan-activity; reference:url, sunbeltsecurity.com/threatdisplay.aspx?name=Trojan-Win32/FakePlus&tid=4294228&cs=6138F1E2731889726C4AC1C0AA7086E9; sid:1100003; rev:1;)

Also I have submitted this one previously for Fakerean. Hopefully with the PCRE it won't FP as much due to the [1-3] beforehand.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; uricontent:"|2F|installer|2F|Installer|2E|exe"; nocase; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/i"; classtype:trojan-activity; reference:url, www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; sid:1100002; rev:1;)

Kev

2009/11/2 Daniel Shepherd
> I feel like that sig is going to false like crazy and have limited utility when they change the name or path of the installer. We've played around with similar type detection and had limited to no success with them.
>
> Dan
>
> On Nov 2, 2009, at 9:11 AM, Kevin Ross wrote:
>
> Possible sig for the fakerean trojan based on this. Thoughts? Kev
> [...]
>
> 2009/11/2 < jason.weir at nhrs.org>
>> MalwareURL.com Data Contains 39079 Entries - Here are the top 30 (8177)
>> [...]
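Added example, not part of the thread or of Snort: a small Python model of how the uricontent pre-filter and the pcre in the URI signatures above combine. It carries the URI-matching parts of Kevin's Mambo mosConfig_absolute_path RFI sig, evilghost's case-sensitive in.cgi pepsi sig, and the Fakerean and FakePlus sigs, and runs them over constructed URIs so you can see where the substring checks alone would over-match and the regex narrows it (the [1-3] prefix, the case-sensitive pepsi match). The rule names are abbreviations of the msg fields; the sample URIs are made up for the example.

```python
import re

# Added example: toy model of Snort's uricontent pre-filter plus pcre, with the
# URI-matching parts of the signatures posted in this thread. Rule names
# abbreviate the msg fields; flow, classtype and references are not modelled.
RULES = [
    {
        "name": "Mambo mosConfig_absolute_path RFI",
        "uricontent": [("/includes/Cache/Lite/Output.php?mosConfig_absolute_path=", True)],
        "pcre": re.compile(r"=\s*(https|ftps|php|http|ftp)\x3A\x2F\x2F", re.I),
    },
    {
        "name": "in.cgi pepsi redirect",
        # no nocase: evilghost matches case-sensitively on purpose
        "uricontent": [("ts/in.cgi?pepsi", False)],
        "pcre": re.compile(r"ts\/in\.cgi\?pepsi\d+"),
    },
    {
        "name": "Fakerean installer",
        "uricontent": [("/installer/Installer.exe", True)],
        # the [1-3] prefix is what keeps this from firing on every Installer.exe
        "pcre": re.compile(r"[1-3]\x2Finstaller\x2FInstaller\x2Eexe", re.I),
    },
    {
        "name": "FakePlus installer",
        "uricontent": [("Installer", True), ("1", False), (".exe", False)],
        "pcre": re.compile(r"Installer(\x2E|\x5F)1\x2Eexe", re.I),
    },
]


def uricontent_hit(uri, pattern, nocase):
    """One uricontent keyword: plain substring search, case-folded when nocase is set."""
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def matching_rules(uri):
    """Names of the rules whose uricontent keywords all hit AND whose pcre matches.

    The substring checks are the cheap pre-filter; the regex only runs once
    every one of them has matched, which is what keeps the pcre cost down.
    """
    hits = []
    for rule in RULES:
        if all(uricontent_hit(uri, p, nc) for p, nc in rule["uricontent"]):
            if rule["pcre"].search(uri):
                hits.append(rule["name"])
    return hits


# Constructed sample URIs (not from the MalwareURL list or the thread).
SAMPLE_URIS = [
    "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://example.com/x.txt?",
    "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=/var/www/mambo",
    "/ts/in.cgi?pepsi18",
    "/ts/in.cgi?PEPSI18",
    "/3/installer/Installer.exe",
    "/5/installer/Installer.exe",
    "/download/installer_1.exe",
    "/tools/installer1.exe",
]


def run_samples():
    """Map each sample URI to the rules that fire on it."""
    return {uri: matching_rules(uri) for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for uri, names in run_samples().items():
        print(f"{uri:<85} -> {names or 'no alert'}")
```

The second Mambo URI and the "/5/installer/..." URI pass every uricontent check but not the pcre, which is the behaviour Kevin is counting on when he says the [1-3] should cut the false positives; the PEPSI18 URI shows the flip side of evilghost's case-sensitive choice.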
From jonkman at jonkmans.com Mon Nov 2 10:21:53 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 10:21:53 -0500
Subject: [Emerging-Sigs] Signature Contest Winner
Message-ID: <4AEEF911.9060901@jonkmans.com>

We have a winner for the month in the signature Submission Contest. Jaime Blasco has 23 submitted, so he'll be receiving the T-shirt, Lanyard and a mug! (Mugs are due in this week by the way!)

Thanks Jaime! Congratulations!

The contest is reset for November, let the games begin!

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From mike.cox52 at gmail.com Mon Nov 2 10:47:54 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Mon, 2 Nov 2009 09:47:54 -0600
Subject: [Emerging-Sigs] Opachki sig
In-Reply-To: <839aec700910311301v34facdcase2aa24f4b831e67d@mail.gmail.com>
References: <839aec700910311301v34facdcase2aa24f4b831e67d@mail.gmail.com>
Message-ID: <6116b9e20911020747l75cb53ebv1007b813d54dc506@mail.gmail.com>

You can also detect the injected request:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:"Accept-Encoding: "; http_header; nocase; pcre:"/\x0d\x0aAccept-Encoding: ([a-z0-9])\1{2,}/i"; classtype:trojan-activity; reference:url, www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url, www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url, www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; sid:XXXXXXX; rev:1;)

The only problem is the pcre is checked for any HTTP request with an Accept-Encoding header, which is most of them. I cannot really think of a more efficient way to detect it although I'm open to suggestions.

Mike Cox

On Sat, Oct 31, 2009 at 2:01 PM, Darren Spruell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker Traffic Redirection"; flow:established,to_server; uricontent:"/?do=rphp"; nocase; uricontent:"&sub="; nocase; uricontent:"&b="; nocase; uricontent:"&q="; nocase; uricontent:"&orig="; nocase; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; sid:XXXXXXX; rev:1;)
>
> Outstanding analysis/writeup from SecureWorks.
>
> --
> Darren Spruell
> phatbuckett at gmail.com

From jonkman at jonkmans.com Mon Nov 2 14:52:37 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 14:52:37 -0500
Subject: [Emerging-Sigs] Opachki sig
In-Reply-To: <6116b9e20911020747l75cb53ebv1007b813d54dc506@mail.gmail.com>
References: <839aec700910311301v34facdcase2aa24f4b831e67d@mail.gmail.com> <6116b9e20911020747l75cb53ebv1007b813d54dc506@mail.gmail.com>
Message-ID: <4AEF3885.7020100@jonkmans.com>

Ya, that'd be too high a load as is I think. Maybe we could try excluding normal encodings? Like gzip, etc? Is there a small enough subset to do so?
Matt

Mike Cox wrote:
> You can also detect the injected request:
> [...]
> The only problem is the pcre is checked for any HTTP request with an Accept-Encoding header, which is most of them. I cannot really think of a more efficient way to detect it although I'm open to suggestions.
>
> Mike Cox
> [...]

From jonkman at jonkmans.com Mon Nov 2 14:55:34 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 14:55:34 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To:
References: <8147414144851994982@unknownmsgid>
Message-ID: <4AEF3936.60003@jonkmans.com>

The first would be better for performance in 2 sigs, but I'm afraid of falses on the concept. Anyone have a feel for how many of those exe names we'd see legitimately?

The second sig is good to go, posting now. Thanks Kevin!!

Matt

Kevin Ross wrote:
> Another Possible Sig
> [...]
> Also I have submitted this one previously for Fakerean. Hopefully with the PCRE it won't FP as much due to the [1-3] beforehand.
> [...]

From jonkman at jonkmans.com Mon Nov 2 15:02:55 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 15:02:55 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <4AEEEA38.3040109@packetmail.net>
References: <4AEEEA38.3040109@packetmail.net>
Message-ID: <4AEF3AEF.6040409@jonkmans.com>

Posting, thanks!! Putting them in current events so we will remember to time them out later.

Matt

evilghost at packetmail.net wrote:
> I really like getting this list. Based on the list below, it looks like we can likely sig with some confidence the pepsi redirect, possibly the installer.exe stuff too. Case-sensitive matching intentionally to avoid false positives.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Malware -
> Potential exploit redirect, in.cgi pepsi"; flow:established,to_server;
> uricontent:"ts/in.cgi?pepsi"; pcre:"/ts\/in\.cgi\?pepsi\d+/U";
> classtype:bad-unknown; reference:url,malwareurl.com; sid:2009xxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Malware -
> Potential Fakerean Trojan Download"; flow:established,to_server;
> uricontent:"/installer/Installer.exe";
> pcre:"/\d\/installer\/Installer\.exe/U"; classtype:bad-unknown;
> reference:url,malwareurl.com; sid:2009xxx; rev:1;)
>
> jason.weir at nhrs.org wrote:
>> MalwareURL.com Data Contains 39079 Entries - Here are the top 30 (8177)
>>
>> #   Signature URI                                                  Count  Description
>> ----------------------------------------------------------------------------------------
>> 1   none      cache/readme.pdf                                     941  exploits / redirects to exploits
>> 2   none      index.php                                            919  exploits / redirects to exploits
>> 3   none      ts/in.cgi?pepsi18                                    895  exploits / redirects to exploits
>> 4   none      o.js                                                 744  redirects to rogue antivirus
>> 5   none      index.php                                            590  exploits
>> 6   none      download/install.php                                 584  rogue antivirus
>> 7   none      download/install.php                                 300  rogue antivirus downloader / internetantiviruspro
>> 8   none      cache/flash.swf                                      276  exploits / redirects to exploits
>> 9   none      load.php                                             254  exploits / trojan
>> 10  none      download.php                                         231  rogue antivirus
>> 11  none      cache/readme.pdf                                     227  exploits / trojan
>> 12  none      img/index.html                                       225  redirects to trojan
>> 13  none      cache/flash.swf                                      207  exploits / trojan
>> 14  2010050   download/Antivirus_21.exe                            165  rogue antivirus / personal antivirus - fakexpa
>> 15  none      3/installer/Installer.exe                            123  trojan fakerean
>> 16  none      1/installer/Installer.exe                            123  trojan fakerean
>> 17  none      2/installer/Installer.exe                            123  trojan fakerean
>> 18  none      installer_1.exe                                      118  rogue antivirus downloader / fakeplus
>> 19  none      installer.1.exe                                      115  rogue antivirus downloader / fakeplus
>> 20  none      op1.js=http://www.theriverlive.cn                    115  redirects to rogue antivirus
>> 21  2010055   pcdef.exe                                            101  trojan tdss / rogue antivirus
>> 22  2010054   codec.exe                                            101  trojan tdss / rogue antivirus
>> 23  none      file.exe                                             101  trojan tdss / rogue antivirus
>> 24  none      installer_1.exe                                       96  rogue antivirus downloader
>> 25  2010056   codec/197.exe                                         93  trojan tdss / rogue antivirus
>> 26  none      0x3e8/setup.exe                                       85  trojan koobface
>> 27  none      xplay.php                                             84  fake codec page / directs to trojan
>> 28  none      webalizer/050709wareza/crack=17=keygen=serial.html    82  exploits
>> 29  none      download/install.php                                  80  rogue antivirus / internetantiviruspro
>> 30  2010051   install/ws.exe                                        79  rogue antivirus


From jonkman at jonkmans.com  Mon Nov 2 15:05:32 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 15:05:32 -0500
Subject: [Emerging-Sigs] SIG:Cherokee Web Server GET AUX DOS
In-Reply-To:
References:
Message-ID: <4AEF3B8C.1090105@jonkmans.com>

Is the vulnerability case sensitive?

Matt

Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of
> Service Attempt"; flow:established,to_server; content:"GET |2F|AUX
> HTTP|2F|1|2E|"; nocase; depth:16; classtype:attempted-dos;
> reference:url,securitytracker.com/alerts/2009/Oct/1023095.html;
> reference:url,www.securityfocus.com/bid/36814/info;
> reference:url,www.securityfocus.com/archive/1/507456;
> sid:1100001; rev:1;)
>
> Simple sig for this. Comments anyone?
>
> Kev


From jonkman at jonkmans.com  Mon Nov 2 15:08:52 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 15:08:52 -0500
Subject: [Emerging-Sigs] updated sig
In-Reply-To: <4AEE717A.6070006@googlemail.com>
References: <4AEE717A.6070006@googlemail.com>
Message-ID: <4AEF3C54.4060103@jonkmans.com>

Updated, thanks Wolvee!

Matt

Wolvee wrote:
> In content:"GWComposeCtl.SetFontFace"; GWComposeCtl is the object name. It is a variable.
>
> Updated sig:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"9796BED2-C1CF-11D2-9384-0008C7396667"; nocase; distance:0; content:"SetFontFace"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9796BED2-C1CF-11D2-9384-0008C7396667/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36398; reference:url,doc.emergingthreats.net/2009923; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Novell; sid:2009923; rev:5;)


From jonkman at jonkmans.com  Mon Nov 2 15:16:31 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 15:16:31 -0500
Subject: [Emerging-Sigs] SIG:Mambo Cache_Lite Class mosConfig_absolute_path RFI
In-Reply-To:
References:
Message-ID: <4AEF3E1F.1060801@jonkmans.com>

Posted, thanks!

Matt

Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APP Possible Mambo Cache_Lite Class mosConfig_absolute_path
> Remote File Inclusion Attempt"; flow:established,to_server;
> uricontent:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path=";
> nocase; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F\x2F/Ui";
> classtype:web-application-attack;
> reference:url,www.securityfocus.com/bid/29716/info;
> reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb;
> sid:15000001; rev:1;)
>
> Kev


From jonkman at jonkmans.com  Mon Nov 2 15:19:18 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 15:19:18 -0500
Subject: [Emerging-Sigs] Opachki sig
In-Reply-To: <839aec700910311301v34facdcase2aa24f4b831e67d@mail.gmail.com>
References: <839aec700910311301v34facdcase2aa24f4b831e67d@mail.gmail.com>
Message-ID: <4AEF3EC6.2000005@jonkmans.com>

Posted, thanks Darren!

Matt

Darren Spruell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Opachki Link Hijacker Traffic Redirection";
> flow:established,to_server; uricontent:"/?do=rphp"; nocase;
> uricontent:"&sub="; nocase; uricontent:"&b="; nocase;
> uricontent:"&q="; nocase; uricontent:"&orig="; nocase;
> classtype:trojan-activity;
> reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki;
> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2;
> sid:XXXXXXX; rev:1;)
>
> Outstanding analysis/writeup from SecureWorks.


From jonkman at jonkmans.com  Mon Nov 2 15:22:18 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 15:22:18 -0500
Subject: [Emerging-Sigs] Fwd: Mariposa with flowbits
In-Reply-To: <2BACE490-093C-40DE-A716-0FE60B1D69FF@auckland.ac.nz>
References: <4AEB33C6.8000700@uni.edu> <2BACE490-093C-40DE-A716-0FE60B1D69FF@auckland.ac.nz>
Message-ID: <4AEF3F7A.2080101@jonkmans.com>

Excellent, posted!!

Matt

Russell Fulton wrote:
> Posted to a .edu security list...
>
> Begin forwarded message:
>
>> From: Ken Connelly
>> Date: 31 October 2009 7:43:18 AM NZDT
>> Subject: [RI-OPS] Mariposa with flowbits
>>
>> alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>> Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|";
>> depth:1; classtype:trojan-activity; flowbits:noalert;
>> flowbits:set,KC.MariposaJoin; sid:2009103001; rev:1;)
>>
>> alert udp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN
>> Palevo/BFBot/Mariposa server join acknowledgement"; dsize:8;
>> content:"|40|"; depth:1; classtype:trojan-activity;
>> flowbits:isset,KC.MariposaJoin; sid:2009103002; rev:1;)
>>
>> - --
>> - - Ken
>> =================================================================
>> Ken Connelly           Associate Director, Security and Systems
>> ITS Network Services   University of Northern Iowa
>> email: Ken.Connelly at uni.edu   p: (319) 273-5850   f: (319) 273-7373


From jonkman at jonkmans.com  Mon Nov 2 15:24:44 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 02 Nov 2009 15:24:44 -0500
Subject: [Emerging-Sigs] ET TROJAN Bredolab Infection
In-Reply-To: <839aec700910301839p56ef69d3u8d08c88cf789ed91@mail.gmail.com>
References: <928A230D9BF84FB3ACB62A46C2DAF16C@cpc.uea.ac.uk> <839aec700910301741n18866842ldf6bb9eb34fb8ac7@mail.gmail.com> <839aec700910301836w512e0263ndd7b3ee9c669c835@mail.gmail.com> <839aec700910301839p56ef69d3u8d08c88cf789ed91@mail.gmail.com>
Message-ID: <4AEF400C.70604@jonkmans.com>

Done and done, thanks!

Matt

Darren Spruell wrote:
> Is this related to the same malware? Same update here too if so.
>
> DS
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Bredolab Infection - Windows Key"; flow:established,to_server;
> uricontent:"?s=Windows"; nocase; uricontent:"&p="; nocase;
> pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/"; nocase;
> classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010072;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab;
> sid:2010072; rev:3;)
>
> On Fri, Oct 30, 2009 at 6:36 PM, Darren Spruell wrote:
>> http://www.threatexpert.com/report.aspx?md5=e21b03355a2d11881f1035c9c52407e2
>> http://www.threatexpert.com/report.aspx?md5=cbdf7e8df671a22a5b7feca266057226
>> http://www.threatexpert.com/report.aspx?md5=dcfa4ff264b50db95fe2dd8a10c83e3d
>> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A
>>
>> Microsoft and a couple of others call this Hiloti, others Vundo FWIW.
>>
>> Mod?
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Hiloti Downloader Checkin"; flow:established,to_server;
>> uricontent:"/get.php?"; nocase; uricontent:"c="; nocase;
>> uricontent:"&d="; nocase; classtype:trojan-activity;
>> reference:url,doc.emergingthreats.net/2010071;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab;
>> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A;
>> sid:2010071; rev:3;)
>>
>> DS
>>
>> On Fri, Oct 30, 2009 at 5:41 PM, Darren Spruell wrote:
>>> The rule and your payload don't match Bredolab (a good reference
>>> on which would be
>>> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_bredolab_files.pdf).
>>> Another case of mistaken malware identities, I think.
>>>
>>> 95.211.27.211 has a lot of host names associated with it:
>>>
>>> http://www.bfk.de/bfk_dnslogger.html?query=95.211.27.211#result
>>>
>>> Searching for those SLD names will get you results for what some are
>>> picking up as a downloader, e.g.:
>>>
>>> http://www.threatexpert.com/report.aspx?md5=e21b03355a2d11881f1035c9c52407e2
>>> http://www.prevx.com/filenames/X1214314979589951818-X1/SHOKAN_C96DA20F809D6B1FD8A940BD9968F953%5B.html
>>>
>>> hXXp://061507d9100b.giselin.com/get.php?c=RRFKEMKZ&d=26606B6739323F362E64636F317E3E3D21262224242C3062717D272E25252D5D64121415161C10131C1E6C121C181A1E007505010007060601000C1D5F51485A327C75736224222A75786C243F3B2B3D6D647C6272213F3433646A6B6C6D6F6C5859575A421
>>>
>>> E.g. yields:
>>>
>>> HTTP/1.1 200 OK
>>> Content-Type: text/html
>>> Server: gws
>>> Date: Sat, 31 Oct 2009 00:18:32 GMT
>>> X-Powered-By: PHP/5.2.11
>>> Content-Length: 120
>>>
>>> 3C3E7A6E682570627A7A636462302C3E3E213033717B75787C70747C213F6B6B460C1A011B1B2C1B5044464F4D594F113A0D1D4B595952564C580431
>>>
>>> DS
>>>
>>> On Fri, Oct 30, 2009 at 9:46 AM, James wrote:
>>>> Hi,
>>>>
>>>> Could I draw on your collective experience please? How confident can I be in
>>>> the "ET TROJAN Bredolab Infection - checkin" rule? I have a few machines
>>>> (Windows XP) connecting to "95.211.27.211" which are triggering it. I am
>>>> currently checking one of those machines remotely and haven't come across
>>>> signs of an infection yet. The user has installed Skype and Spotify but I
>>>> would expect both of those to be on a lot more of our machines than just
>>>> these few that are triggering this.
>>>> The packet that triggered it contained:
>>>>
>>>> Cheers
>>>> James
>>>
>>> --
>>> Darren Spruell
>>> phatbuckett at gmail.com
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com


From jason.weir at nhrs.org  Mon Nov 2 15:39:57 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Mon, 2 Nov 2009 15:39:57 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <4AEF3AEF.6040409@jonkmans.com>
Message-ID:

OK - so I don't get confused - what SIDs go with which items on the
Malwareurl.com list?

-J

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Matt Jonkman
Sent: Monday, November 02, 2009 3:03 PM
To: evilghost at packetmail.net
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Malwareurl.com Top 30 Update

Posting, thanks!! Putting them in current events so we will remember to
time them out later.

Matt

evilghost at packetmail.net wrote:
> I really like getting this list.
> Based on the list below, it looks like
> we can likely sig with some confidence the pepsi redirect, possibly the
> installer.exe stuff too. Case-sensitive matching intentionally to avoid
> false positives.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Malware -
> Potential exploit redirect, in.cgi pepsi"; flow:established,to_server;
> uricontent:"ts/in.cgi?pepsi"; pcre:"/ts\/in\.cgi\?pepsi\d+/U";
> classtype:bad-unknown; reference:url,malwareurl.com; sid:2009xxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Malware -
> Potential Fakerean Trojan Download"; flow:established,to_server;
> uricontent:"/installer/Installer.exe";
> pcre:"/\d\/installer\/Installer\.exe/U"; classtype:bad-unknown;
> reference:url,malwareurl.com; sid:2009xxx; rev:1;)
>
> jason.weir at nhrs.org wrote:
>> MalwareURL.com Data Contains 39079 Entries - Here are the top 30 (8177)
>>
>> #   Signature URI                                                  Count  Description
>> ----------------------------------------------------------------------------------------
>> 1   none      cache/readme.pdf                                     941  exploits / redirects to exploits
>> 2   none      index.php                                            919  exploits / redirects to exploits
>> 3   none      ts/in.cgi?pepsi18                                    895  exploits / redirects to exploits
>> 4   none      o.js                                                 744  redirects to rogue antivirus
>> 5   none      index.php                                            590  exploits
>> 6   none      download/install.php                                 584  rogue antivirus
>> 7   none      download/install.php                                 300  rogue antivirus downloader / internetantiviruspro
>> 8   none      cache/flash.swf                                      276  exploits / redirects to exploits
>> 9   none      load.php                                             254  exploits / trojan
>> 10  none      download.php                                         231  rogue antivirus
>> 11  none      cache/readme.pdf                                     227  exploits / trojan
>> 12  none      img/index.html                                       225  redirects to trojan
>> 13  none      cache/flash.swf                                      207  exploits / trojan
>> 14  2010050   download/Antivirus_21.exe                            165  rogue antivirus / personal antivirus - fakexpa
>> 15  none      3/installer/Installer.exe                            123  trojan fakerean
>> 16  none      1/installer/Installer.exe                            123  trojan fakerean
>> 17  none      2/installer/Installer.exe                            123  trojan fakerean
>> 18  none      installer_1.exe                                      118  rogue antivirus downloader / fakeplus
>> 19  none      installer.1.exe                                      115  rogue antivirus downloader / fakeplus
>> 20  none      op1.js=http://www.theriverlive.cn                    115  redirects to rogue antivirus
>> 21  2010055   pcdef.exe                                            101  trojan tdss / rogue antivirus
>> 22  2010054   codec.exe                                            101  trojan tdss / rogue antivirus
>> 23  none      file.exe                                             101  trojan tdss / rogue antivirus
>> 24  none      installer_1.exe                                       96  rogue antivirus downloader
>> 25  2010056   codec/197.exe                                         93  trojan tdss / rogue antivirus
>> 26  none      0x3e8/setup.exe                                       85  trojan koobface
>> 27  none      xplay.php                                             84  fake codec page / directs to trojan
>> 28  none      webalizer/050709wareza/crack=17=keygen=serial.html    82  exploits
>> 29  none      download/install.php                                  80  rogue antivirus / internetantiviruspro
>> 30  2010051   install/ws.exe                                        79  rogue antivirus

_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.


From mike.cox52 at gmail.com  Mon Nov 2 15:58:18 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Mon, 2 Nov 2009 14:58:18 -0600
Subject: [Emerging-Sigs] Opachki sig
In-Reply-To: <4AEF3885.7020100@jonkmans.com>
References: <839aec700910311301v34facdcase2aa24f4b831e67d@mail.gmail.com> <6116b9e20911020747l75cb53ebv1007b813d54dc506@mail.gmail.com> <4AEF3885.7020100@jonkmans.com>
Message-ID: <6116b9e20911021258u45e0876ci8fd6cbfcd1d8af76@mail.gmail.com>

Hmmm, that could work.
Check out http://www.iana.org/assignments/http-parameters and chew on this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:"Accept-Encoding: "; http_header; nocase; content:!"Accept-Encoding: gzip"; http_header; nocase; content:!"Accept-Encoding: deflate"; http_header; nocase; content:!"Accept-Encoding: compress"; http_header; nocase; content:!"Accept-Encoding: |2a|"; http_header; nocase; content:!"Accept-Encoding: exi"; http_header; nocase; content:!"Accept-Encoding: identity"; http_header; nocase; content:!"Accept-Encoding: pack200-gzip"; http_header; nocase; pcre:"/\x0d\x0aAccept-Encoding: ([a-z0-9])\1{2,}/i"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,www.iana.org/assignments/http-parameters; sid:XXXXXXX; rev:2;)

Mike Cox

On Mon, Nov 2, 2009 at 1:52 PM, Matt Jonkman wrote:
> Ya, that'd be too high a load as is I think.
>
> Maybe we could try excluding normal encodings? Like gzip, etc? Is there
> a small enough subset to do so?
>
> Matt
>
> Mike Cox wrote:
>> You can also detect the injected request:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Opachki Link Hijacker HTTP Header Injection";
>> flow:established,to_server; content:"Accept-Encoding: "; http_header;
>> nocase; pcre:"/\x0d\x0aAccept-Encoding: ([a-z0-9])\1{2,}/i";
>> classtype:trojan-activity;
>> reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki;
>> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A;
>> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2;
>> sid:XXXXXXX; rev:1;)
>>
>> The only problem is the pcre is checked for any HTTP request with an
>> Accept-Encoding header, which is most of them. I cannot really think of a
>> more efficient way to detect it although I'm open to suggestions.
>>
>> Mike Cox
>>
>> On Sat, Oct 31, 2009 at 2:01 PM, Darren Spruell wrote:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>> Opachki Link Hijacker Traffic Redirection";
>>> flow:established,to_server; uricontent:"/?do=rphp"; nocase;
>>> uricontent:"&sub="; nocase; uricontent:"&b="; nocase;
>>> uricontent:"&q="; nocase; uricontent:"&orig="; nocase;
>>> classtype:trojan-activity;
>>> reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki;
>>> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A;
>>> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2;
>>> sid:XXXXXXX; rev:1;)
>>>
>>> Outstanding analysis/writeup from SecureWorks.
>>>
>>> --
>>> Darren Spruell
>>> phatbuckett at gmail.com


From emerging at emergingthreats.net  Mon Nov 2 16:00:17 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 2 Nov 2009 16:00:17 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091102210017.E2BCD45031@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Nov 2 16:00:17 2009 [***]

[+++] Added rules: [+++]

    2010221 - ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) (emerging-virus.rules)
    2010222 - ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi (emerging-current_events.rules)
    2010223 - ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
    2010224 - ET TROJAN Opachki Link Hijacker Traffic Redirection (emerging-virus.rules)
    2010225 - ET TROJAN Palevo/BFBot/Mariposa client join attempt (emerging-virus.rules)
    2010226 - ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement (emerging-virus.rules)
    2406958 - ET RBN Known Russian Business Network IP TCP (480) (emerging-rbn.rules)
    2406959 - ET RBN Known Russian Business Network IP UDP (480) (emerging-rbn.rules)
    2406960 - ET RBN Known Russian Business Network IP TCP (481) (emerging-rbn.rules)
    2406961 - ET RBN Known Russian Business Network IP UDP (481) (emerging-rbn.rules)
    2406962 - ET RBN Known Russian Business Network IP TCP (482) (emerging-rbn.rules)
    2406963 - ET RBN Known Russian Business Network IP UDP (482) (emerging-rbn.rules)
    2406964 - ET RBN Known Russian Business Network IP TCP (483) (emerging-rbn.rules)
    2406965 - ET RBN Known Russian Business Network IP UDP (483) (emerging-rbn.rules)
    2406966 - ET RBN Known Russian Business Network IP TCP (484) (emerging-rbn.rules)
    2406967 - ET RBN Known Russian Business Network IP UDP (484) (emerging-rbn.rules)
    2406968 - ET RBN Known Russian Business Network IP TCP (485) (emerging-rbn.rules)
    2406969 - ET RBN Known Russian Business Network IP UDP (485) (emerging-rbn.rules)
    2407958 - ET RBN Known Russian Business Network IP TCP - BLOCKING (480) (emerging-rbn-BLOCK.rules)
    2407959 - ET RBN Known Russian Business Network IP UDP - BLOCKING (480) (emerging-rbn-BLOCK.rules)
    2407960 - ET RBN Known Russian Business Network IP TCP - BLOCKING (481) (emerging-rbn-BLOCK.rules)
    2407961 - ET RBN Known Russian Business Network IP UDP - BLOCKING (481) (emerging-rbn-BLOCK.rules)
    2407962 - ET RBN Known Russian Business Network IP TCP - BLOCKING (482) (emerging-rbn-BLOCK.rules)
    2407963 - ET RBN Known Russian Business Network IP UDP - BLOCKING (482) (emerging-rbn-BLOCK.rules)
    2407964 - ET RBN Known Russian Business Network IP TCP - BLOCKING (483) (emerging-rbn-BLOCK.rules)
    2407965 - ET RBN Known Russian Business Network IP UDP - BLOCKING (483) (emerging-rbn-BLOCK.rules)
    2407966 - ET RBN Known Russian Business Network IP TCP - BLOCKING (484) (emerging-rbn-BLOCK.rules)
    2407967 - ET RBN Known Russian Business Network IP UDP - BLOCKING (484) (emerging-rbn-BLOCK.rules)
    2407968 - ET RBN Known Russian Business Network IP TCP - BLOCKING (485) (emerging-rbn-BLOCK.rules)
    2407969 - ET RBN Known Russian Business Network IP UDP - BLOCKING (485) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

    2009923 - ET WEB_CLIENT ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt (emerging-web_client.rules)
    2406000 - ET RBN Known Russian Business Network IP TCP (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network IP UDP (1) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network IP TCP (2) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network IP UDP (2) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network IP TCP (3) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network IP UDP (3) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network IP TCP (4) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network IP UDP (4) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network IP TCP (5) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network IP UDP (5) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network IP TCP (6) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network IP UDP (6) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network IP TCP (7) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network IP UDP (7) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network IP TCP (8) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network IP UDP (8) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network IP TCP (9) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network IP UDP (9) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network IP TCP (10) (emerging-rbn.rules)
    2406019 - ET RBN
Known Russian Business Network IP UDP (10) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network IP TCP (11) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network IP UDP (11) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network IP TCP (12) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network IP UDP (12) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network IP TCP (13) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network IP UDP (13) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network IP TCP (14) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network IP UDP (14) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network IP TCP (15) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network IP UDP (15) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network IP TCP (16) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network IP UDP (16) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network IP TCP (17) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network IP UDP (17) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network IP TCP (18) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network IP UDP (18) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network IP TCP (19) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network IP UDP (19) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network IP TCP (20) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network IP UDP (20) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network IP TCP (21) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network IP UDP (21) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network IP TCP (22) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network IP UDP (22) 
(emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network IP TCP (23) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network IP UDP (23) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network IP TCP (24) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network IP UDP (24) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network IP TCP (25) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network IP UDP (25) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network IP TCP (26) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network IP UDP (26) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network IP TCP (27) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network IP UDP (27) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network IP TCP (28) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network IP UDP (28) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network IP TCP (29) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network IP UDP (29) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network IP TCP (30) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network IP UDP (30) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network IP TCP (31) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network IP UDP (31) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network IP TCP (32) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network IP UDP (32) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network IP TCP (33) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network IP UDP (33) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network IP TCP (34) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network IP UDP (34) (emerging-rbn.rules) 2406068 - ET RBN Known Russian 
Business Network IP TCP (35) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network IP UDP (35) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network IP TCP (36) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network IP UDP (36) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network IP TCP (37) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network IP UDP (37) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network IP TCP (38) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network IP UDP (38) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network IP TCP (39) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network IP UDP (39) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network IP TCP (40) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network IP UDP (40) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network IP TCP (41) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network IP UDP (41) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network IP TCP (42) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network IP UDP (42) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network IP TCP (43) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network IP UDP (43) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network IP TCP (44) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network IP UDP (44) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network IP TCP (45) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network IP UDP (45) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network IP TCP (46) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network IP UDP (46) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network IP TCP (47) (emerging-rbn.rules) 
2406093 - ET RBN Known Russian Business Network IP UDP (47) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network IP TCP (48) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network IP UDP (48) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network IP TCP (49) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network IP UDP (49) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network IP TCP (50) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network IP UDP (50) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network IP TCP (51) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network IP UDP (51) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network IP TCP (52) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network IP UDP (52) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network IP TCP (53) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network IP UDP (53) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network IP TCP (54) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network IP UDP (54) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network IP TCP (55) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network IP UDP (55) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network IP TCP (56) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network IP UDP (56) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network IP TCP (57) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network IP UDP (57) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network IP TCP (58) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network IP UDP (58) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network IP TCP (59) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network IP UDP 
(59) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network IP TCP (60) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network IP UDP (60) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network IP TCP (61) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network IP UDP (61) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network IP TCP (62) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network IP UDP (62) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network IP TCP (63) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network IP UDP (63) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network IP TCP (64) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network IP UDP (64) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network IP TCP (65) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network IP UDP (65) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network IP TCP (66) (emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network IP UDP (66) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network IP TCP (67) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network IP UDP (67) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network IP TCP (68) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network IP UDP (68) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network IP TCP (69) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network IP UDP (69) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network IP TCP (70) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network IP UDP (70) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network IP TCP (71) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network IP UDP (71) (emerging-rbn.rules) 2406142 - ET RBN Known 
Russian Business Network IP TCP (72) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network IP UDP (72) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network IP TCP (73) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network IP UDP (73) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network IP TCP (74) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network IP UDP (74) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network IP TCP (75) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network IP UDP (75) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network IP TCP (76) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network IP UDP (76) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network IP TCP (77) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network IP UDP (77) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network IP TCP (78) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network IP UDP (78) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network IP TCP (79) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network IP UDP (79) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network IP TCP (80) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network IP UDP (80) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network IP TCP (81) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network IP UDP (81) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network IP TCP (82) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network IP UDP (82) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network IP TCP (83) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network IP UDP (83) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network IP TCP (84) 
(emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network IP UDP (84) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network IP TCP (85) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network IP UDP (85) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network IP TCP (86) (emerging-rbn.rules) 2406171 - ET RBN Known Russian Business Network IP UDP (86) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network IP TCP (87) (emerging-rbn.rules) 2406173 - ET RBN Known Russian Business Network IP UDP (87) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network IP TCP (88) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network IP UDP (88) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network IP TCP (89) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network IP UDP (89) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network IP TCP (90) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network IP UDP (90) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network IP TCP (91) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network IP UDP (91) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network IP TCP (92) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network IP UDP (92) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network IP TCP (93) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network IP UDP (93) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network IP TCP (94) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network IP UDP (94) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network IP TCP (95) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network IP UDP (95) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network IP TCP (96) (emerging-rbn.rules) 2406191 - ET RBN Known Russian 
Business Network IP UDP (96) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network IP TCP (97) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network IP UDP (97) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network IP TCP (98) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network IP UDP (98) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network IP TCP (99) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network IP UDP (99) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network IP TCP (100) (emerging-rbn.rules) 2406199 - ET RBN Known Russian Business Network IP UDP (100) (emerging-rbn.rules) 2406200 - ET RBN Known Russian Business Network IP TCP (101) (emerging-rbn.rules) 2406201 - ET RBN Known Russian Business Network IP UDP (101) (emerging-rbn.rules) 2406202 - ET RBN Known Russian Business Network IP TCP (102) (emerging-rbn.rules) 2406203 - ET RBN Known Russian Business Network IP UDP (102) (emerging-rbn.rules) 2406204 - ET RBN Known Russian Business Network IP TCP (103) (emerging-rbn.rules) 2406205 - ET RBN Known Russian Business Network IP UDP (103) (emerging-rbn.rules) 2406206 - ET RBN Known Russian Business Network IP TCP (104) (emerging-rbn.rules) 2406207 - ET RBN Known Russian Business Network IP UDP (104) (emerging-rbn.rules) 2406208 - ET RBN Known Russian Business Network IP TCP (105) (emerging-rbn.rules) 2406209 - ET RBN Known Russian Business Network IP UDP (105) (emerging-rbn.rules) 2406210 - ET RBN Known Russian Business Network IP TCP (106) (emerging-rbn.rules) 2406211 - ET RBN Known Russian Business Network IP UDP (106) (emerging-rbn.rules) 2406212 - ET RBN Known Russian Business Network IP TCP (107) (emerging-rbn.rules) 2406213 - ET RBN Known Russian Business Network IP UDP (107) (emerging-rbn.rules) 2406214 - ET RBN Known Russian Business Network IP TCP (108) (emerging-rbn.rules) 2406215 - ET RBN Known Russian Business Network IP UDP (108) 
(emerging-rbn.rules) 2406216 - ET RBN Known Russian Business Network IP TCP (109) (emerging-rbn.rules) 2406217 - ET RBN Known Russian Business Network IP UDP (109) (emerging-rbn.rules) 2406218 - ET RBN Known Russian Business Network IP TCP (110) (emerging-rbn.rules) 2406219 - ET RBN Known Russian Business Network IP UDP (110) (emerging-rbn.rules) 2406220 - ET RBN Known Russian Business Network IP TCP (111) (emerging-rbn.rules) 2406221 - ET RBN Known Russian Business Network IP UDP (111) (emerging-rbn.rules) 2406222 - ET RBN Known Russian Business Network IP TCP (112) (emerging-rbn.rules) 2406223 - ET RBN Known Russian Business Network IP UDP (112) (emerging-rbn.rules) 2406224 - ET RBN Known Russian Business Network IP TCP (113) (emerging-rbn.rules) 2406225 - ET RBN Known Russian Business Network IP UDP (113) (emerging-rbn.rules) 2406226 - ET RBN Known Russian Business Network IP TCP (114) (emerging-rbn.rules) 2406227 - ET RBN Known Russian Business Network IP UDP (114) (emerging-rbn.rules) 2406228 - ET RBN Known Russian Business Network IP TCP (115) (emerging-rbn.rules) 2406229 - ET RBN Known Russian Business Network IP UDP (115) (emerging-rbn.rules) 2406230 - ET RBN Known Russian Business Network IP TCP (116) (emerging-rbn.rules) 2406231 - ET RBN Known Russian Business Network IP UDP (116) (emerging-rbn.rules) 2406232 - ET RBN Known Russian Business Network IP TCP (117) (emerging-rbn.rules) 2406233 - ET RBN Known Russian Business Network IP UDP (117) (emerging-rbn.rules) 2406234 - ET RBN Known Russian Business Network IP TCP (118) (emerging-rbn.rules) 2406235 - ET RBN Known Russian Business Network IP UDP (118) (emerging-rbn.rules) 2406236 - ET RBN Known Russian Business Network IP TCP (119) (emerging-rbn.rules) 2406237 - ET RBN Known Russian Business Network IP UDP (119) (emerging-rbn.rules) 2406238 - ET RBN Known Russian Business Network IP TCP (120) (emerging-rbn.rules) 2406239 - ET RBN Known Russian Business Network IP UDP (120) (emerging-rbn.rules) 2406240 - 
ET RBN Known Russian Business Network IP TCP (121) (emerging-rbn.rules) 2406241 - ET RBN Known Russian Business Network IP UDP (121) (emerging-rbn.rules) 2406242 - ET RBN Known Russian Business Network IP TCP (122) (emerging-rbn.rules) 2406243 - ET RBN Known Russian Business Network IP UDP (122) (emerging-rbn.rules) 2406244 - ET RBN Known Russian Business Network IP TCP (123) (emerging-rbn.rules) 2406245 - ET RBN Known Russian Business Network IP UDP (123) (emerging-rbn.rules) 2406246 - ET RBN Known Russian Business Network IP TCP (124) (emerging-rbn.rules) 2406247 - ET RBN Known Russian Business Network IP UDP (124) (emerging-rbn.rules) 2406248 - ET RBN Known Russian Business Network IP TCP (125) (emerging-rbn.rules) 2406249 - ET RBN Known Russian Business Network IP UDP (125) (emerging-rbn.rules) 2406250 - ET RBN Known Russian Business Network IP TCP (126) (emerging-rbn.rules) 2406251 - ET RBN Known Russian Business Network IP UDP (126) (emerging-rbn.rules) 2406252 - ET RBN Known Russian Business Network IP TCP (127) (emerging-rbn.rules) 2406253 - ET RBN Known Russian Business Network IP UDP (127) (emerging-rbn.rules) 2406254 - ET RBN Known Russian Business Network IP TCP (128) (emerging-rbn.rules) 2406255 - ET RBN Known Russian Business Network IP UDP (128) (emerging-rbn.rules) 2406256 - ET RBN Known Russian Business Network IP TCP (129) (emerging-rbn.rules) 2406257 - ET RBN Known Russian Business Network IP UDP (129) (emerging-rbn.rules) 2406258 - ET RBN Known Russian Business Network IP TCP (130) (emerging-rbn.rules) 2406259 - ET RBN Known Russian Business Network IP UDP (130) (emerging-rbn.rules) 2406260 - ET RBN Known Russian Business Network IP TCP (131) (emerging-rbn.rules) 2406261 - ET RBN Known Russian Business Network IP UDP (131) (emerging-rbn.rules) 2406262 - ET RBN Known Russian Business Network IP TCP (132) (emerging-rbn.rules) 2406263 - ET RBN Known Russian Business Network IP UDP (132) (emerging-rbn.rules) 2406264 - ET RBN Known Russian Business 
Network IP TCP (133) (emerging-rbn.rules) 2406265 - ET RBN Known Russian Business Network IP UDP (133) (emerging-rbn.rules) 2406266 - ET RBN Known Russian Business Network IP TCP (134) (emerging-rbn.rules) 2406267 - ET RBN Known Russian Business Network IP UDP (134) (emerging-rbn.rules) 2406268 - ET RBN Known Russian Business Network IP TCP (135) (emerging-rbn.rules) 2406269 - ET RBN Known Russian Business Network IP UDP (135) (emerging-rbn.rules) 2406270 - ET RBN Known Russian Business Network IP TCP (136) (emerging-rbn.rules) 2406271 - ET RBN Known Russian Business Network IP UDP (136) (emerging-rbn.rules) 2406272 - ET RBN Known Russian Business Network IP TCP (137) (emerging-rbn.rules) 2406273 - ET RBN Known Russian Business Network IP UDP (137) (emerging-rbn.rules) 2406274 - ET RBN Known Russian Business Network IP TCP (138) (emerging-rbn.rules) 2406275 - ET RBN Known Russian Business Network IP UDP (138) (emerging-rbn.rules) 2406276 - ET RBN Known Russian Business Network IP TCP (139) (emerging-rbn.rules) 2406277 - ET RBN Known Russian Business Network IP UDP (139) (emerging-rbn.rules) 2406278 - ET RBN Known Russian Business Network IP TCP (140) (emerging-rbn.rules) 2406279 - ET RBN Known Russian Business Network IP UDP (140) (emerging-rbn.rules) 2406280 - ET RBN Known Russian Business Network IP TCP (141) (emerging-rbn.rules) 2406281 - ET RBN Known Russian Business Network IP UDP (141) (emerging-rbn.rules) 2406282 - ET RBN Known Russian Business Network IP TCP (142) (emerging-rbn.rules) 2406283 - ET RBN Known Russian Business Network IP UDP (142) (emerging-rbn.rules) 2406284 - ET RBN Known Russian Business Network IP TCP (143) (emerging-rbn.rules) 2406285 - ET RBN Known Russian Business Network IP UDP (143) (emerging-rbn.rules) 2406286 - ET RBN Known Russian Business Network IP TCP (144) (emerging-rbn.rules) 2406287 - ET RBN Known Russian Business Network IP UDP (144) (emerging-rbn.rules) 2406288 - ET RBN Known Russian Business Network IP TCP (145) 
(emerging-rbn.rules) 2406289 - ET RBN Known Russian Business Network IP UDP (145) (emerging-rbn.rules) 2406290 - ET RBN Known Russian Business Network IP TCP (146) (emerging-rbn.rules) 2406291 - ET RBN Known Russian Business Network IP UDP (146) (emerging-rbn.rules) 2406292 - ET RBN Known Russian Business Network IP TCP (147) (emerging-rbn.rules) 2406293 - ET RBN Known Russian Business Network IP UDP (147) (emerging-rbn.rules) 2406294 - ET RBN Known Russian Business Network IP TCP (148) (emerging-rbn.rules) 2406295 - ET RBN Known Russian Business Network IP UDP (148) (emerging-rbn.rules) 2406296 - ET RBN Known Russian Business Network IP TCP (149) (emerging-rbn.rules) 2406297 - ET RBN Known Russian Business Network IP UDP (149) (emerging-rbn.rules) 2406298 - ET RBN Known Russian Business Network IP TCP (150) (emerging-rbn.rules) 2406299 - ET RBN Known Russian Business Network IP UDP (150) (emerging-rbn.rules) 2406300 - ET RBN Known Russian Business Network IP TCP (151) (emerging-rbn.rules) 2406301 - ET RBN Known Russian Business Network IP UDP (151) (emerging-rbn.rules) 2406302 - ET RBN Known Russian Business Network IP TCP (152) (emerging-rbn.rules) 2406303 - ET RBN Known Russian Business Network IP UDP (152) (emerging-rbn.rules) 2406304 - ET RBN Known Russian Business Network IP TCP (153) (emerging-rbn.rules) 2406305 - ET RBN Known Russian Business Network IP UDP (153) (emerging-rbn.rules) 2406306 - ET RBN Known Russian Business Network IP TCP (154) (emerging-rbn.rules) 2406307 - ET RBN Known Russian Business Network IP UDP (154) (emerging-rbn.rules) 2406308 - ET RBN Known Russian Business Network IP TCP (155) (emerging-rbn.rules) 2406309 - ET RBN Known Russian Business Network IP UDP (155) (emerging-rbn.rules) 2406310 - ET RBN Known Russian Business Network IP TCP (156) (emerging-rbn.rules) 2406311 - ET RBN Known Russian Business Network IP UDP (156) (emerging-rbn.rules) 2406312 - ET RBN Known Russian Business Network IP TCP (157) (emerging-rbn.rules) 2406313 - 
ET RBN Known Russian Business Network IP UDP (157) (emerging-rbn.rules) 2406314 - ET RBN Known Russian Business Network IP TCP (158) (emerging-rbn.rules) 2406315 - ET RBN Known Russian Business Network IP UDP (158) (emerging-rbn.rules) 2406316 - ET RBN Known Russian Business Network IP TCP (159) (emerging-rbn.rules) 2406317 - ET RBN Known Russian Business Network IP UDP (159) (emerging-rbn.rules) 2406318 - ET RBN Known Russian Business Network IP TCP (160) (emerging-rbn.rules) 2406319 - ET RBN Known Russian Business Network IP UDP (160) (emerging-rbn.rules) 2406320 - ET RBN Known Russian Business Network IP TCP (161) (emerging-rbn.rules) 2406321 - ET RBN Known Russian Business Network IP UDP (161) (emerging-rbn.rules) 2406322 - ET RBN Known Russian Business Network IP TCP (162) (emerging-rbn.rules) 2406323 - ET RBN Known Russian Business Network IP UDP (162) (emerging-rbn.rules) 2406324 - ET RBN Known Russian Business Network IP TCP (163) (emerging-rbn.rules) 2406325 - ET RBN Known Russian Business Network IP UDP (163) (emerging-rbn.rules) 2406326 - ET RBN Known Russian Business Network IP TCP (164) (emerging-rbn.rules) 2406327 - ET RBN Known Russian Business Network IP UDP (164) (emerging-rbn.rules) 2406328 - ET RBN Known Russian Business Network IP TCP (165) (emerging-rbn.rules) 2406329 - ET RBN Known Russian Business Network IP UDP (165) (emerging-rbn.rules) 2406330 - ET RBN Known Russian Business Network IP TCP (166) (emerging-rbn.rules) 2406331 - ET RBN Known Russian Business Network IP UDP (166) (emerging-rbn.rules) 2406332 - ET RBN Known Russian Business Network IP TCP (167) (emerging-rbn.rules) 2406333 - ET RBN Known Russian Business Network IP UDP (167) (emerging-rbn.rules) 2406334 - ET RBN Known Russian Business Network IP TCP (168) (emerging-rbn.rules) 2406335 - ET RBN Known Russian Business Network IP UDP (168) (emerging-rbn.rules) 2406336 - ET RBN Known Russian Business Network IP TCP (169) (emerging-rbn.rules) 2406337 - ET RBN Known Russian Business 
Network IP UDP (169) (emerging-rbn.rules) 2406338 - ET RBN Known Russian Business Network IP TCP (170) (emerging-rbn.rules) 2406339 - ET RBN Known Russian Business Network IP UDP (170) (emerging-rbn.rules) 2406340 - ET RBN Known Russian Business Network IP TCP (171) (emerging-rbn.rules) 2406341 - ET RBN Known Russian Business Network IP UDP (171) (emerging-rbn.rules) 2406342 - ET RBN Known Russian Business Network IP TCP (172) (emerging-rbn.rules) 2406343 - ET RBN Known Russian Business Network IP UDP (172) (emerging-rbn.rules) 2406344 - ET RBN Known Russian Business Network IP TCP (173) (emerging-rbn.rules) 2406345 - ET RBN Known Russian Business Network IP UDP (173) (emerging-rbn.rules) 2406346 - ET RBN Known Russian Business Network IP TCP (174) (emerging-rbn.rules) 2406347 - ET RBN Known Russian Business Network IP UDP (174) (emerging-rbn.rules) 2406348 - ET RBN Known Russian Business Network IP TCP (175) (emerging-rbn.rules) 2406349 - ET RBN Known Russian Business Network IP UDP (175) (emerging-rbn.rules) 2406350 - ET RBN Known Russian Business Network IP TCP (176) (emerging-rbn.rules) 2406351 - ET RBN Known Russian Business Network IP UDP (176) (emerging-rbn.rules) 2406352 - ET RBN Known Russian Business Network IP TCP (177) (emerging-rbn.rules) 2406353 - ET RBN Known Russian Business Network IP UDP (177) (emerging-rbn.rules) 2406354 - ET RBN Known Russian Business Network IP TCP (178) (emerging-rbn.rules) 2406355 - ET RBN Known Russian Business Network IP UDP (178) (emerging-rbn.rules) 2406356 - ET RBN Known Russian Business Network IP TCP (179) (emerging-rbn.rules) 2406357 - ET RBN Known Russian Business Network IP UDP (179) (emerging-rbn.rules) 2406358 - ET RBN Known Russian Business Network IP TCP (180) (emerging-rbn.rules) 2406359 - ET RBN Known Russian Business Network IP UDP (180) (emerging-rbn.rules) 2406360 - ET RBN Known Russian Business Network IP TCP (181) (emerging-rbn.rules) 2406361 - ET RBN Known Russian Business Network IP UDP (181) 
(emerging-rbn.rules) 2406873 - ET RBN Known Russian Business Network IP UDP (437) (emerging-rbn.rules) 2406874 - ET RBN Known Russian Business Network IP TCP (438) (emerging-rbn.rules) 2406875 - ET RBN Known Russian Business Network IP UDP (438) (emerging-rbn.rules) 2406876 - ET RBN Known Russian Business Network IP TCP (439) (emerging-rbn.rules) 2406877 - ET RBN Known Russian Business Network IP UDP (439) (emerging-rbn.rules) 2406878 - ET RBN Known Russian Business Network IP TCP (440) (emerging-rbn.rules) 2406879 - ET RBN Known Russian Business Network IP UDP (440) (emerging-rbn.rules) 2406880 - ET RBN Known Russian Business Network IP TCP (441) (emerging-rbn.rules) 2406881 - ET RBN Known Russian Business Network IP UDP (441) (emerging-rbn.rules) 2406882 - ET RBN Known Russian Business Network IP TCP (442) (emerging-rbn.rules) 2406883 - ET RBN Known Russian Business Network IP UDP (442) (emerging-rbn.rules) 2406884 - ET RBN Known Russian Business Network IP TCP (443) (emerging-rbn.rules) 2406885 - ET RBN Known Russian Business Network IP UDP (443) (emerging-rbn.rules) 2406886 - ET RBN Known Russian Business Network IP TCP (444) (emerging-rbn.rules) 2406887 - ET RBN Known Russian Business Network IP UDP (444) (emerging-rbn.rules) 2406888 - ET RBN Known Russian Business Network IP TCP (445) (emerging-rbn.rules) 2406889 - ET RBN Known Russian Business Network IP UDP (445) (emerging-rbn.rules) 2406890 - ET RBN Known Russian Business Network IP TCP (446) (emerging-rbn.rules) 2406891 - ET RBN Known Russian Business Network IP UDP (446) (emerging-rbn.rules) 2406892 - ET RBN Known Russian Business Network IP TCP (447) (emerging-rbn.rules) 2406893 - ET RBN Known Russian Business Network IP UDP (447) (emerging-rbn.rules) 2406894 - ET RBN Known Russian Business Network IP TCP (448) (emerging-rbn.rules) 2406895 - ET RBN Known Russian Business Network IP UDP (448) (emerging-rbn.rules) 2406896 - ET RBN Known Russian Business Network IP TCP (449) (emerging-rbn.rules) 2406897 - 
ET RBN Known Russian Business Network IP UDP (449) (emerging-rbn.rules) 2406898 - ET RBN Known Russian Business Network IP TCP (450) (emerging-rbn.rules) 2406899 - ET RBN Known Russian Business Network IP UDP (450) (emerging-rbn.rules) 2406900 - ET RBN Known Russian Business Network IP TCP (451) (emerging-rbn.rules) 2406901 - ET RBN Known Russian Business Network IP UDP (451) (emerging-rbn.rules) 2406902 - ET RBN Known Russian Business Network IP TCP (452) (emerging-rbn.rules) 2406903 - ET RBN Known Russian Business Network IP UDP (452) (emerging-rbn.rules) 2406904 - ET RBN Known Russian Business Network IP TCP (453) (emerging-rbn.rules) 2406905 - ET RBN Known Russian Business Network IP UDP (453) (emerging-rbn.rules) 2406906 - ET RBN Known Russian Business Network IP TCP (454) (emerging-rbn.rules) 2406907 - ET RBN Known Russian Business Network IP UDP (454) (emerging-rbn.rules) 2406908 - ET RBN Known Russian Business Network IP TCP (455) (emerging-rbn.rules) 2406909 - ET RBN Known Russian Business Network IP UDP (455) (emerging-rbn.rules) 2406910 - ET RBN Known Russian Business Network IP TCP (456) (emerging-rbn.rules) 2406911 - ET RBN Known Russian Business Network IP UDP (456) (emerging-rbn.rules) 2406912 - ET RBN Known Russian Business Network IP TCP (457) (emerging-rbn.rules) 2406913 - ET RBN Known Russian Business Network IP UDP (457) (emerging-rbn.rules) 2406914 - ET RBN Known Russian Business Network IP TCP (458) (emerging-rbn.rules) 2406915 - ET RBN Known Russian Business Network IP UDP (458) (emerging-rbn.rules) 2406916 - ET RBN Known Russian Business Network IP TCP (459) (emerging-rbn.rules) 2406917 - ET RBN Known Russian Business Network IP UDP (459) (emerging-rbn.rules) 2406918 - ET RBN Known Russian Business Network IP TCP (460) (emerging-rbn.rules) 2406919 - ET RBN Known Russian Business Network IP UDP (460) (emerging-rbn.rules) 2406920 - ET RBN Known Russian Business Network IP TCP (461) (emerging-rbn.rules) 2406921 - ET RBN Known Russian Business 
Network IP UDP (461) (emerging-rbn.rules) 2406922 - ET RBN Known Russian Business Network IP TCP (462) (emerging-rbn.rules) 2406923 - ET RBN Known Russian Business Network IP UDP (462) (emerging-rbn.rules) 2406924 - ET RBN Known Russian Business Network IP TCP (463) (emerging-rbn.rules) 2406925 - ET RBN Known Russian Business Network IP UDP (463) (emerging-rbn.rules) 2406926 - ET RBN Known Russian Business Network IP TCP (464) (emerging-rbn.rules) 2406927 - ET RBN Known Russian Business Network IP UDP (464) (emerging-rbn.rules) 2406928 - ET RBN Known Russian Business Network IP TCP (465) (emerging-rbn.rules) 2406929 - ET RBN Known Russian Business Network IP UDP (465) (emerging-rbn.rules) 2406930 - ET RBN Known Russian Business Network IP TCP (466) (emerging-rbn.rules) 2406931 - ET RBN Known Russian Business Network IP UDP (466) (emerging-rbn.rules) 2406932 - ET RBN Known Russian Business Network IP TCP (467) (emerging-rbn.rules) 2406933 - ET RBN Known Russian Business Network IP UDP (467) (emerging-rbn.rules) 2406934 - ET RBN Known Russian Business Network IP TCP (468) (emerging-rbn.rules) 2406935 - ET RBN Known Russian Business Network IP UDP (468) (emerging-rbn.rules) 2406936 - ET RBN Known Russian Business Network IP TCP (469) (emerging-rbn.rules) 2406937 - ET RBN Known Russian Business Network IP UDP (469) (emerging-rbn.rules) 2406938 - ET RBN Known Russian Business Network IP TCP (470) (emerging-rbn.rules) 2406939 - ET RBN Known Russian Business Network IP UDP (470) (emerging-rbn.rules) 2406940 - ET RBN Known Russian Business Network IP TCP (471) (emerging-rbn.rules) 2406941 - ET RBN Known Russian Business Network IP UDP (471) (emerging-rbn.rules) 2406942 - ET RBN Known Russian Business Network IP TCP (472) (emerging-rbn.rules) 2406943 - ET RBN Known Russian Business Network IP UDP (472) (emerging-rbn.rules) 2406944 - ET RBN Known Russian Business Network IP TCP (473) (emerging-rbn.rules) 2406945 - ET RBN Known Russian Business Network IP UDP (473) 
(emerging-rbn.rules) 2406946 - ET RBN Known Russian Business Network IP TCP (474) (emerging-rbn.rules) 2406947 - ET RBN Known Russian Business Network IP UDP (474) (emerging-rbn.rules) 2406948 - ET RBN Known Russian Business Network IP TCP (475) (emerging-rbn.rules) 2406949 - ET RBN Known Russian Business Network IP UDP (475) (emerging-rbn.rules) 2406950 - ET RBN Known Russian Business Network IP TCP (476) (emerging-rbn.rules) 2406951 - ET RBN Known Russian Business Network IP UDP (476) (emerging-rbn.rules) 2406952 - ET RBN Known Russian Business Network IP TCP (477) (emerging-rbn.rules) 2406953 - ET RBN Known Russian Business Network IP UDP (477) (emerging-rbn.rules) 2406954 - ET RBN Known Russian Business Network IP TCP (478) (emerging-rbn.rules) 2406955 - ET RBN Known Russian Business Network IP UDP (478) (emerging-rbn.rules) 2406956 - ET RBN Known Russian Business Network IP TCP (479) (emerging-rbn.rules) 2406957 - ET RBN Known Russian Business Network IP UDP (479) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network IP TCP - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network IP UDP - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network IP TCP - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network IP UDP - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network IP TCP - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network IP UDP - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network IP TCP - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network IP UDP - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network IP TCP - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network IP UDP - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known 
Russian Business Network IP TCP - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network IP UDP - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network IP TCP - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network IP UDP - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network IP TCP - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network IP UDP - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network IP TCP - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network IP UDP - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network IP TCP - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network IP UDP - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network IP TCP - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network IP UDP - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network IP TCP - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network IP UDP - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network IP TCP - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network IP UDP - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network IP TCP - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network IP UDP - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network IP TCP - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network IP UDP - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network IP TCP - BLOCKING (16) 
(emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network IP UDP - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network IP TCP - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network IP UDP - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network IP TCP - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network IP UDP - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network IP TCP - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network IP UDP - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network IP TCP - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network IP UDP - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network IP TCP - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network IP UDP - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network IP TCP - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network IP UDP - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network IP TCP - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network IP UDP - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network IP TCP - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network IP UDP - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network IP TCP - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network IP UDP - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network IP TCP - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407051 - ET 
RBN Known Russian Business Network IP UDP - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network IP TCP - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network IP UDP - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network IP TCP - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network IP UDP - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network IP TCP - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network IP UDP - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network IP TCP - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network IP UDP - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network IP TCP - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network IP UDP - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network IP TCP - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network IP UDP - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network IP TCP - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network IP UDP - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network IP TCP - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network IP UDP - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network IP TCP - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network IP UDP - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network IP TCP - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network IP 
UDP - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network IP TCP - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network IP UDP - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network IP TCP - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network IP UDP - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network IP TCP - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network IP UDP - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network IP TCP - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network IP UDP - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network IP TCP - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network IP UDP - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network IP TCP - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network IP UDP - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network IP TCP - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network IP UDP - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network IP TCP - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network IP UDP - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network IP TCP - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network IP UDP - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network IP TCP - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network IP UDP - BLOCKING (46) 
(emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network IP TCP - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network IP UDP - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network IP TCP - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network IP UDP - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network IP TCP - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network IP UDP - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network IP TCP - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network IP UDP - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network IP TCP - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network IP UDP - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network IP TCP - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network IP UDP - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network IP TCP - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network IP UDP - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network IP TCP - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network IP UDP - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network IP TCP - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network IP UDP - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network IP TCP - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network IP UDP - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407112 - ET 
RBN Known Russian Business Network IP TCP - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network IP UDP - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network IP TCP - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network IP UDP - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network IP TCP - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network IP UDP - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network IP TCP - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network IP UDP - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network IP TCP - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network IP UDP - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network IP TCP - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network IP UDP - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network IP TCP - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network IP UDP - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network IP TCP - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network IP UDP - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network IP TCP - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network IP UDP - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network IP TCP - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network IP UDP - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network IP 
TCP - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network IP UDP - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network IP TCP - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network IP UDP - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network IP TCP - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network IP UDP - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network IP TCP - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network IP UDP - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network IP TCP - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network IP UDP - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network IP TCP - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network IP UDP - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network IP TCP - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network IP UDP - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network IP TCP - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network IP UDP - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network IP TCP - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network IP UDP - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network IP TCP - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network IP UDP - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network IP TCP - BLOCKING (77) 
(emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network IP UDP - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network IP TCP - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network IP UDP - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network IP TCP - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network IP UDP - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network IP TCP - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network IP UDP - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network IP TCP - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network IP UDP - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network IP TCP - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network IP UDP - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network IP TCP - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network IP UDP - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network IP TCP - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network IP UDP - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network IP TCP - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network IP UDP - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network IP TCP - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network IP UDP - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network IP TCP - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407173 - ET 
RBN Known Russian Business Network IP UDP - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network IP TCP - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network IP UDP - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network IP TCP - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network IP UDP - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network IP TCP - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network IP UDP - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network IP TCP - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network IP UDP - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network IP TCP - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network IP UDP - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network IP TCP - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network IP UDP - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network IP TCP - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network IP UDP - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network IP TCP - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network IP UDP - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network IP TCP - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network IP UDP - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network IP TCP - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network IP 
(emerging-rbn-BLOCK.rules) 2407614 - ET RBN Known Russian Business Network IP TCP - BLOCKING (308) (emerging-rbn-BLOCK.rules) 2407615 - ET RBN Known Russian Business Network IP UDP - BLOCKING (308) (emerging-rbn-BLOCK.rules) 2407616 - ET RBN Known Russian Business Network IP TCP - BLOCKING (309) (emerging-rbn-BLOCK.rules) 2407617 - ET RBN Known Russian Business Network IP UDP - BLOCKING (309) (emerging-rbn-BLOCK.rules) 2407618 - ET RBN Known Russian Business Network IP TCP - BLOCKING (310) (emerging-rbn-BLOCK.rules) 2407619 - ET RBN Known Russian Business Network IP UDP - BLOCKING (310) (emerging-rbn-BLOCK.rules) 2407620 - ET RBN Known Russian Business Network IP TCP - BLOCKING (311) (emerging-rbn-BLOCK.rules) 2407621 - ET RBN Known Russian Business Network IP UDP - BLOCKING (311) (emerging-rbn-BLOCK.rules) 2407622 - ET RBN Known Russian Business Network IP TCP - BLOCKING (312) (emerging-rbn-BLOCK.rules) 2407623 - ET RBN Known Russian Business Network IP UDP - BLOCKING (312) (emerging-rbn-BLOCK.rules) 2407624 - ET RBN Known Russian Business Network IP TCP - BLOCKING (313) (emerging-rbn-BLOCK.rules) 2407625 - ET RBN Known Russian Business Network IP UDP - BLOCKING (313) (emerging-rbn-BLOCK.rules) 2407626 - ET RBN Known Russian Business Network IP TCP - BLOCKING (314) (emerging-rbn-BLOCK.rules) 2407627 - ET RBN Known Russian Business Network IP UDP - BLOCKING (314) (emerging-rbn-BLOCK.rules) 2407628 - ET RBN Known Russian Business Network IP TCP - BLOCKING (315) (emerging-rbn-BLOCK.rules) 2407629 - ET RBN Known Russian Business Network IP UDP - BLOCKING (315) (emerging-rbn-BLOCK.rules) 2407630 - ET RBN Known Russian Business Network IP TCP - BLOCKING (316) (emerging-rbn-BLOCK.rules) 2407631 - ET RBN Known Russian Business Network IP UDP - BLOCKING (316) (emerging-rbn-BLOCK.rules) 2407632 - ET RBN Known Russian Business Network IP TCP - BLOCKING (317) (emerging-rbn-BLOCK.rules) 2407633 - ET RBN Known Russian Business Network IP UDP - BLOCKING (317) 
(emerging-rbn-BLOCK.rules) 2407634 - ET RBN Known Russian Business Network IP TCP - BLOCKING (318) (emerging-rbn-BLOCK.rules) 2407635 - ET RBN Known Russian Business Network IP UDP - BLOCKING (318) (emerging-rbn-BLOCK.rules) 2407636 - ET RBN Known Russian Business Network IP TCP - BLOCKING (319) (emerging-rbn-BLOCK.rules) 2407637 - ET RBN Known Russian Business Network IP UDP - BLOCKING (319) (emerging-rbn-BLOCK.rules) 2407638 - ET RBN Known Russian Business Network IP TCP - BLOCKING (320) (emerging-rbn-BLOCK.rules) 2407639 - ET RBN Known Russian Business Network IP UDP - BLOCKING (320) (emerging-rbn-BLOCK.rules) 2407640 - ET RBN Known Russian Business Network IP TCP - BLOCKING (321) (emerging-rbn-BLOCK.rules) 2407641 - ET RBN Known Russian Business Network IP UDP - BLOCKING (321) (emerging-rbn-BLOCK.rules) 2407642 - ET RBN Known Russian Business Network IP TCP - BLOCKING (322) (emerging-rbn-BLOCK.rules) 2407643 - ET RBN Known Russian Business Network IP UDP - BLOCKING (322) (emerging-rbn-BLOCK.rules) 2407644 - ET RBN Known Russian Business Network IP TCP - BLOCKING (323) (emerging-rbn-BLOCK.rules) 2407645 - ET RBN Known Russian Business Network IP UDP - BLOCKING (323) (emerging-rbn-BLOCK.rules) 2407646 - ET RBN Known Russian Business Network IP TCP - BLOCKING (324) (emerging-rbn-BLOCK.rules) 2407647 - ET RBN Known Russian Business Network IP UDP - BLOCKING (324) (emerging-rbn-BLOCK.rules) 2407648 - ET RBN Known Russian Business Network IP TCP - BLOCKING (325) (emerging-rbn-BLOCK.rules) 2407649 - ET RBN Known Russian Business Network IP UDP - BLOCKING (325) (emerging-rbn-BLOCK.rules) 2407650 - ET RBN Known Russian Business Network IP TCP - BLOCKING (326) (emerging-rbn-BLOCK.rules) 2407651 - ET RBN Known Russian Business Network IP UDP - BLOCKING (326) (emerging-rbn-BLOCK.rules) 2407652 - ET RBN Known Russian Business Network IP TCP - BLOCKING (327) (emerging-rbn-BLOCK.rules) 2407653 - ET RBN Known Russian Business Network IP UDP - BLOCKING (327) 
(emerging-rbn-BLOCK.rules) 2407654 - ET RBN Known Russian Business Network IP TCP - BLOCKING (328) (emerging-rbn-BLOCK.rules) 2407655 - ET RBN Known Russian Business Network IP UDP - BLOCKING (328) (emerging-rbn-BLOCK.rules) 2407656 - ET RBN Known Russian Business Network IP TCP - BLOCKING (329) (emerging-rbn-BLOCK.rules) 2407657 - ET RBN Known Russian Business Network IP UDP - BLOCKING (329) (emerging-rbn-BLOCK.rules) 2407658 - ET RBN Known Russian Business Network IP TCP - BLOCKING (330) (emerging-rbn-BLOCK.rules) 2407659 - ET RBN Known Russian Business Network IP UDP - BLOCKING (330) (emerging-rbn-BLOCK.rules) 2407660 - ET RBN Known Russian Business Network IP TCP - BLOCKING (331) (emerging-rbn-BLOCK.rules) 2407661 - ET RBN Known Russian Business Network IP UDP - BLOCKING (331) (emerging-rbn-BLOCK.rules) 2407662 - ET RBN Known Russian Business Network IP TCP - BLOCKING (332) (emerging-rbn-BLOCK.rules) 2407663 - ET RBN Known Russian Business Network IP UDP - BLOCKING (332) (emerging-rbn-BLOCK.rules) 2407664 - ET RBN Known Russian Business Network IP TCP - BLOCKING (333) (emerging-rbn-BLOCK.rules) 2407665 - ET RBN Known Russian Business Network IP UDP - BLOCKING (333) (emerging-rbn-BLOCK.rules) 2407666 - ET RBN Known Russian Business Network IP TCP - BLOCKING (334) (emerging-rbn-BLOCK.rules) 2407667 - ET RBN Known Russian Business Network IP UDP - BLOCKING (334) (emerging-rbn-BLOCK.rules) 2407668 - ET RBN Known Russian Business Network IP TCP - BLOCKING (335) (emerging-rbn-BLOCK.rules) 2407669 - ET RBN Known Russian Business Network IP UDP - BLOCKING (335) (emerging-rbn-BLOCK.rules) 2407670 - ET RBN Known Russian Business Network IP TCP - BLOCKING (336) (emerging-rbn-BLOCK.rules) 2407671 - ET RBN Known Russian Business Network IP UDP - BLOCKING (336) (emerging-rbn-BLOCK.rules) 2407672 - ET RBN Known Russian Business Network IP TCP - BLOCKING (337) (emerging-rbn-BLOCK.rules) 2407673 - ET RBN Known Russian Business Network IP UDP - BLOCKING (337) 
(emerging-rbn-BLOCK.rules) 2407674 - ET RBN Known Russian Business Network IP TCP - BLOCKING (338) (emerging-rbn-BLOCK.rules) 2407675 - ET RBN Known Russian Business Network IP UDP - BLOCKING (338) (emerging-rbn-BLOCK.rules) 2407676 - ET RBN Known Russian Business Network IP TCP - BLOCKING (339) (emerging-rbn-BLOCK.rules) 2407677 - ET RBN Known Russian Business Network IP UDP - BLOCKING (339) (emerging-rbn-BLOCK.rules) 2407678 - ET RBN Known Russian Business Network IP TCP - BLOCKING (340) (emerging-rbn-BLOCK.rules) 2407679 - ET RBN Known Russian Business Network IP UDP - BLOCKING (340) (emerging-rbn-BLOCK.rules) 2407680 - ET RBN Known Russian Business Network IP TCP - BLOCKING (341) (emerging-rbn-BLOCK.rules) 2407681 - ET RBN Known Russian Business Network IP UDP - BLOCKING (341) (emerging-rbn-BLOCK.rules) 2407682 - ET RBN Known Russian Business Network IP TCP - BLOCKING (342) (emerging-rbn-BLOCK.rules) 2407683 - ET RBN Known Russian Business Network IP UDP - BLOCKING (342) (emerging-rbn-BLOCK.rules) 2407684 - ET RBN Known Russian Business Network IP TCP - BLOCKING (343) (emerging-rbn-BLOCK.rules) 2407685 - ET RBN Known Russian Business Network IP UDP - BLOCKING (343) (emerging-rbn-BLOCK.rules) 2407686 - ET RBN Known Russian Business Network IP TCP - BLOCKING (344) (emerging-rbn-BLOCK.rules) 2407687 - ET RBN Known Russian Business Network IP UDP - BLOCKING (344) (emerging-rbn-BLOCK.rules) 2407688 - ET RBN Known Russian Business Network IP TCP - BLOCKING (345) (emerging-rbn-BLOCK.rules) 2407689 - ET RBN Known Russian Business Network IP UDP - BLOCKING (345) (emerging-rbn-BLOCK.rules) 2407690 - ET RBN Known Russian Business Network IP TCP - BLOCKING (346) (emerging-rbn-BLOCK.rules) 2407691 - ET RBN Known Russian Business Network IP UDP - BLOCKING (346) (emerging-rbn-BLOCK.rules) 2407692 - ET RBN Known Russian Business Network IP TCP - BLOCKING (347) (emerging-rbn-BLOCK.rules) 2407693 - ET RBN Known Russian Business Network IP UDP - BLOCKING (347) 
(emerging-rbn-BLOCK.rules) 2407694 - ET RBN Known Russian Business Network IP TCP - BLOCKING (348) (emerging-rbn-BLOCK.rules) 2407695 - ET RBN Known Russian Business Network IP UDP - BLOCKING (348) (emerging-rbn-BLOCK.rules) 2407696 - ET RBN Known Russian Business Network IP TCP - BLOCKING (349) (emerging-rbn-BLOCK.rules) 2407697 - ET RBN Known Russian Business Network IP UDP - BLOCKING (349) (emerging-rbn-BLOCK.rules) 2407698 - ET RBN Known Russian Business Network IP TCP - BLOCKING (350) (emerging-rbn-BLOCK.rules) 2407699 - ET RBN Known Russian Business Network IP UDP - BLOCKING (350) (emerging-rbn-BLOCK.rules) 2407700 - ET RBN Known Russian Business Network IP TCP - BLOCKING (351) (emerging-rbn-BLOCK.rules) 2407701 - ET RBN Known Russian Business Network IP UDP - BLOCKING (351) (emerging-rbn-BLOCK.rules) 2407702 - ET RBN Known Russian Business Network IP TCP - BLOCKING (352) (emerging-rbn-BLOCK.rules) 2407703 - ET RBN Known Russian Business Network IP UDP - BLOCKING (352) (emerging-rbn-BLOCK.rules) 2407704 - ET RBN Known Russian Business Network IP TCP - BLOCKING (353) (emerging-rbn-BLOCK.rules) 2407705 - ET RBN Known Russian Business Network IP UDP - BLOCKING (353) (emerging-rbn-BLOCK.rules) 2407706 - ET RBN Known Russian Business Network IP TCP - BLOCKING (354) (emerging-rbn-BLOCK.rules) 2407707 - ET RBN Known Russian Business Network IP UDP - BLOCKING (354) (emerging-rbn-BLOCK.rules) 2407708 - ET RBN Known Russian Business Network IP TCP - BLOCKING (355) (emerging-rbn-BLOCK.rules) 2407709 - ET RBN Known Russian Business Network IP UDP - BLOCKING (355) (emerging-rbn-BLOCK.rules) 2407710 - ET RBN Known Russian Business Network IP TCP - BLOCKING (356) (emerging-rbn-BLOCK.rules) 2407711 - ET RBN Known Russian Business Network IP UDP - BLOCKING (356) (emerging-rbn-BLOCK.rules) 2407712 - ET RBN Known Russian Business Network IP TCP - BLOCKING (357) (emerging-rbn-BLOCK.rules) 2407713 - ET RBN Known Russian Business Network IP UDP - BLOCKING (357) 
(emerging-rbn-BLOCK.rules) 2407714 - ET RBN Known Russian Business Network IP TCP - BLOCKING (358) (emerging-rbn-BLOCK.rules) 2407715 - ET RBN Known Russian Business Network IP UDP - BLOCKING (358) (emerging-rbn-BLOCK.rules) 2407716 - ET RBN Known Russian Business Network IP TCP - BLOCKING (359) (emerging-rbn-BLOCK.rules) 2407717 - ET RBN Known Russian Business Network IP UDP - BLOCKING (359) (emerging-rbn-BLOCK.rules) 2407718 - ET RBN Known Russian Business Network IP TCP - BLOCKING (360) (emerging-rbn-BLOCK.rules) 2407719 - ET RBN Known Russian Business Network IP UDP - BLOCKING (360) (emerging-rbn-BLOCK.rules) 2407720 - ET RBN Known Russian Business Network IP TCP - BLOCKING (361) (emerging-rbn-BLOCK.rules) 2407721 - ET RBN Known Russian Business Network IP UDP - BLOCKING (361) (emerging-rbn-BLOCK.rules) 2407722 - ET RBN Known Russian Business Network IP TCP - BLOCKING (362) (emerging-rbn-BLOCK.rules) 2407723 - ET RBN Known Russian Business Network IP UDP - BLOCKING (362) (emerging-rbn-BLOCK.rules) 2407724 - ET RBN Known Russian Business Network IP TCP - BLOCKING (363) (emerging-rbn-BLOCK.rules) 2407725 - ET RBN Known Russian Business Network IP UDP - BLOCKING (363) (emerging-rbn-BLOCK.rules) 2407726 - ET RBN Known Russian Business Network IP TCP - BLOCKING (364) (emerging-rbn-BLOCK.rules) 2407727 - ET RBN Known Russian Business Network IP UDP - BLOCKING (364) (emerging-rbn-BLOCK.rules) 2407728 - ET RBN Known Russian Business Network IP TCP - BLOCKING (365) (emerging-rbn-BLOCK.rules) 2407729 - ET RBN Known Russian Business Network IP UDP - BLOCKING (365) (emerging-rbn-BLOCK.rules) 2407730 - ET RBN Known Russian Business Network IP TCP - BLOCKING (366) (emerging-rbn-BLOCK.rules) 2407731 - ET RBN Known Russian Business Network IP UDP - BLOCKING (366) (emerging-rbn-BLOCK.rules) 2407732 - ET RBN Known Russian Business Network IP TCP - BLOCKING (367) (emerging-rbn-BLOCK.rules) 2407733 - ET RBN Known Russian Business Network IP UDP - BLOCKING (367) 
(emerging-rbn-BLOCK.rules) 2407734 - ET RBN Known Russian Business Network IP TCP - BLOCKING (368) (emerging-rbn-BLOCK.rules) 2407735 - ET RBN Known Russian Business Network IP UDP - BLOCKING (368) (emerging-rbn-BLOCK.rules) 2407736 - ET RBN Known Russian Business Network IP TCP - BLOCKING (369) (emerging-rbn-BLOCK.rules) 2407737 - ET RBN Known Russian Business Network IP UDP - BLOCKING (369) (emerging-rbn-BLOCK.rules) 2407738 - ET RBN Known Russian Business Network IP TCP - BLOCKING (370) (emerging-rbn-BLOCK.rules) 2407739 - ET RBN Known Russian Business Network IP UDP - BLOCKING (370) (emerging-rbn-BLOCK.rules) 2407740 - ET RBN Known Russian Business Network IP TCP - BLOCKING (371) (emerging-rbn-BLOCK.rules) 2407741 - ET RBN Known Russian Business Network IP UDP - BLOCKING (371) (emerging-rbn-BLOCK.rules) 2407742 - ET RBN Known Russian Business Network IP TCP - BLOCKING (372) (emerging-rbn-BLOCK.rules) 2407743 - ET RBN Known Russian Business Network IP UDP - BLOCKING (372) (emerging-rbn-BLOCK.rules) 2407744 - ET RBN Known Russian Business Network IP TCP - BLOCKING (373) (emerging-rbn-BLOCK.rules) 2407745 - ET RBN Known Russian Business Network IP UDP - BLOCKING (373) (emerging-rbn-BLOCK.rules) 2407746 - ET RBN Known Russian Business Network IP TCP - BLOCKING (374) (emerging-rbn-BLOCK.rules) 2407747 - ET RBN Known Russian Business Network IP UDP - BLOCKING (374) (emerging-rbn-BLOCK.rules) 2407748 - ET RBN Known Russian Business Network IP TCP - BLOCKING (375) (emerging-rbn-BLOCK.rules) 2407749 - ET RBN Known Russian Business Network IP UDP - BLOCKING (375) (emerging-rbn-BLOCK.rules) 2407750 - ET RBN Known Russian Business Network IP TCP - BLOCKING (376) (emerging-rbn-BLOCK.rules) 2407751 - ET RBN Known Russian Business Network IP UDP - BLOCKING (376) (emerging-rbn-BLOCK.rules) 2407752 - ET RBN Known Russian Business Network IP TCP - BLOCKING (377) (emerging-rbn-BLOCK.rules) 2407753 - ET RBN Known Russian Business Network IP UDP - BLOCKING (377) 
(emerging-rbn-BLOCK.rules) 2407754 - ET RBN Known Russian Business Network IP TCP - BLOCKING (378) (emerging-rbn-BLOCK.rules) 2407755 - ET RBN Known Russian Business Network IP UDP - BLOCKING (378) (emerging-rbn-BLOCK.rules) 2407756 - ET RBN Known Russian Business Network IP TCP - BLOCKING (379) (emerging-rbn-BLOCK.rules) 2407757 - ET RBN Known Russian Business Network IP UDP - BLOCKING (379) (emerging-rbn-BLOCK.rules) 2407758 - ET RBN Known Russian Business Network IP TCP - BLOCKING (380) (emerging-rbn-BLOCK.rules) 2407759 - ET RBN Known Russian Business Network IP UDP - BLOCKING (380) (emerging-rbn-BLOCK.rules) 2407760 - ET RBN Known Russian Business Network IP TCP - BLOCKING (381) (emerging-rbn-BLOCK.rules) 2407761 - ET RBN Known Russian Business Network IP UDP - BLOCKING (381) (emerging-rbn-BLOCK.rules) 2407762 - ET RBN Known Russian Business Network IP TCP - BLOCKING (382) (emerging-rbn-BLOCK.rules) 2407763 - ET RBN Known Russian Business Network IP UDP - BLOCKING (382) (emerging-rbn-BLOCK.rules) 2407764 - ET RBN Known Russian Business Network IP TCP - BLOCKING (383) (emerging-rbn-BLOCK.rules) 2407765 - ET RBN Known Russian Business Network IP UDP - BLOCKING (383) (emerging-rbn-BLOCK.rules) 2407766 - ET RBN Known Russian Business Network IP TCP - BLOCKING (384) (emerging-rbn-BLOCK.rules) 2407767 - ET RBN Known Russian Business Network IP UDP - BLOCKING (384) (emerging-rbn-BLOCK.rules) 2407768 - ET RBN Known Russian Business Network IP TCP - BLOCKING (385) (emerging-rbn-BLOCK.rules) 2407769 - ET RBN Known Russian Business Network IP UDP - BLOCKING (385) (emerging-rbn-BLOCK.rules) 2407770 - ET RBN Known Russian Business Network IP TCP - BLOCKING (386) (emerging-rbn-BLOCK.rules) 2407771 - ET RBN Known Russian Business Network IP UDP - BLOCKING (386) (emerging-rbn-BLOCK.rules) 2407772 - ET RBN Known Russian Business Network IP TCP - BLOCKING (387) (emerging-rbn-BLOCK.rules) 2407773 - ET RBN Known Russian Business Network IP UDP - BLOCKING (387) 
(emerging-rbn-BLOCK.rules) 2407774 - ET RBN Known Russian Business Network IP TCP - BLOCKING (388) (emerging-rbn-BLOCK.rules) 2407775 - ET RBN Known Russian Business Network IP UDP - BLOCKING (388) (emerging-rbn-BLOCK.rules) 2407776 - ET RBN Known Russian Business Network IP TCP - BLOCKING (389) (emerging-rbn-BLOCK.rules) 2407777 - ET RBN Known Russian Business Network IP UDP - BLOCKING (389) (emerging-rbn-BLOCK.rules) 2407778 - ET RBN Known Russian Business Network IP TCP - BLOCKING (390) (emerging-rbn-BLOCK.rules) 2407779 - ET RBN Known Russian Business Network IP UDP - BLOCKING (390) (emerging-rbn-BLOCK.rules) 2407780 - ET RBN Known Russian Business Network IP TCP - BLOCKING (391) (emerging-rbn-BLOCK.rules) 2407781 - ET RBN Known Russian Business Network IP UDP - BLOCKING (391) (emerging-rbn-BLOCK.rules) 2407782 - ET RBN Known Russian Business Network IP TCP - BLOCKING (392) (emerging-rbn-BLOCK.rules) 2407783 - ET RBN Known Russian Business Network IP UDP - BLOCKING (392) (emerging-rbn-BLOCK.rules) 2407784 - ET RBN Known Russian Business Network IP TCP - BLOCKING (393) (emerging-rbn-BLOCK.rules) 2407785 - ET RBN Known Russian Business Network IP UDP - BLOCKING (393) (emerging-rbn-BLOCK.rules) 2407786 - ET RBN Known Russian Business Network IP TCP - BLOCKING (394) (emerging-rbn-BLOCK.rules) 2407787 - ET RBN Known Russian Business Network IP UDP - BLOCKING (394) (emerging-rbn-BLOCK.rules) 2407788 - ET RBN Known Russian Business Network IP TCP - BLOCKING (395) (emerging-rbn-BLOCK.rules) 2407789 - ET RBN Known Russian Business Network IP UDP - BLOCKING (395) (emerging-rbn-BLOCK.rules) 2407790 - ET RBN Known Russian Business Network IP TCP - BLOCKING (396) (emerging-rbn-BLOCK.rules) 2407791 - ET RBN Known Russian Business Network IP UDP - BLOCKING (396) (emerging-rbn-BLOCK.rules) 2407792 - ET RBN Known Russian Business Network IP TCP - BLOCKING (397) (emerging-rbn-BLOCK.rules) 2407793 - ET RBN Known Russian Business Network IP UDP - BLOCKING (397) 
(emerging-rbn-BLOCK.rules) 2407794 - ET RBN Known Russian Business Network IP TCP - BLOCKING (398) (emerging-rbn-BLOCK.rules) 2407795 - ET RBN Known Russian Business Network IP UDP - BLOCKING (398) (emerging-rbn-BLOCK.rules) 2407796 - ET RBN Known Russian Business Network IP TCP - BLOCKING (399) (emerging-rbn-BLOCK.rules) 2407797 - ET RBN Known Russian Business Network IP UDP - BLOCKING (399) (emerging-rbn-BLOCK.rules) 2407798 - ET RBN Known Russian Business Network IP TCP - BLOCKING (400) (emerging-rbn-BLOCK.rules) 2407799 - ET RBN Known Russian Business Network IP UDP - BLOCKING (400) (emerging-rbn-BLOCK.rules) 2407800 - ET RBN Known Russian Business Network IP TCP - BLOCKING (401) (emerging-rbn-BLOCK.rules) 2407801 - ET RBN Known Russian Business Network IP UDP - BLOCKING (401) (emerging-rbn-BLOCK.rules) 2407802 - ET RBN Known Russian Business Network IP TCP - BLOCKING (402) (emerging-rbn-BLOCK.rules) 2407803 - ET RBN Known Russian Business Network IP UDP - BLOCKING (402) (emerging-rbn-BLOCK.rules) 2407804 - ET RBN Known Russian Business Network IP TCP - BLOCKING (403) (emerging-rbn-BLOCK.rules) 2407805 - ET RBN Known Russian Business Network IP UDP - BLOCKING (403) (emerging-rbn-BLOCK.rules) 2407806 - ET RBN Known Russian Business Network IP TCP - BLOCKING (404) (emerging-rbn-BLOCK.rules) 2407807 - ET RBN Known Russian Business Network IP UDP - BLOCKING (404) (emerging-rbn-BLOCK.rules) 2407808 - ET RBN Known Russian Business Network IP TCP - BLOCKING (405) (emerging-rbn-BLOCK.rules) 2407809 - ET RBN Known Russian Business Network IP UDP - BLOCKING (405) (emerging-rbn-BLOCK.rules) 2407810 - ET RBN Known Russian Business Network IP TCP - BLOCKING (406) (emerging-rbn-BLOCK.rules) 2407811 - ET RBN Known Russian Business Network IP UDP - BLOCKING (406) (emerging-rbn-BLOCK.rules) 2407812 - ET RBN Known Russian Business Network IP TCP - BLOCKING (407) (emerging-rbn-BLOCK.rules) 2407813 - ET RBN Known Russian Business Network IP UDP - BLOCKING (407) 
(emerging-rbn-BLOCK.rules) 2407814 - ET RBN Known Russian Business Network IP TCP - BLOCKING (408) (emerging-rbn-BLOCK.rules) 2407815 - ET RBN Known Russian Business Network IP UDP - BLOCKING (408) (emerging-rbn-BLOCK.rules) 2407816 - ET RBN Known Russian Business Network IP TCP - BLOCKING (409) (emerging-rbn-BLOCK.rules) 2407817 - ET RBN Known Russian Business Network IP UDP - BLOCKING (409) (emerging-rbn-BLOCK.rules) 2407818 - ET RBN Known Russian Business Network IP TCP - BLOCKING (410) (emerging-rbn-BLOCK.rules) 2407819 - ET RBN Known Russian Business Network IP UDP - BLOCKING (410) (emerging-rbn-BLOCK.rules) 2407820 - ET RBN Known Russian Business Network IP TCP - BLOCKING (411) (emerging-rbn-BLOCK.rules) 2407821 - ET RBN Known Russian Business Network IP UDP - BLOCKING (411) (emerging-rbn-BLOCK.rules) 2407822 - ET RBN Known Russian Business Network IP TCP - BLOCKING (412) (emerging-rbn-BLOCK.rules) 2407823 - ET RBN Known Russian Business Network IP UDP - BLOCKING (412) (emerging-rbn-BLOCK.rules) 2407824 - ET RBN Known Russian Business Network IP TCP - BLOCKING (413) (emerging-rbn-BLOCK.rules) 2407825 - ET RBN Known Russian Business Network IP UDP - BLOCKING (413) (emerging-rbn-BLOCK.rules) 2407826 - ET RBN Known Russian Business Network IP TCP - BLOCKING (414) (emerging-rbn-BLOCK.rules) 2407827 - ET RBN Known Russian Business Network IP UDP - BLOCKING (414) (emerging-rbn-BLOCK.rules) 2407828 - ET RBN Known Russian Business Network IP TCP - BLOCKING (415) (emerging-rbn-BLOCK.rules) 2407829 - ET RBN Known Russian Business Network IP UDP - BLOCKING (415) (emerging-rbn-BLOCK.rules) 2407830 - ET RBN Known Russian Business Network IP TCP - BLOCKING (416) (emerging-rbn-BLOCK.rules) 2407831 - ET RBN Known Russian Business Network IP UDP - BLOCKING (416) (emerging-rbn-BLOCK.rules) 2407832 - ET RBN Known Russian Business Network IP TCP - BLOCKING (417) (emerging-rbn-BLOCK.rules) 2407833 - ET RBN Known Russian Business Network IP UDP - BLOCKING (417) 
(emerging-rbn-BLOCK.rules) 2407834 - ET RBN Known Russian Business Network IP TCP - BLOCKING (418) (emerging-rbn-BLOCK.rules) 2407835 - ET RBN Known Russian Business Network IP UDP - BLOCKING (418) (emerging-rbn-BLOCK.rules) 2407836 - ET RBN Known Russian Business Network IP TCP - BLOCKING (419) (emerging-rbn-BLOCK.rules) 2407837 - ET RBN Known Russian Business Network IP UDP - BLOCKING (419) (emerging-rbn-BLOCK.rules) 2407838 - ET RBN Known Russian Business Network IP TCP - BLOCKING (420) (emerging-rbn-BLOCK.rules) 2407839 - ET RBN Known Russian Business Network IP UDP - BLOCKING (420) (emerging-rbn-BLOCK.rules) 2407840 - ET RBN Known Russian Business Network IP TCP - BLOCKING (421) (emerging-rbn-BLOCK.rules) 2407841 - ET RBN Known Russian Business Network IP UDP - BLOCKING (421) (emerging-rbn-BLOCK.rules) 2407842 - ET RBN Known Russian Business Network IP TCP - BLOCKING (422) (emerging-rbn-BLOCK.rules) 2407843 - ET RBN Known Russian Business Network IP UDP - BLOCKING (422) (emerging-rbn-BLOCK.rules) 2407844 - ET RBN Known Russian Business Network IP TCP - BLOCKING (423) (emerging-rbn-BLOCK.rules) 2407845 - ET RBN Known Russian Business Network IP UDP - BLOCKING (423) (emerging-rbn-BLOCK.rules) 2407846 - ET RBN Known Russian Business Network IP TCP - BLOCKING (424) (emerging-rbn-BLOCK.rules) 2407847 - ET RBN Known Russian Business Network IP UDP - BLOCKING (424) (emerging-rbn-BLOCK.rules) 2407848 - ET RBN Known Russian Business Network IP TCP - BLOCKING (425) (emerging-rbn-BLOCK.rules) 2407849 - ET RBN Known Russian Business Network IP UDP - BLOCKING (425) (emerging-rbn-BLOCK.rules) 2407850 - ET RBN Known Russian Business Network IP TCP - BLOCKING (426) (emerging-rbn-BLOCK.rules) 2407851 - ET RBN Known Russian Business Network IP UDP - BLOCKING (426) (emerging-rbn-BLOCK.rules) 2407852 - ET RBN Known Russian Business Network IP TCP - BLOCKING (427) (emerging-rbn-BLOCK.rules) 2407853 - ET RBN Known Russian Business Network IP UDP - BLOCKING (427) 
(emerging-rbn-BLOCK.rules) 2407854 - ET RBN Known Russian Business Network IP TCP - BLOCKING (428) (emerging-rbn-BLOCK.rules) 2407855 - ET RBN Known Russian Business Network IP UDP - BLOCKING (428) (emerging-rbn-BLOCK.rules) 2407856 - ET RBN Known Russian Business Network IP TCP - BLOCKING (429) (emerging-rbn-BLOCK.rules) 2407857 - ET RBN Known Russian Business Network IP UDP - BLOCKING (429) (emerging-rbn-BLOCK.rules) 2407858 - ET RBN Known Russian Business Network IP TCP - BLOCKING (430) (emerging-rbn-BLOCK.rules) 2407859 - ET RBN Known Russian Business Network IP UDP - BLOCKING (430) (emerging-rbn-BLOCK.rules) 2407860 - ET RBN Known Russian Business Network IP TCP - BLOCKING (431) (emerging-rbn-BLOCK.rules) 2407861 - ET RBN Known Russian Business Network IP UDP - BLOCKING (431) (emerging-rbn-BLOCK.rules) 2407862 - ET RBN Known Russian Business Network IP TCP - BLOCKING (432) (emerging-rbn-BLOCK.rules) 2407863 - ET RBN Known Russian Business Network IP UDP - BLOCKING (432) (emerging-rbn-BLOCK.rules) 2407864 - ET RBN Known Russian Business Network IP TCP - BLOCKING (433) (emerging-rbn-BLOCK.rules) 2407865 - ET RBN Known Russian Business Network IP UDP - BLOCKING (433) (emerging-rbn-BLOCK.rules) 2407866 - ET RBN Known Russian Business Network IP TCP - BLOCKING (434) (emerging-rbn-BLOCK.rules) 2407867 - ET RBN Known Russian Business Network IP UDP - BLOCKING (434) (emerging-rbn-BLOCK.rules) 2407868 - ET RBN Known Russian Business Network IP TCP - BLOCKING (435) (emerging-rbn-BLOCK.rules) 2407869 - ET RBN Known Russian Business Network IP UDP - BLOCKING (435) (emerging-rbn-BLOCK.rules) 2407870 - ET RBN Known Russian Business Network IP TCP - BLOCKING (436) (emerging-rbn-BLOCK.rules) 2407871 - ET RBN Known Russian Business Network IP UDP - BLOCKING (436) (emerging-rbn-BLOCK.rules) 2407872 - ET RBN Known Russian Business Network IP TCP - BLOCKING (437) (emerging-rbn-BLOCK.rules) 2407873 - ET RBN Known Russian Business Network IP UDP - BLOCKING (437) 
(emerging-rbn-BLOCK.rules)
     2407874 - ET RBN Known Russian Business Network IP TCP - BLOCKING (438) (emerging-rbn-BLOCK.rules)
     2407875 - ET RBN Known Russian Business Network IP UDP - BLOCKING (438) (emerging-rbn-BLOCK.rules)
     2407876 - ET RBN Known Russian Business Network IP TCP - BLOCKING (439) (emerging-rbn-BLOCK.rules)
     2407877 - ET RBN Known Russian Business Network IP UDP - BLOCKING (439) (emerging-rbn-BLOCK.rules)
     2407878 - ET RBN Known Russian Business Network IP TCP - BLOCKING (440) (emerging-rbn-BLOCK.rules)
     2407879 - ET RBN Known Russian Business Network IP UDP - BLOCKING (440) (emerging-rbn-BLOCK.rules)
     2407880 - ET RBN Known Russian Business Network IP TCP - BLOCKING (441) (emerging-rbn-BLOCK.rules)
     2407881 - ET RBN Known Russian Business Network IP UDP - BLOCKING (441) (emerging-rbn-BLOCK.rules)
     2407882 - ET RBN Known Russian Business Network IP TCP - BLOCKING (442) (emerging-rbn-BLOCK.rules)
     2407883 - ET RBN Known Russian Business Network IP UDP - BLOCKING (442) (emerging-rbn-BLOCK.rules)
     2407884 - ET RBN Known Russian Business Network IP TCP - BLOCKING (443) (emerging-rbn-BLOCK.rules)
     2407885 - ET RBN Known Russian Business Network IP UDP - BLOCKING (443) (emerging-rbn-BLOCK.rules)
     2407886 - ET RBN Known Russian Business Network IP TCP - BLOCKING (444) (emerging-rbn-BLOCK.rules)
     2407887 - ET RBN Known Russian Business Network IP UDP - BLOCKING (444) (emerging-rbn-BLOCK.rules)
     2407888 - ET RBN Known Russian Business Network IP TCP - BLOCKING (445) (emerging-rbn-BLOCK.rules)
     2407889 - ET RBN Known Russian Business Network IP UDP - BLOCKING (445) (emerging-rbn-BLOCK.rules)
     2407890 - ET RBN Known Russian Business Network IP TCP - BLOCKING (446) (emerging-rbn-BLOCK.rules)
     2407891 - ET RBN Known Russian Business Network IP UDP - BLOCKING (446) (emerging-rbn-BLOCK.rules)
     2407892 - ET RBN Known Russian Business Network IP TCP - BLOCKING (447) (emerging-rbn-BLOCK.rules)
     2407893 - ET RBN Known Russian Business Network IP UDP - BLOCKING (447) (emerging-rbn-BLOCK.rules)
     2407894 - ET RBN Known Russian Business Network IP TCP - BLOCKING (448) (emerging-rbn-BLOCK.rules)
     2407895 - ET RBN Known Russian Business Network IP UDP - BLOCKING (448) (emerging-rbn-BLOCK.rules)
     2407896 - ET RBN Known Russian Business Network IP TCP - BLOCKING (449) (emerging-rbn-BLOCK.rules)
     2407897 - ET RBN Known Russian Business Network IP UDP - BLOCKING (449) (emerging-rbn-BLOCK.rules)
     2407898 - ET RBN Known Russian Business Network IP TCP - BLOCKING (450) (emerging-rbn-BLOCK.rules)
     2407899 - ET RBN Known Russian Business Network IP UDP - BLOCKING (450) (emerging-rbn-BLOCK.rules)
     2407900 - ET RBN Known Russian Business Network IP TCP - BLOCKING (451) (emerging-rbn-BLOCK.rules)
     2407901 - ET RBN Known Russian Business Network IP UDP - BLOCKING (451) (emerging-rbn-BLOCK.rules)
     2407902 - ET RBN Known Russian Business Network IP TCP - BLOCKING (452) (emerging-rbn-BLOCK.rules)
     2407903 - ET RBN Known Russian Business Network IP UDP - BLOCKING (452) (emerging-rbn-BLOCK.rules)
     2407904 - ET RBN Known Russian Business Network IP TCP - BLOCKING (453) (emerging-rbn-BLOCK.rules)
     2407905 - ET RBN Known Russian Business Network IP UDP - BLOCKING (453) (emerging-rbn-BLOCK.rules)
     2407906 - ET RBN Known Russian Business Network IP TCP - BLOCKING (454) (emerging-rbn-BLOCK.rules)
     2407907 - ET RBN Known Russian Business Network IP UDP - BLOCKING (454) (emerging-rbn-BLOCK.rules)
     2407908 - ET RBN Known Russian Business Network IP TCP - BLOCKING (455) (emerging-rbn-BLOCK.rules)
     2407909 - ET RBN Known Russian Business Network IP UDP - BLOCKING (455) (emerging-rbn-BLOCK.rules)
     2407910 - ET RBN Known Russian Business Network IP TCP - BLOCKING (456) (emerging-rbn-BLOCK.rules)
     2407911 - ET RBN Known Russian Business Network IP UDP - BLOCKING (456) (emerging-rbn-BLOCK.rules)
     2407912 - ET RBN Known Russian Business Network IP TCP - BLOCKING (457) (emerging-rbn-BLOCK.rules)
     2407913 - ET RBN Known Russian Business Network IP UDP - BLOCKING (457) (emerging-rbn-BLOCK.rules)
     2407914 - ET RBN Known Russian Business Network IP TCP - BLOCKING (458) (emerging-rbn-BLOCK.rules)
     2407915 - ET RBN Known Russian Business Network IP UDP - BLOCKING (458) (emerging-rbn-BLOCK.rules)
     2407916 - ET RBN Known Russian Business Network IP TCP - BLOCKING (459) (emerging-rbn-BLOCK.rules)
     2407917 - ET RBN Known Russian Business Network IP UDP - BLOCKING (459) (emerging-rbn-BLOCK.rules)
     2407918 - ET RBN Known Russian Business Network IP TCP - BLOCKING (460) (emerging-rbn-BLOCK.rules)
     2407919 - ET RBN Known Russian Business Network IP UDP - BLOCKING (460) (emerging-rbn-BLOCK.rules)
     2407920 - ET RBN Known Russian Business Network IP TCP - BLOCKING (461) (emerging-rbn-BLOCK.rules)
     2407921 - ET RBN Known Russian Business Network IP UDP - BLOCKING (461) (emerging-rbn-BLOCK.rules)
     2407922 - ET RBN Known Russian Business Network IP TCP - BLOCKING (462) (emerging-rbn-BLOCK.rules)
     2407923 - ET RBN Known Russian Business Network IP UDP - BLOCKING (462) (emerging-rbn-BLOCK.rules)
     2407924 - ET RBN Known Russian Business Network IP TCP - BLOCKING (463) (emerging-rbn-BLOCK.rules)
     2407925 - ET RBN Known Russian Business Network IP UDP - BLOCKING (463) (emerging-rbn-BLOCK.rules)
     2407926 - ET RBN Known Russian Business Network IP TCP - BLOCKING (464) (emerging-rbn-BLOCK.rules)
     2407927 - ET RBN Known Russian Business Network IP UDP - BLOCKING (464) (emerging-rbn-BLOCK.rules)
     2407928 - ET RBN Known Russian Business Network IP TCP - BLOCKING (465) (emerging-rbn-BLOCK.rules)
     2407929 - ET RBN Known Russian Business Network IP UDP - BLOCKING (465) (emerging-rbn-BLOCK.rules)
     2407930 - ET RBN Known Russian Business Network IP TCP - BLOCKING (466) (emerging-rbn-BLOCK.rules)
     2407931 - ET RBN Known Russian Business Network IP UDP - BLOCKING (466) (emerging-rbn-BLOCK.rules)
     2407932 - ET RBN Known Russian Business Network IP TCP - BLOCKING (467) (emerging-rbn-BLOCK.rules)
     2407933 - ET RBN Known Russian Business Network IP UDP - BLOCKING (467) (emerging-rbn-BLOCK.rules)
     2407934 - ET RBN Known Russian Business Network IP TCP - BLOCKING (468) (emerging-rbn-BLOCK.rules)
     2407935 - ET RBN Known Russian Business Network IP UDP - BLOCKING (468) (emerging-rbn-BLOCK.rules)
     2407936 - ET RBN Known Russian Business Network IP TCP - BLOCKING (469) (emerging-rbn-BLOCK.rules)
     2407937 - ET RBN Known Russian Business Network IP UDP - BLOCKING (469) (emerging-rbn-BLOCK.rules)
     2407938 - ET RBN Known Russian Business Network IP TCP - BLOCKING (470) (emerging-rbn-BLOCK.rules)
     2407939 - ET RBN Known Russian Business Network IP UDP - BLOCKING (470) (emerging-rbn-BLOCK.rules)
     2407940 - ET RBN Known Russian Business Network IP TCP - BLOCKING (471) (emerging-rbn-BLOCK.rules)
     2407941 - ET RBN Known Russian Business Network IP UDP - BLOCKING (471) (emerging-rbn-BLOCK.rules)
     2407942 - ET RBN Known Russian Business Network IP TCP - BLOCKING (472) (emerging-rbn-BLOCK.rules)
     2407943 - ET RBN Known Russian Business Network IP UDP - BLOCKING (472) (emerging-rbn-BLOCK.rules)
     2407944 - ET RBN Known Russian Business Network IP TCP - BLOCKING (473) (emerging-rbn-BLOCK.rules)
     2407945 - ET RBN Known Russian Business Network IP UDP - BLOCKING (473) (emerging-rbn-BLOCK.rules)
     2407946 - ET RBN Known Russian Business Network IP TCP - BLOCKING (474) (emerging-rbn-BLOCK.rules)
     2407947 - ET RBN Known Russian Business Network IP UDP - BLOCKING (474) (emerging-rbn-BLOCK.rules)
     2407948 - ET RBN Known Russian Business Network IP TCP - BLOCKING (475) (emerging-rbn-BLOCK.rules)
     2407949 - ET RBN Known Russian Business Network IP UDP - BLOCKING (475) (emerging-rbn-BLOCK.rules)
     2407950 - ET RBN Known Russian Business Network IP TCP - BLOCKING (476) (emerging-rbn-BLOCK.rules)
     2407951 - ET RBN Known Russian Business Network IP UDP - BLOCKING (476) (emerging-rbn-BLOCK.rules)
     2407952 - ET RBN Known Russian Business Network IP TCP - BLOCKING (477) (emerging-rbn-BLOCK.rules)
     2407953 - ET RBN Known Russian Business Network IP UDP - BLOCKING (477) (emerging-rbn-BLOCK.rules)
     2407954 - ET RBN Known Russian Business Network IP TCP - BLOCKING (478) (emerging-rbn-BLOCK.rules)
     2407955 - ET RBN Known Russian Business Network IP UDP - BLOCKING (478) (emerging-rbn-BLOCK.rules)
     2407956 - ET RBN Known Russian Business Network IP TCP - BLOCKING (479) (emerging-rbn-BLOCK.rules)
     2407957 - ET RBN Known Russian Business Network IP UDP - BLOCKING (479) (emerging-rbn-BLOCK.rules)

[+++]          Added non-rule lines:          [+++]

    -> Added to emerging-attack_response.rules (1):
        # $Id: emerging-attack_response.rules $
    -> Added to emerging-current_events.rules (2):
        # $Id: emerging-current_events.rules $
        #by evilghost 11/2/09
    -> Added to emerging-dos.rules (1):
        # $Id: emerging-dos.rules $
    -> Added to emerging-exploit.rules (1):
        # $Id: emerging-exploit.rules $
    -> Added to emerging-game.rules (1):
        # $Id: emerging-game.rules $
    -> Added to emerging-inappropriate.rules (1):
        # $Id: emerging-inappropriate.rules $
    -> Added to emerging-malware.rules (1):
        # $Id: emerging-malware.rules $
    -> Added to emerging-p2p.rules (1):
        # $Id: emerging-p2p.rules $
    -> Added to emerging-policy.rules (1):
        # $Id: emerging-policy.rules $
    -> Added to emerging-rbn-BLOCK.rules (2):
        # VERSION 152
        # Updated 2009-11-02 15:18:31
    -> Added to emerging-rbn.rules (2):
        # VERSION 152
        # Updated 2009-11-02 15:18:31
    -> Added to emerging-scan.rules (1):
        # $Id: emerging-scan.rules $
    -> Added to emerging-sid-msg.map (30):
        2010221 || ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) || url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss
        2010222 || ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi || url,malwareurl.com
        2010223 || ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt || url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb || url,www.securityfocus.com/bid/29716/info
        2010224 || ET TROJAN Opachki Link Hijacker Traffic Redirection || url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A || url,www.secureworks.com/research/threats/opachki/?threat=opachki
        2010225 || ET TROJAN Palevo/BFBot/Mariposa client join attempt
        2010226 || ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement
        2406958 || ET RBN Known Russian Business Network IP TCP (480) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406959 || ET RBN Known Russian Business Network IP UDP (480) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406960 || ET RBN Known Russian Business Network IP TCP (481) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406961 || ET RBN Known Russian Business Network IP UDP (481) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406962 || ET RBN Known Russian Business Network IP TCP (482) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406963 || ET RBN Known Russian Business Network IP UDP (482) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406964 || ET RBN Known Russian Business Network IP TCP (483) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406965 || ET RBN Known Russian Business Network IP UDP (483) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406966 || ET RBN Known Russian Business Network IP TCP (484) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406967 || ET RBN Known Russian Business Network IP UDP (484) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406968 || ET RBN Known Russian Business Network IP TCP (485) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406969 || ET RBN Known Russian Business Network IP UDP (485) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407958 || ET RBN Known Russian Business Network IP TCP - BLOCKING (480) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407959 || ET RBN Known Russian Business Network IP UDP - BLOCKING (480) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407960 || ET RBN Known Russian Business Network IP TCP - BLOCKING (481) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407961 || ET RBN Known Russian Business Network IP UDP - BLOCKING (481) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407962 || ET RBN Known Russian Business Network IP TCP - BLOCKING (482) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407963 || ET RBN Known Russian Business Network IP UDP - BLOCKING (482) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407964 || ET RBN Known Russian Business Network IP TCP - BLOCKING (483) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407965 || ET RBN Known Russian Business Network IP UDP - BLOCKING (483) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407966 || ET RBN Known Russian Business Network IP TCP - BLOCKING (484) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407967 || ET RBN Known Russian Business Network IP UDP - BLOCKING (484) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407968 || ET RBN Known Russian Business Network IP TCP - BLOCKING (485) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407969 || ET RBN Known Russian Business Network IP UDP - BLOCKING (485) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    -> Added to emerging-sid-msg.map.txt (30):
        2010221 || ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) || url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss
        2010222 || ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi || url,malwareurl.com
        2010223 || ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt || url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb || url,www.securityfocus.com/bid/29716/info
        2010224 || ET TROJAN Opachki Link Hijacker Traffic Redirection || url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A || url,www.secureworks.com/research/threats/opachki/?threat=opachki
        2010225 || ET TROJAN Palevo/BFBot/Mariposa client join attempt
        2010226 || ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement
        2406958 || ET RBN Known Russian Business Network IP TCP (480) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406959 || ET RBN Known Russian Business Network IP UDP (480) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406960 || ET RBN Known Russian Business Network IP TCP (481) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406961 || ET RBN Known Russian Business Network IP UDP (481) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406962 || ET RBN Known Russian Business Network IP TCP (482) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406963 || ET RBN Known Russian Business Network IP UDP (482) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406964 || ET RBN Known Russian Business Network IP TCP (483) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406965 || ET RBN Known Russian Business Network IP UDP (483) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406966 || ET RBN Known Russian Business Network IP TCP (484) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406967 || ET RBN Known Russian Business Network IP UDP (484) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406968 || ET RBN Known Russian Business Network IP TCP (485) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406969 || ET RBN Known Russian Business Network IP UDP (485) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407958 || ET RBN Known Russian Business Network IP TCP - BLOCKING (480) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407959 || ET RBN Known Russian Business Network IP UDP - BLOCKING (480) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407960 || ET RBN Known Russian Business Network IP TCP - BLOCKING (481) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407961 || ET RBN Known Russian Business Network IP UDP - BLOCKING (481) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407962 || ET RBN Known Russian Business Network IP TCP - BLOCKING (482) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407963 || ET RBN Known Russian Business Network IP UDP - BLOCKING (482) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407964 || ET RBN Known Russian Business Network IP TCP - BLOCKING (483) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407965 || ET RBN Known Russian Business Network IP UDP - BLOCKING (483) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407966 || ET RBN Known Russian Business Network IP TCP - BLOCKING (484) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407967 || ET RBN Known Russian Business Network IP UDP - BLOCKING (484) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407968 || ET RBN Known Russian Business Network IP TCP - BLOCKING (485) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407969 || ET RBN Known Russian Business Network IP UDP - BLOCKING (485) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    -> Added to emerging-user_agents.rules (1):
        # $Id: emerging-user_agents.rules $
    -> Added to emerging-virus.rules (3):
        # $Id: emerging-virus.rules $
        #by kevin ross
        #anonymous writer, sent in by Russell Fulton
    -> Added to emerging-voip.rules (1):
        # $Id: emerging-voip.rules $
    -> Added to emerging-web.rules (1):
        # $Id: emerging-web.rules $
    -> Added to emerging-web_client.rules (1):
        # $Id: emerging-web_client.rules $
    -> Added to emerging-web_server.rules (1):
        # $Id: emerging-web-server.rules $
    -> Added to emerging-web_specific_apps.rules (1):
        # $Id: emerging-web_specific_apps.rules $
    -> Added to emerging-web_sql_injection.rules (1):
        # $Id: emerging-web_sql_injection.rules $
    -> Added to emerging.rules (1):
        # $Id: emerging.rules $

[---]        Removed non-rule lines:        [---]

    -> Removed from emerging-rbn-BLOCK.rules (2):
        # VERSION 151
        # Updated 2009-10-27 12:56:10
    -> Removed from emerging-rbn.rules (2):
        # VERSION 151
        # Updated 2009-10-27 12:56:10
    -> Removed from emerging-sid-msg.map (2):
        2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
        2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
    -> Removed from emerging-sid-msg.map.txt (2):
        2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
        2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org

From evilghost at packetmail.net  Mon Nov  2 16:15:37 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 2 Nov 2009 15:15:37 -0600
Subject: [Emerging-Sigs] Proposed Signature, ET Policy Windows 7
Message-ID: <4AEF4BF9.3070608@packetmail.net>

While not really a direct security concern, there are some organizations which strictly control version upgrades/permitted OSes on the network. I propose the below ET POLICY signature for Windows 7.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Microsoft Windows 7 User-Agent detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible; "; nocase; content:"|3b 20|Windows NT 6.1|3b 20|"; distance:0; within:40; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.mspx; classtype:policy-violation; sid:2009xxxx; rev:1;)

-evilghost

From greg at netpublishing.com  Mon Nov  2 17:13:12 2009
From: greg at netpublishing.com (Gregory W. MacPherson)
Date: Mon, 2 Nov 2009 14:13:12 -0800
Subject: [Emerging-Sigs] Proposed Signature, ET Policy Windows 7
In-Reply-To: <4AEF4BF9.3070608@packetmail.net>
References: <4AEF4BF9.3070608@packetmail.net>
Message-ID: <20091102221312.GA49046@b2.datasieve.net>

Actually, that mspx URL doesn't appear to be active -

server% telnet www.microsoft.com 80
Trying 65.55.21.250...
Connected to lb1.www.ms.akadns.net.
Escape character is '^]'.
GET /windows/windows-7/default.mspx HTTP/1.0

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: .ASPXANONYMOUS=74cPUZuSygEkAAAAMTgwM2IwZDAtOTBhNi00YWExLWExNzQtMTRhODE0YjM0YTA2cA5trsgZsIuhkGDmpw1jFkxsdw41; expires=Mon, 11-Jan-2010 08:51:51 GMT; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Mon, 02 Nov 2009 22:11:51 GMT
Connection: keep-alive
Content-Length: 124

Connection closed by foreign host.

You might want to double check that URL.

-- Greg

On or about 2009.11.02 15:15:37 +0000, evilghost at packetmail.net (evilghost at packetmail.net) said:
> While not really a direct security concern there are some organizations
> which strictly control version upgrades/permitted OSes on the network.
> I propose the below ET POLICY signature for Windows 7.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Microsoft Windows 7 User-Agent detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible; "; nocase; content:"|3b 20|Windows NT 6.1|3b 20|"; distance:0; within:40; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.mspx; classtype:policy-violation; sid:2009xxxx; rev:1;)
>
> -evilghost
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
Gregory W. MacPherson
Global Network Exploitation Specialist, CISSP
http://www.datasieve.net/greg/

"We are a nation that has a government - not the other way around. And this makes us special among the nations of the Earth. Our government has no power except that granted to it by the people. It is time to check and reverse the growth of government, which shows signs of having grown beyond the consent of the governed." - Ronald Reagan, 1981

From kevross33 at googlemail.com  Mon Nov  2 17:35:24 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 2 Nov 2009 22:35:24 +0000
Subject: [Emerging-Sigs] SIG:Cherokee Web Server GET AUX DOS
In-Reply-To: <4AEF3B8C.1090105@jonkmans.com>
References: <4AEF3B8C.1090105@jonkmans.com>

No idea, I think it isn't, but a nocase doesn't hurt I suppose. I think I have matched the vulnerability ok. The one thing that got me was the variable (as my Perl isn't too extensive): it was a line like GET /".$BADTHING." HTTP/1.1. Now the bad thing was the GET request for the AUX. However, I am unsure whether the . on either side is Perl or related to the vulnerability. Like, should it become GET |2F 2E|AUX|2E| HTTP|2F|1|2E| ?

I know the quotations are for the variable (which is what also adds credence to it not being case sensitive, as it is a variable where it is the AUX GET request that causes the crash; the only reason I can think of for it being a variable is case).

2009/11/2 Matt Jonkman
> Is the vulnerability case sensitive?
>
> Matt
>
> Kevin Ross wrote:
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; classtype:attempted-dos; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; sid:1100001; rev:1;)
> >
> > Simple sig for this. Comments anyone?
> >
> > Kev
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
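To make the content-modifier semantics of the two rules above concrete (the `nocase` first content chained to a `distance:0; within:40` second content in the Windows 7 User-Agent rule, and the `nocase; depth:16` anchor in the Cherokee GET /AUX rule), here is an added Python example. It is not code from the list, from Emerging Threats or from Snort: it re-implements only those four modifiers plus `threshold:type limit, track by_src` and runs the two rules exactly as posted over HTTP requests constructed for the example. The sample requests, timestamps and source addresses are made up, and the rules' `|hex|` escapes are written as byte literals.

```python
"""Mini Snort-style content matcher for the Windows 7 User-Agent and
Cherokee GET /AUX rules posted to the list.

Added example, not code from the list, Emerging Threats or Snort. It
implements only the modifiers those two rules use (nocase, depth,
distance, within) and threshold:type limit, track by_src.
"""
from collections import defaultdict


def find_content(payload, content, prev_end=0):
    """Search one content pattern Snort-style; return the offset just past
    the match, or -1 if it is not found.

    content keys: pattern (bytes), nocase, depth, distance, within.
    """
    hay, pat = payload, content["pattern"]
    if content.get("nocase"):
        hay, pat = hay.lower(), pat.lower()
    if "distance" in content or "within" in content:
        # Relative to the previous match: skip `distance` bytes, then the
        # whole pattern must fit inside the next `within` bytes.
        lo = prev_end + content.get("distance", 0)
        hi = lo + content["within"] if "within" in content else len(hay)
    else:
        # Absolute: `depth` limits the search to the first N payload bytes.
        lo, hi = 0, content.get("depth", len(hay))
    idx = hay.find(pat, lo, hi)
    return -1 if idx < 0 else idx + len(pat)


def rule_matches(payload, contents):
    """Every content must match in order, each chained off the previous end."""
    prev_end = 0
    for content in contents:
        prev_end = find_content(payload, content, prev_end)
        if prev_end < 0:
            return False
    return True


# The two rules as posted, with |hex| escapes written as byte literals.
WIN7_UA = [
    {"pattern": b"\r\nUser-Agent: Mozilla/4.0 (compatible; ", "nocase": True},
    # The posted rule has no nocase here, so this content is case-sensitive.
    {"pattern": b"; Windows NT 6.1; ", "distance": 0, "within": 40},
]
CHEROKEE_AUX = [
    # A 16-byte pattern with depth:16 can only match at offset 0.
    {"pattern": b"GET /AUX HTTP/1.", "nocase": True, "depth": 16},
]
RULES = {"win7_ua": WIN7_UA, "cherokee_aux": CHEROKEE_AUX}


class LimitThreshold:
    """threshold:type limit, track by_src, seconds N, count M:
    alert on the first M events per source in each N-second window."""

    def __init__(self, seconds=60, count=1):
        self.seconds, self.count = seconds, count
        self.windows = defaultdict(lambda: [None, 0])  # src -> [start, hits]

    def allow(self, src, now):
        start, hits = self.windows[src]
        if start is None or now - start >= self.seconds:
            self.windows[src] = [now, 1]
            return True
        self.windows[src][1] = hits + 1
        return hits + 1 <= self.count


# Constructed sample requests (made up for this example, not captures).
UA = b"GET / HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/4.0 (compatible; "
SAMPLES = {
    "ie8_win7": UA + b"MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n\r\n",
    "ie8_win7_lower": UA + b"MSIE 8.0; windows nt 6.1; Trident/4.0)\r\n\r\n",
    "ie7_vista": UA + b"MSIE 7.0; Windows NT 6.0)\r\n\r\n",
    "cherokee_aux": b"GET /AUX HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "cherokee_aux_lower": b"get /aux http/1.0\r\nHost: www.example\r\n\r\n",
    "cherokee_nested": b"GET /docs/AUX HTTP/1.1\r\nHost: www.example\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to the list of rule names that fire on it."""
    return {name: [r for r, c in RULES.items() if rule_matches(p, c)]
            for name, p in samples.items()}


# Constructed (timestamp_seconds, source, payload) events for the threshold.
EVENTS = [
    (0, "10.0.0.5", SAMPLES["ie8_win7"]),
    (30, "10.0.0.5", SAMPLES["ie8_win7"]),   # suppressed: same 60 s window
    (45, "10.0.0.9", SAMPLES["ie8_win7"]),   # different source, alerts
    (61, "10.0.0.5", SAMPLES["ie8_win7"]),   # new window, alerts again
]


def win7_alert_times(events=EVENTS, seconds=60):
    """Timestamps at which the Windows 7 rule alerts after thresholding."""
    limiter = LimitThreshold(seconds=seconds, count=1)
    return [ts for ts, src, payload in events
            if rule_matches(payload, WIN7_UA) and limiter.allow(src, ts)]


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:20s} -> {fired or 'no alert'}")
    print("win7_ua alerts at", win7_alert_times())
```

Two things the run makes visible that the rule text alone does not: the second content of the Windows 7 rule carries no `nocase`, so a client sending `windows nt 6.1` in lower case slips past it while the `nocase` first content still matches; and because the Cherokee pattern is exactly 16 bytes long, `depth:16` pins it to the very start of the request, so `GET /docs/AUX` does not fire but `get /aux http/1.0` does. The threshold keeps one alert per source per 60 seconds, which is why the 30-second repeat from 10.0.0.5 is dropped and the 61-second one is not.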
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091102/d6044688/attachment.html From evilghost at packetmail.net Mon Nov 2 17:53:44 2009 From: evilghost at packetmail.net (evilghost@packetmail.net) Date: Mon, 2 Nov 2009 16:53:44 -0600 Subject: [Emerging-Sigs] Proposed Signature, ET Policy Windows 7 In-Reply-To: <20091102221312.GA49046@b2.datasieve.net> References: <4AEF4BF9.3070608@packetmail.net> <20091102221312.GA49046@b2.datasieve.net> Message-ID: <4AEF62F8.2020302@packetmail.net> Odd, that's what it was originally. It's now http://www.microsoft.com/windows/windows-7/default.aspx (really, was .mspx, not a typo.) Thanks. Gregory W. MacPherson wrote: > Actually, that mspx URL doesn't appear to be active - > > server% telnet www.microsoft.com 80 > Trying 65.55.21.250... > Connected to lb1.www.ms.akadns.net. > Escape character is '^]'. > GET /windows/windows-7/default.mspx HTTP/1.0 > > HTTP/1.1 200 OK > Cache-Control: private > Content-Type: text/html; charset=utf-8 > Server: Microsoft-IIS/7.5 > Set-Cookie: > .ASPXANONYMOUS=74cPUZuSygEkAAAAMTgwM2IwZDAtOTBhNi00YWExLWExNzQtMTRhODE0YjM0YTA2cA5trsgZsIuhkGDmpw1jFkxsdw41; > expires=Mon, 11-Jan-2010 08:51:51 GMT; path=/; HttpOnly > X-AspNet-Version: 2.0.50727 > P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo > OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" > X-Powered-By: ASP.NET > Date: Mon, 02 Nov 2009 22:11:51 GMT > Connection: keep-alive > Content-Length: 124 > > content="0;url=http://www.microsoft.com/err/windows/windows-7/default">Connection > closed by foreign host. > > You might want to double check that URL. > > -- Greg > > On or about 2009.11.02 15:15:37 +0000, evilghost at packetmail.net (evilghost at packetmail.net) said: > > >> While not really a direct security concern there are some organizations >> which strictly control version upgrades/permitted OSes on the network. >> I propose the below ET POLICY signature for Windows 7. 
>> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY >> Microsoft Windows 7 User-Agent detected"; flow:established,to_server; >> content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible; "; nocase; >> content:"|3b 20|Windows NT 6.1|3b 20|"; distance:0; within:40; >> threshold:type limit, track by_src, seconds 60, count 1; >> reference:url,www.microsoft.com/windows/windows-7/default.mspx; >> classtype:policy-violation; sid:2009xxxx; rev:1;) >> >> -evilghost >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> > > From jim.mcquaid at gmail.com Mon Nov 2 18:23:22 2009 From: jim.mcquaid at gmail.com (James McQuaid) Date: Mon, 2 Nov 2009 18:23:22 -0500 Subject: [Emerging-Sigs] Opachki Message-ID: This is Alex Tramp; he's the well known criminal behind the notorious loads.cc, bestglobex.com (bank fraud), various rogue sites, google-redirect.com, etc. If any of you run into him, please give him the business end. Thank you, James > Message: 1 > Date: Mon, 02 Nov 2009 15:19:18 -0500 > From: Matt Jonkman > Subject: Re: [Emerging-Sigs] Opachki sig > To: Darren Spruell > Cc: Emerging Threats Signatures > Message-ID: <4AEF3EC6.2000005 at jonkmans.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Posted, thanks Darren! 
> > Matt > > Darren Spruell wrote: >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >> Opachki Link Hijacker Traffic Redirection"; >> flow:established,to_server; uricontent:"/?do=rphp"; nocase; >> uricontent:"&sub="; nocase; uricontent:"&b="; nocase; >> uricontent:"&q="; nocase; uricontent:"&orig="; nocase; >> classtype:trojan-activity; >> reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; >> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; >> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; >> sid:XXXXXXX; rev:1;) >> >> Outstanding analysis/writeup from SecureWorks. James McQuaid From frank at knobbe.us Mon Nov 2 19:34:21 2009 From: frank at knobbe.us (Frank Knobbe) Date: Mon, 02 Nov 2009 18:34:21 -0600 Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update In-Reply-To: <4AEEEA38.3040109@packetmail.net> References: <4AEEEA38.3040109@packetmail.net> Message-ID: <1257208461.83224.6.camel@localhost> On Mon, 2009-11-02 at 08:18 -0600, evilghost at packetmail.net wrote: > I really like getting this list. Based on the list below, it looks like > we can likely sig with some confidence the pepsi redirect, possibly the > installer.exe stuff too. Case-sensitive matching intentionally to avoid > false positives. Well, what you will be matching are possible download requests of the malware. To be honest, I'm getting a bit concerned that we're adding a lot of sigs of Possible This, Possible That. Instead of matching download attempts we should be matching traffic that the malware actually generates when SUCCESSFULLY installed. I think the value of the signature set is decreasing by all these Possible sigs. In my repo, I'll be soon starting my own category/rulesfile for Possible stuff that I can activate on research sensors but not production sensors where I can't afford to spend a lot of time chasing FPs. 
(I just had too many cases where we got alerts but malware didn't get installed, so the whole run-around was useless. I mean, it's good to check that nothing got installed, but geesh, with my user population, I just can't afford chasing all those Possible. Give me Real Alerts please :) -Frank -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 188 bytes Desc: This is a digitally signed message part Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091102/d80c85b7/attachment.bin From wkitty42 at windstream.net Mon Nov 2 21:55:28 2009 From: wkitty42 at windstream.net (waldo kitty) Date: Mon, 02 Nov 2009 21:55:28 -0500 Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update In-Reply-To: <1257208461.83224.6.camel@localhost> References: <4AEEEA38.3040109@packetmail.net> <1257208461.83224.6.camel@localhost> Message-ID: <4AEF9BA0.9050205@windstream.net> Frank Knobbe wrote: > Well, what you will be matching are possible download requests of the > malware. To be honest, I'm getting a bit concerned that we're adding a > lot of sigs of Possible This, Possible That. Instead of matching > download attempts we should be matching traffic that the malware > actually generates when SUCCESSFULLY installed. I think the value of the > signature set is decreasing by all these Possible sigs. on the one hand, i agree... on the other hand, i don't want the friggin' things to get installed on any machines connected to my network(s)... 
much better to cut them off at the pass before they get a chance to get into town and get holed up somewheres ;) From evilghost at packetmail.net Mon Nov 2 23:00:56 2009 From: evilghost at packetmail.net (evilghost@packetmail.net) Date: Mon, 2 Nov 2009 22:00:56 -0600 Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update In-Reply-To: <1257208461.83224.6.camel@localhost> References: <4AEEEA38.3040109@packetmail.net> <1257208461.83224.6.camel@localhost> Message-ID: <4AEFAAF8.3040907@packetmail.net> I disagree. The Gemini sig, we see on a daily basis, and we catch *downloads*. Programmatic download is sig-worthy IMHO since it means exploitation was a vector. Our hands our tied with regard to detection capability -- we don't have a viable method for programmatic analysis of obfuscated JavaScript. I'd rather sig a *possible* download to have it match later on than zero-potential of detection because we're hiding under an umbrella of pseudo-performance gains by not having a signature. Gemini, they've ramped up in the last week. We're seeing fast-flux and multiple FQDNs. Frank, if you have craft a system that only alerts me on positive infection/download while at the same time avoid gross false negatives just let me know where to send the check, of course in doing so you'll obsolete a fair amount of IDS/IPS in the process :) -evilghost Frank Knobbe wrote: > On Mon, 2009-11-02 at 08:18 -0600, evilghost at packetmail.net wrote: > >> I really like getting this list. Based on the list below, it looks like >> we can likely sig with some confidence the pepsi redirect, possibly the >> installer.exe stuff too. Case-sensitive matching intentionally to avoid >> false positives. >> > > Well, what you will be matching are possible download requests of the > malware. To be honest, I'm getting a bit concerned that we're adding a > lot of sigs of Possible This, Possible That. 
Instead of matching > download attempts we should be matching traffic that the malware > actually generates when SUCCESSFULLY installed. I think the value of the > signature set is decreasing by all these Possible sigs. > > In my repo, I'll be soon starting my own category/rulesfile for Possible > stuff that I can activate on research sensors but not production sensors > where I can't afford to spend a lot of time chasing FPs. (I just had too > many cases where we got alerts but malware didn't get installed, so the > whole run-around was useless. I mean, it's good to check that nothing > got installed, but geesh, with my user population, I just can't afford > chasing all those Possible. Give me Real Alerts please :) > > -Frank > > From kevross33 at googlemail.com Tue Nov 3 06:35:06 2009 From: kevross33 at googlemail.com (Kevin Ross) Date: Tue, 3 Nov 2009 11:35:06 +0000 Subject: [Emerging-Sigs] SIG:Altiris ConsoleUtilities ActiveX Buffer Overflow Message-ID: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; classtype:attempted-user; reference:url, www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url, sotiriu.de/adv/NSOADV-2009-001.txt; reference:cve,2009-3031; sid:140000001; rev:1;) Tested and working, Kev -------------- next part -------------- An HTML attachment was scrubbed... 
From jonkman at jonkmans.com Tue Nov 3 08:11:05 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 03 Nov 2009 08:11:05 -0500
Subject: [Emerging-Sigs] SIG:Altiris ConsoleUtilities ActiveX Buffer Overflow
In-Reply-To:
References:
Message-ID: <4AF02BE9.8010405@jonkmans.com>

Posted!

Kevin Ross wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX
> Control BrowseAndSaveFile Method Buffer Overflow Attempt";
> flow:established,from_server; content:"clsid"; nocase;
> content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0;
> content:"BrowseAndSaveFile"; nocase;
> pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si";
> classtype:attempted-user;
> reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00;
> reference:url,www.securityfocus.com/bid/36698/info;
> reference:url,sotiriu.de/adv/NSOADV-2009-001.txt;
> reference:cve,2009-3031;
> sid:140000001; rev:1;)
>
> Tested and working,
> Kev
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Nov 3 08:41:27 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 03 Nov 2009 08:41:27 -0500
Subject: [Emerging-Sigs] Proposed Signature, ET Policy Windows 7
In-Reply-To: <4AEF62F8.2020302@packetmail.net>
References: <4AEF4BF9.3070608@packetmail.net> <20091102221312.GA49046@b2.datasieve.net> <4AEF62F8.2020302@packetmail.net>
Message-ID: <4AF03307.2000608@jonkmans.com>

Posted but off by default. Thanks!

Matt

evilghost at packetmail.net wrote:
> Odd, that's what it was originally. It's now
> http://www.microsoft.com/windows/windows-7/default.aspx (really, was
> .mspx, not a typo.)
>
> Thanks.
>
> Gregory W. MacPherson wrote:
>> Actually, that mspx URL doesn't appear to be active -
>>
>> server% telnet www.microsoft.com 80
>> Trying 65.55.21.250...
>> Connected to lb1.www.ms.akadns.net.
>> Escape character is '^]'.
>> GET /windows/windows-7/default.mspx HTTP/1.0
>>
>> HTTP/1.1 200 OK
>> Cache-Control: private
>> Content-Type: text/html; charset=utf-8
>> Server: Microsoft-IIS/7.5
>> Set-Cookie: .ASPXANONYMOUS=74cPUZuSygEkAAAAMTgwM2IwZDAtOTBhNi00YWExLWExNzQtMTRhODE0YjM0YTA2cA5trsgZsIuhkGDmpw1jFkxsdw41; expires=Mon, 11-Jan-2010 08:51:51 GMT; path=/; HttpOnly
>> X-AspNet-Version: 2.0.50727
>> P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
>> X-Powered-By: ASP.NET
>> Date: Mon, 02 Nov 2009 22:11:51 GMT
>> Connection: keep-alive
>> Content-Length: 124
>>
>> content="0;url=http://www.microsoft.com/err/windows/windows-7/default">
>> Connection closed by foreign host.
>>
>> You might want to double check that URL.
>>
>> -- Greg
>>
>> On or about 2009.11.02 15:15:37 +0000, evilghost at packetmail.net (evilghost at packetmail.net) said:
>>
>>> While not really a direct security concern there are some organizations
>>> which strictly control version upgrades/permitted OSes on the network.
>>> I propose the below ET POLICY signature for Windows 7.
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>> Microsoft Windows 7 User-Agent detected"; flow:established,to_server;
>>> content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible; "; nocase;
>>> content:"|3b 20|Windows NT 6.1|3b 20|"; distance:0; within:40;
>>> threshold:type limit, track by_src, seconds 60, count 1;
>>> reference:url,www.microsoft.com/windows/windows-7/default.mspx;
>>> classtype:policy-violation; sid:2009xxxx; rev:1;)
>>>
>>> -evilghost

From jonkman at jonkmans.com Tue Nov 3 08:47:32 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 03 Nov 2009 08:47:32 -0500
Subject: [Emerging-Sigs] SIG:Cherokee Web Server GET AUX DOS
In-Reply-To:
References: <4AEF3B8C.1090105@jonkmans.com>
Message-ID: <4AF03474.4020005@jonkmans.com>

I was thinking to avoid false positives, but nocase works as well.
Posting now, please report any false positives.

Matt

Kevin Ross wrote:
> No idea, I think it isn't but a nocase doesn't hurt I suppose. I think I
> have matched the vulnerability ok. The one thing that got me was the
> variable (as my perl isn't too extensive): it was a line like GET
> /".$BADTHING." HTTP/1.1. Now the bad thing was the get request for the
> AUX. However, I am unsure whether the . on either side is perl or
> related to the vulnerability, like should it become GET |2F 2E|AUX|2E|
> HTTP|2F|1|2E| ? I know the quotations are for the variable (which is
> what also adds credence to not being case sensitive as it is variable
> where it is the AUX get request which is what causes the crash, only
> reason I can think of it being variable is case).
>
> 2009/11/2 Matt Jonkman
>
> > Is the vulnerability case sensitive?
> >
> > Matt
> >
> > Kevin Ross wrote:
> > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> > > WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of
> > > Service Attempt"; flow:established,to_server; content:"GET |2F|AUX
> > > HTTP|2F|1|2E|"; nocase; depth:16; classtype:attempted-dos;
> > > reference:url,securitytracker.com/alerts/2009/Oct/1023095.html;
> > > reference:url,www.securityfocus.com/bid/36814/info;
> > > reference:url,www.securityfocus.com/archive/1/507456;
> > > sid:1100001; rev:1;)
> > >
> > > Simple sig for this. Comments anyone?
> > > Kev

From jonkman at jonkmans.com Tue Nov 3 09:12:30 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 03 Nov 2009 09:12:30 -0500
Subject: [Emerging-Sigs] Opachki sig
In-Reply-To: <6116b9e20911021258u45e0876ci8fd6cbfcd1d8af76@mail.gmail.com>
References: <839aec700910311301v34facdcase2aa24f4b831e67d@mail.gmail.com> <6116b9e20911020747l75cb53ebv1007b813d54dc506@mail.gmail.com> <4AEF3885.7020100@jonkmans.com> <6116b9e20911021258u45e0876ci8fd6cbfcd1d8af76@mail.gmail.com>
Message-ID: <4AF03A4E.9080809@jonkmans.com>

Very interesting! Anyone have the time to performance test this real
quick? I'm afraid this could be an unexpected load...

Matt

Mike Cox wrote:
> Hmmm, that could work. Check out
> http://www.iana.org/assignments/http-parameters and chew on this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Opachki Link Hijacker HTTP Header Injection";
> flow:established,to_server; content:"Accept-Encoding: "; http_header;
> nocase; content:!"Accept-Encoding: gzip"; http_header; nocase;
> content:!"Accept-Encoding: deflate"; http_header; nocase;
> content:!"Accept-Encoding: compress"; http_header; nocase;
> content:!"Accept-Encoding: |2a|"; http_header; nocase;
> content:!"Accept-Encoding: exi"; http_header; nocase;
> content:!"Accept-Encoding: identity"; http_header; nocase;
> content:!"Accept-Encoding: pack200-gzip"; http_header; nocase;
> pcre:"/\x0d\x0aAccept-Encoding: ([a-z0-9])\1{2,}/i";
> classtype:trojan-activity;
> reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki;
> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2;
> reference:url,http://www.iana.org/assignments/http-parameters;
> sid:XXXXXXX; rev:2;)
>
> Mike Cox
>
> On Mon, Nov 2, 2009 at 1:52 PM, Matt Jonkman wrote:
>
> > Ya, that'd be too high a load as is I think.
> >
> > Maybe we could try excluding normal encodings? Like gzip, etc? Is there
> > a small enough subset to do so?
> >
> > Matt
> >
> > Mike Cox wrote:
> > > You can also detect the injected request:
> > >
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > > Opachki Link Hijacker HTTP Header Injection";
> > > flow:established,to_server; content:"Accept-Encoding: "; http_header;
> > > nocase; pcre:"/\x0d\x0aAccept-Encoding: ([a-z0-9])\1{2,}/i";
> > > classtype:trojan-activity;
> > > reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki;
> > > reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A;
> > > reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2;
> > > sid:XXXXXXX; rev:1;)
> > >
> > > The only problem is the pcre is checked for any HTTP request with an
> > > Accept-Encoding header, which is most of them. I cannot really think of a
> > > more efficient way to detect it although I'm open to suggestions.
> > >
> > > Mike Cox
> > >
> > > On Sat, Oct 31, 2009 at 2:01 PM, Darren Spruell wrote:
> > >
> > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > > > Opachki Link Hijacker Traffic Redirection";
> > > > flow:established,to_server; uricontent:"/?do=rphp"; nocase;
> > > > uricontent:"&sub="; nocase; uricontent:"&b="; nocase;
> > > > uricontent:"&q="; nocase; uricontent:"&orig="; nocase;
> > > > classtype:trojan-activity;
> > > > reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki;
> > > > reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A;
> > > > reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2;
> > > > sid:XXXXXXX; rev:1;)
> > > >
> > > > Outstanding analysis/writeup from SecureWorks.
> > > >
> > > > --
> > > > Darren Spruell
> > > > phatbuckett at gmail.com

From jonkman at jonkmans.com Tue Nov 3 09:22:08 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 03 Nov 2009 09:22:08 -0500
Subject: [Emerging-Sigs] antispam sids
In-Reply-To: <4AEBA763.9040109@packetmail.net>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net>
Message-ID: <4AF03C90.8080104@jonkmans.com>

1. What's a codpiece and why would you punch it?

2. I agree. And speaking to all the comments on this thread:

The spam sigs are really only good if you're blocking. If you don't or
can't block they'll just be noise.

I totally agree with greylisting (45 sec delay style).
Drops a large portion of the crap. But blocking, that drops even more.

I don't exactly know how to solve the balance issue. As many need these
as there are that can't act upon the information so it's just noise.

Thoughts?

Matt

evilghost at packetmail.net wrote:
> My two cents, I've yet to see ANY Snort/IDS rule provide any meaningful
> anti-spam value. If anything, with regard to processing power, the
> converse is true. Sure, I may be apt to be proven wrong but this new
> anti-spam drive (not just on ET) has me punching my codpiece.
>
> Delay 45 seconds after MAIL FROM/RCPT TO and see how much nonsense you drop.
>
> SPAM != Security. If you haven't published SPF/DKIM/DomainKeys for your
> mail-receiving domain then you should not be allowed to propose
> anti-spam solutions :) (Not directed at anyone on the ET list, or
> anyone specific).
>
> PS: Waldo, I think I've seen you on DSLR.
>
> waldo kitty wrote:
>> mex wrote:
>>
>>> why should i have a rule to detect stuff,
>>> that mostly is rejected by the mtas?
>>>
>> to take the "pressure" off of the MTAs ;)

From wkitty42 at windstream.net Tue Nov 3 11:01:12 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 03 Nov 2009 11:01:12 -0500
Subject: [Emerging-Sigs] antispam sids
In-Reply-To: <4AF03C90.8080104@jonkmans.com>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com>
Message-ID: <4AF053C8.8030507@windstream.net>

Matt Jonkman wrote:
> 1. What's a codpiece and why would you punch it?
>
> 2. I agree. And speaking to all the comments on this thread:
>
> The spam sigs are really only good if you're blocking. If you don't or
> can't block they'll just be noise.
>
> I totally agree with greylisting (45 sec delay style). Drops a large
> portion of the crap. But blocking, that drops even more.

i agree on the live blocking... it is what i do and what the app i
maintain does :)

> I don't exactly know how to solve the balance issue. As many need these
> as there are that can't act upon the information so it's just noise.
>
> Thoughts?

stuff these into another file group that can be easily turned on and off
(used or not) in the conf file...
if there are some in that group that are needed and others that are not,
oinkmaster can disable a list of those... just make sure to fix up the
"ET CLASS" starting portion of the alert text ;)

From pepperjack at afferentsecurity.com Tue Nov 3 12:00:12 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 03 Nov 2009 11:00:12 -0600
Subject: [Emerging-Sigs] antispam sids
In-Reply-To: <4AF03C90.8080104@jonkmans.com>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com>
Message-ID: <20091103110012.4el8ffcfco88cssg@mail.afferentsecurity.com>

Quoting Matt Jonkman:

> I don't exactly know how to solve the balance issue. As many need these
> as there are that can't act upon the information so it's just noise.
> Thoughts?

What is THIS?!!? The voice of rationality and reason?!? This is a
newsgroup. I want flame!!! Muhahaha

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From pepperjack at afferentsecurity.com Tue Nov 3 15:04:15 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 03 Nov 2009 14:04:15 -0600
Subject: [Emerging-Sigs] antispam sids - first results
In-Reply-To: <4AF03C90.8080104@jonkmans.com>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com>
Message-ID: <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com>

Attached is a spreadsheet with the results of the first week after
blocking any IP address that sent me more than one DHL or
facebook_password spam.

On 10/22 I started doing a 24hr perimeter drop on any outside server
that sent me more than one DHL or facebook_password spam. The total
ingest was reduced by about 5%. Not impressive. But every single one of
those would have gone to spamassassin for processing. So since we were
already eliminating 75% of the ingest before spamassassin even gets it,
that 5% reduction of the ingest becomes about a 12% reduction of the
load going to spamassassin.

I intend to keep tweaking on this to see if there is a worthwhile case
for expanding SPAM sigs into "24hr Drop" sigs.

jp

From frank at knobbe.us Tue Nov 3 15:05:43 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 03 Nov 2009 14:05:43 -0600
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <4AEFAAF8.3040907@packetmail.net>
References: <4AEEEA38.3040109@packetmail.net> <1257208461.83224.6.camel@localhost> <4AEFAAF8.3040907@packetmail.net>
Message-ID: <1257278743.84458.16.camel@localhost>

On Mon, 2009-11-02 at 22:00 -0600, evilghost at packetmail.net wrote:
> I disagree. The Gemini sig, we see on a daily basis, and we catch
> *downloads*. Programmatic download is sig-worthy IMHO since it means
> exploitation was a vector. Our hands are tied with regard to detection
> capability -- we don't have a viable method for programmatic analysis of
> obfuscated JavaScript. I'd rather sig a *possible* download to have it
> match later on than zero-potential of detection because we're hiding
> under an umbrella of pseudo-performance gains by not having a signature.

I hear ya, but it sounds like you're turning the IDS into a web filter :)
I think there are better tools to filter out malicious downloads. (And
yes, to detect malicious domains, the sig is useful. As I said, for
research it's great, but I question the value in production.)

> Frank, if you have crafted a system that only alerts me on positive
> infection/download while at the same time avoiding gross false negatives
> just let me know where to send the check, of course in doing so you'll
> obsolete a fair amount of IDS/IPS in the process :)

Positive infection is detected with signatures that match traffic from
infected machines. :)

-Frank

From frank at knobbe.us Tue Nov 3 15:07:10 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 03 Nov 2009 14:07:10 -0600
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <4AEF9BA0.9050205@windstream.net>
References: <4AEEEA38.3040109@packetmail.net> <1257208461.83224.6.camel@localhost> <4AEF9BA0.9050205@windstream.net>
Message-ID: <1257278830.84458.18.camel@localhost>

On Mon, 2009-11-02 at 21:55 -0500, waldo kitty wrote:
> on the one hand, i agree... on the other hand, i don't want the friggin' things
> to get installed on any machines connected to my network(s)... much better to
> cut them off at the pass before they get a chance to get into town and get holed
> up somewheres ;)

But that's the point. It's only a possible download. It doesn't
guarantee installation of it.

-Frank
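Frank's point in this thread, that positive infection is detected by signatures matching traffic from infected machines, is exactly what Mike Cox's "Opachki Link Hijacker HTTP Header Injection" rule earlier in this digest does: it keys on the Accept-Encoding header the trojan injects rather than on a download. The Python below is an added example, not code from the thread or from Emerging Threats. It evaluates the option logic of the rev:2 rule (positive content match on the header name, the content:! exclusions for the registered encodings, then the pcre with the backreference) over a few constructed requests. The host name, the request names and the repeated-character header value are all made up; the value is a stand-in chosen to exercise the backreference, not a capture of real Opachki traffic.

```python
import re

# Constructed sample requests (not captured traffic). The repeated-character
# Accept-Encoding value is a stand-in for the header the trojan injects,
# chosen to exercise the rule's backreference.
SAMPLE_REQUESTS = {
    "normal": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Accept-Encoding: gzip, deflate\r\n\r\n"),
    "injected": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Accept-Encoding: xxxxxx\r\n\r\n"),
    "injected_digits": (b"GET /a HTTP/1.1\r\nHost: www.example.com\r\n"
                        b"Accept-Encoding: 7777\r\n\r\n"),
    "no_header": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Legitimate and injected header in one request: the content:! matches
    # veto this one before the pcre is ever evaluated.
    "mixed": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Accept-Encoding: gzip\r\nAccept-Encoding: xxxxxx\r\n\r\n"),
}

# The encodings excluded by the content:! matches in the rev:2 rule.
EXCLUDED_ENCODINGS = (b"gzip", b"deflate", b"compress", b"*", b"exi",
                      b"identity", b"pack200-gzip")

# The rule's pcre: one [a-z0-9] character captured, then at least two
# backreferences to it, i.e. three or more identical characters right
# after "Accept-Encoding: ".
AE_REPEAT_RE = re.compile(rb"\r\nAccept-Encoding: ([a-z0-9])\1{2,}",
                          re.IGNORECASE)


def header_block(request):
    """Request line plus headers, without any body."""
    return request.split(b"\r\n\r\n", 1)[0]


def matches_opachki_rule(request):
    """Apply the rule's option logic, in rule order, to one raw request.

    1. content:"Accept-Encoding: " (nocase) must be present.
    2. Each content:! pattern must be absent; Snort's negated content
       fails the rule if the pattern occurs anywhere in the buffer.
    3. The pcre with the backreference must match.
    """
    hdrs = header_block(request)
    lower = hdrs.lower()
    if b"accept-encoding: " not in lower:
        return False
    for enc in EXCLUDED_ENCODINGS:
        if b"accept-encoding: " + enc in lower:
            return False
    return AE_REPEAT_RE.search(hdrs) is not None


def flagged(requests):
    """Names of the sample requests the rule would alert on, sorted."""
    return sorted(name for name, req in requests.items()
                  if matches_opachki_rule(req))


if __name__ == "__main__":
    print(flagged(SAMPLE_REQUESTS))
```

Run it directly to print the names of the flagged samples. The `mixed` sample shows the price of the exclusion list Matt asked for: because a negated content vetoes on a match anywhere in the header buffer, a request that carries both the browser's normal `Accept-Encoding: gzip` line and an injected one never reaches the pcre. Whether Opachki adds a second header or replaces the original is not stated in the thread, so treat that as a blind spot to check against a real sample rather than a known miss.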
From emerging at emergingthreats.net Tue Nov 3 16:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 3 Nov 2009 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091103210013.9F00D4502E@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Nov 3 16:00:13 2009 [***]

[+++] Added rules: [+++]

2010227 - ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt (emerging-web_client.rules)
2010228 - ET POLICY Microsoft Windows 7 User-Agent detected (emerging-policy.rules)
2010229 - ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt (emerging-web_server.rules)
2010230 - ET TROJAN W32.Koblu (emerging-virus.rules)
2010231 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010232 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010233 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010234 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010235 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010236 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010237 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010238 - ET CURRENT_EVENTS
FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules) 2010239 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules) [///] Modified active rules: [///] 2008737 - ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin (emerging-virus.rules) 2008738 - ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related (emerging-virus.rules) 2008739 - ET TROJAN Conficker/MS08-067 Worm Traffic Outbound (emerging-virus.rules) 2010121 - ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection (emerging-web_specific_apps.rules) 2010122 - ET WEB_SPECIFIC NewSolved newsscript.php idneu Parameter SQL Injection (emerging-web_specific_apps.rules) 2010123 - ET WEB_SPECIFIC NewSolved newsscript.php newsid Parameter SQL Injection (emerging-web_specific_apps.rules) 2010124 - ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion (emerging-web_specific_apps.rules) 2010125 - ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion (emerging-web_specific_apps.rules) 2010126 - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion (emerging-web_specific_apps.rules) 2010127 - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion (emerging-web_specific_apps.rules) 2010129 - ET USER_AGENTS TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt) (emerging-user_agents.rules) 2010130 - ET USER_AGENTS Suspicious HTTP Request with empty User Agent (emerging-user_agents.rules) 2010131 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules) 2010132 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010133 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable 
INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules) 2010134 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010135 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules) 2010136 - ET USER_AGENTS Suspicious User-Agent (asp2009) (emerging-user_agents.rules) 2010137 - ET USER_AGENTS Suspicious User-Agent (Sme32) (emerging-user_agents.rules) 2010138 - ET TROJAN Possible Win32/Agent.QBY CnC Post (emerging-virus.rules) 2010139 - ET P2P Vuze BT Connection (emerging-p2p.rules) 2010140 - ET P2P Vuze BT UDP Connection (emerging-p2p.rules) 2010141 - ET P2P Vuze BT UDP Connection (2) (emerging-p2p.rules) 2010142 - ET P2P Vuze BT UDP Connection (3) (emerging-p2p.rules) 2010143 - ET P2P Vuze BT UDP Connection (4) (emerging-p2p.rules) 2010144 - ET P2P Vuze BT UDP Connection (5) (emerging-p2p.rules) 2010145 - ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010146 - ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010147 - ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010148 - ET CURRENT_EVENTS DHL Spam Inbound (emerging-current_events.rules) 2010149 - ET TROJAN Koobface HTTP Request (emerging-virus.rules) 2010150 - ET TROJAN Koobface HTTP Request (2) (emerging-virus.rules) 2010151 - ET TROJAN Koobface C&C availability check (emerging-virus.rules) 2010152 - ET TROJAN Koobface C&C availability check successful (emerging-virus.rules) 2010153 - ET TROJAN Koobface fetch C&C command detected (emerging-virus.rules) 2010154 - ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt (emerging-web_client.rules) 2010155 - ET WEB_CLIENT ACTIVEX EMC 
Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt (emerging-web_client.rules) 2010156 - ET GAMES Alien Arena 7.30 Remote Code Execution Attempt (emerging-game.rules) 2010157 - ET USER_AGENTS TROJAN Nanspy User-Agent (XXX) (emerging-user_agents.rules) 2010158 - ET TROJAN Nanspy Bot Checkin (emerging-virus.rules) 2010159 - ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt (emerging-web_server.rules) 2010160 - ET WEB_CLIENT ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt (emerging-web_client.rules) 2010161 - ET WEB_CLIENT ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt (emerging-web_client.rules) 2010162 - ET WEB_SERVER Possible Sucessful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt (emerging-web_server.rules) 2010163 - ET TROJAN Glacial Dracon C&C Communication (emerging-virus.rules) 2010164 - ET TROJAN Daonol C&C Communication (emerging-virus.rules) 2010165 - ET TROJAN Tibs/Harnig Downloader Activity (emerging-virus.rules) 2010166 - ET CURRENT_EVENTS Facebook Spam Inbound (emerging-current_events.rules) 2010167 - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt (emerging-web_specific_apps.rules) 2010168 - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt (emerging-web_specific_apps.rules) 2010169 - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt (emerging-web_specific_apps.rules) 2010170 - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt (emerging-web_specific_apps.rules) 2010171 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt (emerging-web_specific_apps.rules) 2010172 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt (emerging-web_specific_apps.rules) 2010173 - ET WEB_SPECIFIC_APPS 
WebSense Email security msgAnalyse.asp ServerName XSS Attempt (emerging-web_specific_apps.rules)
2010174 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt (emerging-web_specific_apps.rules)
2010175 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt (emerging-web_specific_apps.rules)
2010176 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt (emerging-web_specific_apps.rules)
2010177 - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt (emerging-web_specific_apps.rules)
2010178 - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt (emerging-web_specific_apps.rules)
2010179 - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt (emerging-web_specific_apps.rules)
2010180 - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt (emerging-web_specific_apps.rules)
2010181 - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010182 - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010183 - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010184 - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010185 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010186 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010187 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules)
2010188 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules)
2010189 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules)
2010190 - ET WEB_CLIENT ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call (emerging-web_client.rules)
2010191 - ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010192 - ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010193 - ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010194 - ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal (emerging-web_specific_apps.rules)
2010195 - ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection (emerging-web_specific_apps.rules)
2010196 - ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection (emerging-web_specific_apps.rules)
2010197 - ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010198 - ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010199 - ET WEB_SPECIFIC_APPS Symantec AppStream LaunchObj ActiveX arbitrary code download and execution (emerging-web_specific_apps.rules)
2010200 - ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010201 - ET TROJAN Silon Encrypted Data POST to C&C (emerging-virus.rules)
2010202 - ET WEB_CLIENT Possible Google Chrome chrome://history/ URI Cross-Site Scripting Attempt (emerging-web_client.rules)
2010203 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt (emerging-web_client.rules)
2010204 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt (emerging-web_client.rules)
2010205 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt (emerging-web_client.rules)
2010206 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt (emerging-web_client.rules)
2010207 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt (emerging-web_client.rules)
2010208 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt (emerging-web_client.rules)
2010209 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt (emerging-web_client.rules)
2010210 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt (emerging-web_client.rules)
2010211 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt (emerging-web_client.rules)
2010212 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt (emerging-web_client.rules)
2010214 - ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010215 - ET SCAN SQL Injection Attempt (Agent uil2pn) (emerging-scan.rules)
2010217 - ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin (emerging-virus.rules)
2010218 - ET USER_AGENTS Win32/InternetAntivirus User Agent Detected (Internet Antivirus Pro) (emerging-user_agents.rules)
2010219 - ET WEB_CLIENT ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt (emerging-web_client.rules)
2010220 - ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE) (emerging-user_agents.rules)
2010221 - ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) (emerging-virus.rules)
2010222 - ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi (emerging-current_events.rules)
2010223 - ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010224 - ET TROJAN Opachki Link Hijacker Traffic Redirection (emerging-virus.rules)
2010225 - ET TROJAN Palevo/BFBot/Mariposa client join attempt (emerging-virus.rules)
2010226 - ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-current_events.rules (1):
#by anon 4

-> Added to emerging-sid-msg.map (261):
2008737 || ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008737
2008738 || ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008738
2008739 || ET TROJAN Conficker/MS08-067 Worm Traffic Outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008739
2010121 || ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Xoops || url,doc.emergingthreats.net/2010121 || url,xforce.iss.net/xforce/xfdb/51985 || url,milw0rm.com/exploits/9249
2010122 || ET WEB_SPECIFIC NewSolved newsscript.php idneu Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_NewSolved || url,doc.emergingthreats.net/2010122 || url,milw0rm.com/exploits/9042 || url,secunia.com/advisories/35611/
2010123 || ET WEB_SPECIFIC NewSolved newsscript.php newsid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_NewSolved || url,doc.emergingthreats.net/2010123 || url,milw0rm.com/exploits/9042 || url,secunia.com/advisories/35611/
2010124 || ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SERWeb || url,doc.emergingthreats.net/2010124 || url,milworm.com/exploits/9284 || bugtraq,26747
2010125 || ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SERWeb || url,doc.emergingthreats.net/2010125 || url,milworm.com/exploits/9284 || bugtraq,26747
2010126 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Ultrize || url,doc.emergingthreats.net/2010126 || url,secunia.com/advisories/36033/ || url,milw0rm.com/exploits/9297
2010127 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Ultrize || url,doc.emergingthreats.net/2010127 || url,secunia.com/advisories/36033/ || url,milw0rm.com/exploits/9297
2010129 || ET USER_AGENTS TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010129
2010130 || ET USER_AGENTS Suspicious HTTP Request with empty User Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010130
2010131 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010131 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html
2010132 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010132 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html
2010133 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010133 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html
2010134 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010134 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html
2010135 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010135 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html
2010136 || ET USER_AGENTS Suspicious User-Agent (asp2009) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_asp2009 || url,doc.emergingthreats.net/2010136 || url,www.threatexpert.com/report.aspx?md5=6cad864a439da7bbd6f1cec941cca72b
2010137 || ET USER_AGENTS Suspicious User-Agent (Sme32) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010137
2010138 || ET TROJAN Possible Win32/Agent.QBY CnC Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General || url,doc.emergingthreats.net/2010138 || url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63
2010139 || ET P2P Vuze BT Connection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010139 || url,vuze.com
2010140 || ET P2P Vuze BT UDP Connection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010140 || url,vuze.com
2010141 || ET P2P Vuze BT UDP Connection (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010141 || url,vuze.com
2010142 || ET P2P Vuze BT UDP Connection (3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010142
2010143 || ET P2P Vuze BT UDP Connection (4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010143
2010144 || ET P2P Vuze BT UDP Connection (5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010144 || url,vuze.com
2010145 || ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010145 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010146 || ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Apache_Tomcatmgr || url,doc.emergingthreats.net/2010146 || cve,2008-1947 || url,www.securityfocus.com/bid/29502/info
2010147 || ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bloofox || url,doc.emergingthreats.net/2010147 || url,www.securityfocus.com/bid/36700/info
2010148 || ET CURRENT_EVENTS DHL Spam Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL || url,doc.emergingthreats.net/2010148
2010149 || ET TROJAN Koobface HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010149 || url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
2010150 || ET TROJAN Koobface HTTP Request (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010150 || url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
2010151 || ET TROJAN Koobface C&C availability check || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010151 || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
2010152 || ET TROJAN Koobface C&C availability check successful || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010152 || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
2010153 || ET TROJAN Koobface fetch C&C command detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010153 || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
2010154 || ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EMC || url,doc.emergingthreats.net/2010154 || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,www.securityfocus.com/bid/36566/info
2010155 || ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EMC || url,doc.emergingthreats.net/2010155 || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,www.securityfocus.com/bid/36566/info
2010156 || ET GAMES Alien Arena 7.30 Remote Code Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_AlienArena || url,doc.emergingthreats.net/2010156 || url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt
2010157 || ET USER_AGENTS TROJAN Nanspy User-Agent (XXX) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Nanspy || url,doc.emergingthreats.net/bin/view/Main/2010157
2010158 || ET TROJAN Nanspy Bot Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Nanspy || url,doc.emergingthreats.net/2010158
2010159 || ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_3Com || url,doc.emergingthreats.net/2010159 || url,www.securityfocus.com/bid/36722/info || url,www.securityfocus.com/archive/1/507263 || url,securitytracker.com/alerts/2009/Oct/1023051.html
2010160 || ET WEB_CLIENT ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL || url,doc.emergingthreats.net/2010160 || url,www.securityfocus.com/bid/35028 || url,www.milw0rm.org/exploits/8733
2010161 || ET WEB_CLIENT ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_eDraw || url,doc.emergingthreats.net/2010161 || url,www.milw0rm.org/exploits/8986
2010162 || ET WEB_SERVER Possible Sucessful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Juniper || url,doc.emergingthreats.net/2010162 || url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05 || url,seclists.org/bugtraq/2009/Apr/242 || url,www.securityfocus.com/bid/34710 || url,securitytracker.com/alerts/2009/Apr/1022123.html
2010163 || ET TROJAN Glacial Dracon C&C Communication || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Glacial || url,doc.emergingthreats.net/2010163 || url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46 || url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d
2010164 || ET TROJAN Daonol C&C Communication || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Daonol || url,doc.emergingthreats.net/2010164 || url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html || url,www.iss.net/threats/gumblar.html || url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol
2010165 || ET TROJAN Tibs/Harnig Downloader Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs || url,doc.emergingthreats.net/2010165 || url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig
2010166 || ET CURRENT_EVENTS Facebook Spam Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL || url,doc.emergingthreats.net/2010166
2010167 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010167 || url,www.securityfocus.com/bid/36741/
2010168 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010168 || url,www.securityfocus.com/bid/36741/
2010169 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010169 || url,www.securityfocus.com/bid/36741/
2010170 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010170 || url,www.securityfocus.com/bid/36741/
2010171 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010171 || url,www.securityfocus.com/bid/36741/
2010172 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010172 || url,www.securityfocus.com/bid/36741/
2010173 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010173 || url,www.securityfocus.com/bid/36741/
2010174 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010174 || url,www.securityfocus.com/bid/36741/
2010175 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010175 || url,www.securityfocus.com/bid/36741/
2010176 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010176 || url,www.securityfocus.com/bid/36741/
2010177 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010177 || url,www.securityfocus.com/bid/36741/
2010178 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010178 || url,www.securityfocus.com/bid/36741/
2010179 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010179 || url,www.securityfocus.com/bid/36741/
2010180 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010180 || url,www.securityfocus.com/bid/36741/
2010181 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010181 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010182 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010182 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010183 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010183 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010184 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010184 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010185 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010185 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010186 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010186 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010187 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010187 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010188 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010188 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010189 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010189 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010190 || ET WEB_CLIENT ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Altiris || url,doc.emergingthreats.net/2010190 || url,secunia.com/advisories/36679 || url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023
2010191 || ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_justVisuals || url,doc.emergingthreats.net/2010191 || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/
2010192 || ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_justVisuals || url,doc.emergingthreats.net/2010192 || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/
2010193 || ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_justVisuals || url,doc.emergingthreats.net/2010193 || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/
2010194 || ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe || url,doc.emergingthreats.net/2010194 || url,www.vupen.com/english/advisories/2009/2285 || url,www.dsecrg.ru/pages/vul/show.php?id=152
2010195 || ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DoCMS || url,doc.emergingthreats.net/2010195 || url,packetstormsecurity.org/0908-exploits/dscms-sql.txt
2010196 || ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2Fly || url,doc.emergingthreats.net/2010196 || url,osvdb.org/show/osvdb/57136 || url,secunia.com/advisories/36294/
2010197 || ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_KingCMS || url,doc.emergingthreats.net/2010197 || url,osvdb.org/show/osvdb/57688
2010198 || ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AutonomousLanParty || url,doc.emergingthreats.net/2010198 || url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt || url,secunia.com/advisories/36354
2010199 || ET WEB_SPECIFIC_APPS Symantec AppStream LaunchObj ActiveX arbitrary code download and execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Symantec || url,doc.emergingthreats.net/2010199 || url,osvdb.org/51410 || url,www.kb.cert.org/vuls/id/194505
2010200 || ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComputerAssociates || url,doc.emergingthreats.net/2010200 || url,www.securityfocus.com/bid/26375/info || cve,2007-5923
2010201 || ET TROJAN Silon Encrypted Data POST to C&C || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Silon || url,doc.emergingthreats.net/2010201 || url,www.trusteer.com/webform/w32silon-malware-analysis
2010202 || ET WEB_CLIENT Possible Google Chrome chrome://history/ URI Cross-Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Google || url,doc.emergingthreats.net/2010202 || url,www.securityfocus.com/archive/1/505303 || url,www.securityfocus.com/bid/35841/info
2010203 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010203 || url,www.securityfocus.com/bid/36548
2010204 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010204 || url,www.securityfocus.com/bid/36548
2010205 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010205 || url,www.securityfocus.com/bid/36548
2010206 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010206 || url,www.securityfocus.com/bid/36548
2010207 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010207 || url,www.securityfocus.com/bid/36548
2010208 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010208 || url,www.securityfocus.com/bid/36548
2010209 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010209 || url,www.securityfocus.com/bid/36548
2010210 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010210 || url,www.securityfocus.com/bid/36548
2010211 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010211 || url,www.securityfocus.com/bid/36548
2010212 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010212 || url,www.securityfocus.com/bid/36548
2010214 || ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe || url,doc.emergingthreats.net/2010214 || url,securitytracker.com/alerts/2009/Aug/1022748.html || cve,2009-1879
2010215 || ET SCAN SQL Injection Attempt (Agent uil2pn) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_SQLScan || url,doc.emergingthreats.net/2010215 || url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html
2010217 || ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cbeplay || url,doc.emergingthreats.net/2010217 || url,www.secureworks.com/research/threats/ppi/ || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B
2010218 || ET USER_AGENTS Win32/InternetAntivirus User Agent Detected (Internet Antivirus Pro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Internet_Antivirus_Pro || url,doc.emergingthreats.net/2010218
2010219 || ET WEB_CLIENT ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP || url,doc.emergingthreats.net/2010219 || url,www.securityfocus.com/bid/35256/info
2010220 || ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ClickAdsbyIE || url,doc.emergingthreats.net/2010220
2010221 || ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fakerean || url,doc.emergingthreats.net/2010221 || url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss
2010222 || ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,doc.emergingthreats.net/2010222 || url,malwareurl.com
2010223 || ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Mambo || url,doc.emergingthreats.net/2010223 || url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb || url,www.securityfocus.com/bid/29716/info
2010224 || ET TROJAN Opachki Link Hijacker Traffic Redirection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Opachki || url,doc.emergingthreats.net/2010224 || url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A || url,www.secureworks.com/research/threats/opachki/?threat=opachki
2010225 || ET TROJAN Palevo/BFBot/Mariposa client join attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa || url,doc.emergingthreats.net/2010225
2010226 || ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa || url,doc.emergingthreats.net/2010226
2010227 || ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt || cve,2009-3031 || url,sotiriu.de/adv/NSOADV-2009-001.txt || url,www.securityfocus.com/bid/36698/info || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00
2010228 || ET POLICY Microsoft Windows 7 User-Agent detected || url,www.microsoft.com/windows/windows-7/default.aspx
2010229 || ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt || url,www.securityfocus.com/archive/1/507456 || url,www.securityfocus.com/bid/36814/info || url,securitytracker.com/alerts/2009/Oct/1023095.html
2010230 || ET TROJAN W32.Koblu
2010231 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,vil.nai.com/vil/content/v_157489.htm || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010232 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010233 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010234 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010235 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,vil.nai.com/vil/content/v_157489.htm || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010236 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010237 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010238 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010239 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
2500404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500405 || ET
COMPROMISED Known Compromised or Hostile Host Traffic UDP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500419 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic UDP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (217) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (224) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (231) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (203) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (210) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (216) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (223) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (229) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (236) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (261): 2008737 || ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008737 2008738 || ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008738 2008739 || ET TROJAN Conficker/MS08-067 Worm Traffic Outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008739 2010121 || ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Xoops || url,doc.emergingthreats.net/2010121 || url,xforce.iss.net/xforce/xfdb/51985 || url,milw0rm.com/exploits/9249 2010122 || ET WEB_SPECIFIC NewSolved newsscript.php idneu Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_NewSolved || url,doc.emergingthreats.net/2010122 || url,milw0rm.com/exploits/9042 || url,secunia.com/advisories/35611/ 2010123 || ET WEB_SPECIFIC NewSolved newsscript.php newsid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_NewSolved || url,doc.emergingthreats.net/2010123 || url,milw0rm.com/exploits/9042 || 
url,secunia.com/advisories/35611/ 2010124 || ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SERWeb || url,doc.emergingthreats.net/2010124 || url,milworm.com/exploits/9284 || bugtraq,26747 2010125 || ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SERWeb || url,doc.emergingthreats.net/2010125 || url,milworm.com/exploits/9284 || bugtraq,26747 2010126 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Ultrize || url,doc.emergingthreats.net/2010126 || url,secunia.com/advisories/36033/ || url,milw0rm.com/exploits/9297 2010127 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Ultrize || url,doc.emergingthreats.net/2010127 || url,secunia.com/advisories/36033/ || url,milw0rm.com/exploits/9297 2010129 || ET USER_AGENTS TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010129 2010130 || ET USER_AGENTS Suspicious HTTP Request with empty User Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010130 2010131 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010131 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || 
url,securitytracker.com/alerts/2009/Oct/1023017.html 2010132 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010132 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010133 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010133 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010134 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010134 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010135 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010135 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010136 || ET USER_AGENTS Suspicious User-Agent (asp2009) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_asp2009 || url,doc.emergingthreats.net/2010136 || 
url,www.threatexpert.com/report.aspx?md5=6cad864a439da7bbd6f1cec941cca72b 2010137 || ET USER_AGENTS Suspicious User-Agent (Sme32) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010137 2010138 || ET TROJAN Possible Win32/Agent.QBY CnC Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General || url,doc.emergingthreats.net/2010138 || url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63 2010139 || ET P2P Vuze BT Connection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010139 || url,vuze.com 2010140 || ET P2P Vuze BT UDP Connection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010140 || url,vuze.com 2010141 || ET P2P Vuze BT UDP Connection (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010141 || url,vuze.com 2010142 || ET P2P Vuze BT UDP Connection (3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010142 2010143 || ET P2P Vuze BT UDP Connection (4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010143 2010144 || ET P2P Vuze BT UDP Connection (5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze || url,doc.emergingthreats.net/2010144 || url,vuze.com 2010145 || ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010145 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info 2010146 || ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Apache_Tomcatmgr || 
url,doc.emergingthreats.net/2010146 || cve,2008-1947 || url,www.securityfocus.com/bid/29502/info
2010147 || ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bloofox || url,doc.emergingthreats.net/2010147 || url,www.securityfocus.com/bid/36700/info
2010148 || ET CURRENT_EVENTS DHL Spam Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL || url,doc.emergingthreats.net/2010148
2010149 || ET TROJAN Koobface HTTP Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010149 || url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
2010150 || ET TROJAN Koobface HTTP Request (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010150 || url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
2010151 || ET TROJAN Koobface C&C availability check || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010151 || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
2010152 || ET TROJAN Koobface C&C availability check successful || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010152 || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
2010153 || ET TROJAN Koobface fetch C&C command detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koobface || url,doc.emergingthreats.net/2010153 || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
2010154 || ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EMC || url,doc.emergingthreats.net/2010154 || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,www.securityfocus.com/bid/36566/info
2010155 || ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EMC || url,doc.emergingthreats.net/2010155 || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,www.securityfocus.com/bid/36566/info
2010156 || ET GAMES Alien Arena 7.30 Remote Code Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_AlienArena || url,doc.emergingthreats.net/2010156 || url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt
2010157 || ET USER_AGENTS TROJAN Nanspy User-Agent (XXX) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Nanspy || url,doc.emergingthreats.net/bin/view/Main/2010157
2010158 || ET TROJAN Nanspy Bot Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Nanspy || url,doc.emergingthreats.net/2010158
2010159 || ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_3Com || url,doc.emergingthreats.net/2010159 || url,www.securityfocus.com/bid/36722/info || url,www.securityfocus.com/archive/1/507263 || url,securitytracker.com/alerts/2009/Oct/1023051.html
2010160 || ET WEB_CLIENT ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_AOL || url,doc.emergingthreats.net/2010160 || url,www.securityfocus.com/bid/35028 || url,www.milw0rm.org/exploits/8733
2010161 || ET WEB_CLIENT ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_eDraw || url,doc.emergingthreats.net/2010161 || url,www.milw0rm.org/exploits/8986
2010162 || ET WEB_SERVER Possible Sucessful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Juniper || url,doc.emergingthreats.net/2010162 || url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05 || url,seclists.org/bugtraq/2009/Apr/242 || url,www.securityfocus.com/bid/34710 || url,securitytracker.com/alerts/2009/Apr/1022123.html
2010163 || ET TROJAN Glacial Dracon C&C Communication || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Glacial || url,doc.emergingthreats.net/2010163 || url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46 || url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d
2010164 || ET TROJAN Daonol C&C Communication || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Daonol || url,doc.emergingthreats.net/2010164 || url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html || url,www.iss.net/threats/gumblar.html || url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol
2010165 || ET TROJAN Tibs/Harnig Downloader Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs || url,doc.emergingthreats.net/2010165 || url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig
2010166 || ET CURRENT_EVENTS Facebook Spam Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL || url,doc.emergingthreats.net/2010166
2010167 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010167 || url,www.securityfocus.com/bid/36741/
2010168 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010168 || url,www.securityfocus.com/bid/36741/
2010169 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010169 || url,www.securityfocus.com/bid/36741/
2010170 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010170 || url,www.securityfocus.com/bid/36741/
2010171 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010171 || url,www.securityfocus.com/bid/36741/
2010172 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010172 || url,www.securityfocus.com/bid/36741/
2010173 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010173 || url,www.securityfocus.com/bid/36741/
2010174 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010174 || url,www.securityfocus.com/bid/36741/
2010175 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010175 || url,www.securityfocus.com/bid/36741/
2010176 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010176 || url,www.securityfocus.com/bid/36741/
2010177 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010177 || url,www.securityfocus.com/bid/36741/
2010178 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010178 || url,www.securityfocus.com/bid/36741/
2010179 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010179 || url,www.securityfocus.com/bid/36741/
2010180 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Websense || url,doc.emergingthreats.net/2010180 || url,www.securityfocus.com/bid/36741/
2010181 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010181 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010182 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010182 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010183 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010183 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010184 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_IBM || url,doc.emergingthreats.net/2010184 || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info
2010185 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010185 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010186 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010186 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010187 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010187 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010188 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010188 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010189 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_QuickTeam || url,doc.emergingthreats.net/2010189 || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt
2010190 || ET WEB_CLIENT ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Altiris || url,doc.emergingthreats.net/2010190 || url,secunia.com/advisories/36679 || url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023
2010191 || ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_justVisuals || url,doc.emergingthreats.net/2010191 || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/
2010192 || ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_justVisuals || url,doc.emergingthreats.net/2010192 || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/
2010193 || ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_justVisuals || url,doc.emergingthreats.net/2010193 || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/
2010194 || ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe || url,doc.emergingthreats.net/2010194 || url,www.vupen.com/english/advisories/2009/2285 || url,www.dsecrg.ru/pages/vul/show.php?id=152
2010195 || ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DoCMS || url,doc.emergingthreats.net/2010195 || url,packetstormsecurity.org/0908-exploits/dscms-sql.txt
2010196 || ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2Fly || url,doc.emergingthreats.net/2010196 || url,osvdb.org/show/osvdb/57136 || url,secunia.com/advisories/36294/
2010197 || ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_KingCMS || url,doc.emergingthreats.net/2010197 || url,osvdb.org/show/osvdb/57688
2010198 || ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AutonomousLanParty || url,doc.emergingthreats.net/2010198 || url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt || url,secunia.com/advisories/36354
2010199 || ET WEB_SPECIFIC_APPS Symantec AppStream LaunchObj ActiveX arbitrary code download and execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Symantec || url,doc.emergingthreats.net/2010199 || url,osvdb.org/51410 || url,www.kb.cert.org/vuls/id/194505
2010200 || ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComputerAssociates || url,doc.emergingthreats.net/2010200 || url,www.securityfocus.com/bid/26375/info || cve,2007-5923
2010201 || ET TROJAN Silon Encrypted Data POST to C&C || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Silon || url,doc.emergingthreats.net/2010201 || url,www.trusteer.com/webform/w32silon-malware-analysis
2010202 || ET WEB_CLIENT Possible Google Chrome chrome://history/ URI Cross-Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Google || url,doc.emergingthreats.net/2010202 || url,www.securityfocus.com/archive/1/505303 || url,www.securityfocus.com/bid/35841/info
2010203 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010203 || url,www.securityfocus.com/bid/36548
2010204 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010204 || url,www.securityfocus.com/bid/36548
2010205 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010205 || url,www.securityfocus.com/bid/36548
2010206 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010206 || url,www.securityfocus.com/bid/36548
2010207 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010207 || url,www.securityfocus.com/bid/36548
2010208 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010208 || url,www.securityfocus.com/bid/36548
2010209 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010209 || url,www.securityfocus.com/bid/36548
2010210 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010210 || url,www.securityfocus.com/bid/36548
2010211 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010211 || url,www.securityfocus.com/bid/36548
2010212 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_BlackIce || url,doc.emergingthreats.net/2010212 || url,www.securityfocus.com/bid/36548
2010214 || ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe || url,doc.emergingthreats.net/2010214 || url,securitytracker.com/alerts/2009/Aug/1022748.html || cve,2009-1879
2010215 || ET SCAN SQL Injection Attempt (Agent uil2pn) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_SQLScan || url,doc.emergingthreats.net/2010215 || url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html
2010217 || ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cbeplay || url,doc.emergingthreats.net/2010217 || url,www.secureworks.com/research/threats/ppi/ || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B
2010218 || ET USER_AGENTS Win32/InternetAntivirus User Agent Detected (Internet Antivirus Pro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Internet_Antivirus_Pro || url,doc.emergingthreats.net/2010218
2010219 || ET WEB_CLIENT ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_SAP || url,doc.emergingthreats.net/2010219 || url,www.securityfocus.com/bid/35256/info
2010220 || ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ClickAdsbyIE || url,doc.emergingthreats.net/2010220
2010221 || ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fakerean || url,doc.emergingthreats.net/2010221 || url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss
2010222 || ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,doc.emergingthreats.net/2010222 || url,malwareurl.com
2010223 || ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Mambo || url,doc.emergingthreats.net/2010223 || url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb || url,www.securityfocus.com/bid/29716/info
2010224 || ET TROJAN Opachki Link Hijacker Traffic Redirection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Opachki || url,doc.emergingthreats.net/2010224 || url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A || url,www.secureworks.com/research/threats/opachki/?threat=opachki
2010225 || ET TROJAN Palevo/BFBot/Mariposa client join attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa || url,doc.emergingthreats.net/2010225
2010226 || ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa || url,doc.emergingthreats.net/2010226
2010227 || ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt || cve,2009-3031 || url,sotiriu.de/adv/NSOADV-2009-001.txt || url,www.securityfocus.com/bid/36698/info || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00
2010228 || ET POLICY Microsoft Windows 7 User-Agent detected || url,www.microsoft.com/windows/windows-7/default.aspx
2010229 || ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt || url,www.securityfocus.com/archive/1/507456 || url,www.securityfocus.com/bid/36814/info || url,securitytracker.com/alerts/2009/Oct/1023095.html
2010230 || ET TROJAN W32.Koblu
2010231 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,vil.nai.com/vil/content/v_157489.htm || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010232 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010233 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010234 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010235 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,vil.nai.com/vil/content/v_157489.htm || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010236 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010237 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010238 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010239 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
2500404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510412 || ET COMPROMISED Known
Compromised or Hostile Host Traffic TCP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510425 || ET COMPROMISED Known Compromised or Hostile Host Traffic 
UDP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (220) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (226) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (233) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-virus.rules (1): #anonymous writer, sent in by Russell Fulton, improved by jerry at cybercave -> Added to emerging-web_server.rules (1): #by kevin ross [---] Removed non-rule lines: [---] -> Removed from emerging-attack_response.rules (1): # $Id: emerging-attack_response.rules $ -> Removed from emerging-current_events.rules (1): # $Id: emerging-current_events.rules $ -> Removed from emerging-dos.rules (1): # $Id: emerging-dos.rules $ -> Removed from emerging-exploit.rules (1): # $Id: emerging-exploit.rules $ -> Removed from emerging-game.rules (1): # 
$Id: emerging-game.rules $ -> Removed from emerging-inappropriate.rules (1): # $Id: emerging-inappropriate.rules $ -> Removed from emerging-malware.rules (1): # $Id: emerging-malware.rules $ -> Removed from emerging-p2p.rules (1): # $Id: emerging-p2p.rules $ -> Removed from emerging-policy.rules (1): # $Id: emerging-policy.rules $ -> Removed from emerging-scan.rules (1): # $Id: emerging-scan.rules $ -> Removed from emerging-sid-msg.map (106): 2008737 || ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin || url,doc.emergingthreats.net/bin/view/Main/2008737 2008738 || ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related || url,doc.emergingthreats.net/bin/view/Main/2008738 2008739 || ET TROJAN Conficker/MS08-067 Worm Traffic Outbound || url,doc.emergingthreats.net/bin/view/Main/2008739 2010121 || ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection || url,xforce.iss.net/xforce/xfdb/51985 || url,milw0rm.com/exploits/9249 2010122 || ET WEB_SPECIFIC NewSolved newsscript.php idneu Parameter SQL Injection || url,milw0rm.com/exploits/9042 || url,secunia.com/advisories/35611/ 2010123 || ET WEB_SPECIFIC NewSolved newsscript.php newsid Parameter SQL Injection || url,milw0rm.com/exploits/9042 || url,secunia.com/advisories/35611/ 2010124 || ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion || url,milworm.com/exploits/9284 || bugtraq,26747 2010125 || ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion || url,milworm.com/exploits/9284 || bugtraq,26747 2010126 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion || url,secunia.com/advisories/36033/ || url,milw0rm.com/exploits/9297 2010127 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion || url,secunia.com/advisories/36033/ || url,milw0rm.com/exploits/9297 2010129 || ET USER_AGENTS 
TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt) 2010130 || ET USER_AGENTS Suspicious HTTP Request with empty User Agent 2010131 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010132 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010133 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010134 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010135 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html 2010136 || ET USER_AGENTS Suspicious User-Agent (asp2009) || url,www.threatexpert.com/report.aspx?md5=6cad864a439da7bbd6f1cec941cca72b 2010137 || ET USER_AGENTS Suspicious User-Agent (Sme32) 2010138 || ET TROJAN Possible Win32/Agent.QBY CnC Post || url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63 2010139 || ET P2P Vuze BT Connection || url,vuze.com 
2010140 || ET P2P Vuze BT UDP Connection || url,vuze.com 2010141 || ET P2P Vuze BT UDP Connection (2) || url,vuze.com 2010142 || ET P2P Vuze BT UDP Connection (3) 2010143 || ET P2P Vuze BT UDP Connection (4) 2010144 || ET P2P Vuze BT UDP Connection (5) || url,vuze.com 2010145 || ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info 2010146 || ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt || cve,2008-1947 || url,www.securityfocus.com/bid/29502/info 2010147 || ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt || url,www.securityfocus.com/bid/36700/info 2010148 || ET CURRENT_EVENTS DHL Spam Inbound 2010149 || ET TROJAN Koobface HTTP Request || url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html 2010150 || ET TROJAN Koobface HTTP Request (2) || url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html 2010151 || ET TROJAN Koobface C&C availability check || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf 2010152 || ET TROJAN Koobface C&C availability check successful || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf 2010153 || ET TROJAN Koobface fetch C&C command detected || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf 2010154 || ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,www.securityfocus.com/bid/36566/info 2010155 || ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt || 
url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,www.securityfocus.com/bid/36566/info 2010156 || ET GAMES Alien Arena 7.30 Remote Code Execution Attempt || url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt 2010157 || ET USER_AGENTS TROJAN Nanspy User-Agent (XXX) || url,doc.emergingthreats.net/bin/view/Main/2010157 2010158 || ET TROJAN Nanspy Bot Checkin 2010159 || ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt || url,www.securityfocus.com/bid/36722/info || url,www.securityfocus.com/archive/1/507263 || url,securitytracker.com/alerts/2009/Oct/1023051.html 2010160 || ET WEB_CLIENT ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt || url,www.securityfocus.com/bid/35028 || url,www.milw0rm.org/exploits/8733 2010161 || ET WEB_CLIENT ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt || url,www.milw0rm.org/exploits/8986 2010162 || ET WEB_SERVER Possible Sucessful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt || url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05 || url,seclists.org/bugtraq/2009/Apr/242 || url,www.securityfocus.com/bid/34710 || url,securitytracker.com/alerts/2009/Apr/1022123.html 2010163 || ET TROJAN Glacial Dracon C&C Communication || url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46 || url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d 2010164 || ET TROJAN Daonol C&C Communication || url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html || url,www.iss.net/threats/gumblar.html || url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol 2010165 || ET TROJAN Tibs/Harnig Downloader Activity || url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc || 
url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig 2010166 || ET CURRENT_EVENTS Facebook Spam Inbound 2010167 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010168 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010169 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010170 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010171 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010172 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010173 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010174 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010175 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010176 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010177 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010178 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010179 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010180 || ET WEB_SPECIFIC_APPS WebSense Email security 
msgForwardToRiskFilter.asp ServerName XSS Attempt || url,www.securityfocus.com/bid/36741/ 2010181 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info 2010182 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info 2010183 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info 2010184 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,www.securityfocus.com/bid/36721/info 2010185 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt 2010186 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt 2010187 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt 2010188 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt 2010189 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt 2010190 || ET WEB_CLIENT ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call || url,secunia.com/advisories/36679 || 
url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023 2010191 || ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/ 2010192 || ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/ 2010193 || ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion || url,milw0rm.com/exploits/9308 || url,secunia.com/advisories/36072/ 2010194 || ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal || url,www.vupen.com/english/advisories/2009/2285 || url,www.dsecrg.ru/pages/vul/show.php?id=152 2010195 || ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection || url,packetstormsecurity.org/0908-exploits/dscms-sql.txt 2010196 || ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection || url,osvdb.org/show/osvdb/57136 || url,secunia.com/advisories/36294/ 2010197 || ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion || url,osvdb.org/show/osvdb/57688 2010198 || ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion || url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt || url,secunia.com/advisories/36354 2010199 || ET WEB_SPECIFIC_APPS Symantec AppStream LaunchObj ActiveX arbitrary code download and execution || url,osvdb.org/51410 || url,www.kb.cert.org/vuls/id/194505 2010200 || ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt || url,www.securityfocus.com/bid/26375/info || cve,2007-5923 2010201 || ET TROJAN Silon Encrypted Data POST to C&C || url,www.trusteer.com/webform/w32silon-malware-analysis 2010202 || ET WEB_CLIENT Possible Google Chrome chrome://history/ URI Cross-Site 
Scripting Attempt || url,www.securityfocus.com/archive/1/505303 || url,www.securityfocus.com/bid/35841/info 2010203 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 2010204 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 2010205 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 2010206 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 2010207 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 2010208 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt || url,www.securityfocus.com/bid/36548 2010209 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt || url,www.securityfocus.com/bid/36548 2010210 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt || url,www.securityfocus.com/bid/36548 2010211 || ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt || url,www.securityfocus.com/bid/36548 2010212 || ET 
WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt || url,www.securityfocus.com/bid/36548 2010214 || ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt || url,securitytracker.com/alerts/2009/Aug/1022748.html || cve,2009-1879 2010215 || ET SCAN SQL Injection Attempt (Agent uil2pn) || url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html 2010217 || ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin || url,www.secureworks.com/research/threats/ppi/ || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B 2010218 || ET USER_AGENTS Win32/InternetAntivirus User Agent Detected (Internet Antivirus Pro) 2010219 || ET WEB_CLIENT ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt || url,www.securityfocus.com/bid/35256/info 2010220 || ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE) 2010221 || ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) || url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss 2010222 || ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi || url,malwareurl.com 2010223 || ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt || url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb || url,www.securityfocus.com/bid/29716/info 2010224 || ET TROJAN Opachki Link Hijacker Traffic Redirection || url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A || url,www.secureworks.com/research/threats/opachki/?threat=opachki 2010225 || ET TROJAN Palevo/BFBot/Mariposa client join attempt 2010226 || ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement -> Removed from emerging-sid-msg.map.txt 
From wkitty42 at windstream.net Tue Nov 3 17:06:06 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 03 Nov 2009 17:06:06 -0500
Subject: [Emerging-Sigs] antispam sids - first results
In-Reply-To: <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com> <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com>
Message-ID: <4AF0A94E.5040703@windstream.net>

Jack Pepper wrote:
> I intend to keep tweaking on this to see if there is a worthwhile case
> for expanding SPAM sigs into "24hr Drop" sigs.

what "priority" level are these alerts? 1, 2, 3 ??

From wkitty42 at windstream.net Tue Nov 3 17:09:32 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 03 Nov 2009 17:09:32 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <1257278830.84458.18.camel@localhost>
References: <4AEEEA38.3040109@packetmail.net> <1257208461.83224.6.camel@localhost> <4AEF9BA0.9050205@windstream.net> <1257278830.84458.18.camel@localhost>
Message-ID: <4AF0AA1C.7030008@windstream.net>

Frank Knobbe wrote:
> On Mon, 2009-11-02 at 21:55 -0500, waldo kitty wrote:
>> on the one hand, i agree... on the other hand, i don't want the friggin' things
>> to get installed on any machines connected to my network(s)... much better to
>> cut them off at the pass before they get a chance to get into town and get holed
>> up somewheres ;)
>
> But that's the point. It's only a possible download. It doesn't
> guarantee installation of it.

agreed...
but some of us don't want any contact with machines distributing muckware or
participating in any attacks at all... their first attempt is their last within
a set time period after which they may try again which could result in another
block...

From pepperjack at afferentsecurity.com Tue Nov 3 17:19:50 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 03 Nov 2009 16:19:50 -0600
Subject: [Emerging-Sigs] antispam sids - first results
In-Reply-To: <4AF0A94E.5040703@windstream.net>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com> <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com> <4AF0A94E.5040703@windstream.net>
Message-ID: <20091103161950.tvg4hn4s0s4kcc0w@mail.afferentsecurity.com>

Quoting waldo kitty :
> Jack Pepper wrote:
>> I intend to keep tweaking on this to see if there is a worthwhile
>> case for expanding SPAM sigs into "24hr Drop" sigs.
>
> what "priority" level are these alerts? 1, 2, 3 ??

I don't know what you mean by that. The sids I used for the pilot were
2010148 and 2010166.

jp

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From frank at knobbe.us Tue Nov 3 17:26:48 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 03 Nov 2009 16:26:48 -0600
Subject: [Emerging-Sigs] antispam sids - first results
In-Reply-To: <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com> <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com>
Message-ID: <1257287208.84458.47.camel@localhost>

On Tue, 2009-11-03 at 14:04 -0600, Jack Pepper wrote:
> I intend to keep tweaking on this to see if there is a worthwhile case
> for expanding SPAM sigs into "24hr Drop" sigs.

I had done that a couple years ago. Blocked a massive amount of spam
attempts. Didn't seem to make much of a difference, and I reverted to
selectively filter with RBLDNS on the MTA before it's accepted and fed to
SpamAssassin. I have much better success with that. Even with 20000+ on
the block list, it didn't make much of a dent.

While my new iteration of Snortsam is able to handle millions of blocked
IP's, I'm still not convinced it's useful for spam. Instead, I'm using the
country based RBLDNS lookups to just cut out email from all annoying
countries (although an SMTP block by country would be just as effective).
That approach yields much better results.

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091103/bf0d4864/attachment.bin

From scheidell at secnap.net Tue Nov 3 17:32:52 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Tue, 03 Nov 2009 17:32:52 -0500
Subject: [Emerging-Sigs] antispam sids - first results
In-Reply-To: <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com> <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com>
Message-ID: <4AF0AF94.4080702@secnap.net>

Jack Pepper wrote:
> Attached is a spreadsheet with the results of the first week after
> blocking any IP address that sent me more than one DHL or
> facebook_password spam.
>
> On 10/22 I started doing a 24hr perimeter drop on any outside server
> that sent me more than one DHL or facebook_password spam.
>
>
if it's a 'legit' mail server forwarding the spam, it could requeue it up
for the next 5 days.

email should be handled via SMTP. a good 551 5.7.1 Go Away and you only
have to do it once, at smtp level, costs you all of about 50 bytes.

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From frank at knobbe.us Tue Nov 3 18:24:21 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 03 Nov 2009 17:24:21 -0600
Subject: [Emerging-Sigs] Dropped packets
Message-ID: <1257290661.84458.55.camel@localhost>

Anyone noticed an increase in dropped packets lately? Looks like we may
have some recently added sigs that are hogs.
Regards,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091103/bb6c537b/attachment.bin

From evilghost at packetmail.net Tue Nov 3 18:47:24 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 3 Nov 2009 17:47:24 -0600
Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV
Message-ID: <4AF0C10C.70105@packetmail.net>

I've tried to get this message through now four times, so this is my
final try, I've stripped the PCAP ASCII decodes. Now you'll just have
to take my word for it that these signatures match well and the
rationale behind their construction was valid. Matt, no idea why this
is happening. The message was also sent to you and Frank directly. My
MTA logs show the messages being delivered to the list just fine.

We are seeing an increase in the 'fake AV' style, here is the secondary
check-in with download. Note the initial HTTP HEAD. Based on the structure
of the URL I'm not sure that implementing a PCRE match would be valuable
outside of the uricontent matching, except for POST. I also see tertiary
activity where there is no HTTP HEAD, only a GET without the &pid string.
This variant does some HOST file modifications, I believe
get_product_domains.php is where the seed list for HOSTS comes from.
Various User-Agents are used, some reporting as the actual malware name
itself (5a8fd). Since it's dynamic, not really sig-able.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; content:"HEAD "; depth:5; uricontent:"?controller="; uricontent:"&abbr="; uricontent:"&setupType="; uricontent:"&ttl="; uricontent:"&pid="; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?controller="; uricontent:"&abbr="; uricontent:"&setupType="; uricontent:"&ttl="; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV get_product_domains.php"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/reports/get_product_domains.php?abbr="; uricontent:"&pid="; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; content:"POST "; depth:5; content:"verint="; content:"&uid="; content:"&wv="; content:"&report="; content:"&abbr="; content:"&pid="; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d+/"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV User-Agent TALWinInetHTTPClient"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; TALWinInetHTTPClient)|0d 0a|"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

From wkitty42 at windstream.net Tue Nov 3 18:49:12 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 03 Nov 2009 18:49:12 -0500
Subject: [Emerging-Sigs] antispam sids - first results
In-Reply-To: <20091103161950.tvg4hn4s0s4kcc0w@mail.afferentsecurity.com>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com> <20091103140415.6txb2fqcysgwkg8g@mail.afferentsecurity.com> <4AF0A94E.5040703@windstream.net> <20091103161950.tvg4hn4s0s4kcc0w@mail.afferentsecurity.com>
Message-ID: <4AF0C178.709@windstream.net>

Jack Pepper wrote:
> Quoting waldo kitty :
>
>> Jack Pepper wrote:
>>> I intend to keep tweaking on this to see if there is a worthwhile
>>> case for expanding SPAM sigs into "24hr Drop" sigs.
>>
>> what "priority" level are these alerts? 1, 2, 3 ??
>
> I don't know what you mean by that. The sids I used for the pilot were
> 2010148 and 2010166.

thanks... that let me look them up... they are listed as trojan-activity
which classification.conf sets as 1... this is the most important level in
rankings... currently there's 1 thru 3 and blank or no priority... at least
from a default snort installation :)

From shepdelacreme at gmail.com Tue Nov 3 19:04:27 2009
From: shepdelacreme at gmail.com (Daniel Shepherd)
Date: Tue, 3 Nov 2009 19:04:27 -0500
Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV
In-Reply-To: <4AF0C10C.70105@packetmail.net>
References: <4AF0C10C.70105@packetmail.net>
Message-ID: <4675499962108141304@unknownmsgid>

Wow nice work on these sigs. I'd be interested in seeing the pcaps, not
from a validation standpoint but for my own personal edification.
If you're cool with sharing you can send them directly to my email and I'll put them up on my dropbox for DL for the list. Dan On Nov 3, 2009, at 6:48 PM, "evilghost at packetmail.net" wrote: > I've tried to get this message through now four times, so this is my > final try, I've stripped the PCAP ASCII decodes. Now you'll just have > to take my word for it that these signatures match well and the > rationale behind their construction was valid. Matt, no idea why this > is happening. The message was also sent to you and Frank directly. > My > MTA logs show the messages being delivered to the list just fine. > > We are seeing an increase in the 'fake AV' style, here is the > secondary > check-in > with download. Note the initial HTTP HEAD. Based on the structure > of > the URL > I'm not sure that implementing a PCRE match would be valuable > outside of the > uricontent matching, except for POST. I also see tertiary activity > where there > is no HTTP HEAD, only a GET without the &pid string. This variant > does some > HOST file modifications, I believe get_product_domains.php is where > the seed > list for HOSTS comes from. Various User-Agents are used, some > reporting > as the > actual malware name itself (5a8fd). Since it's dynamic, not really > sig-able. 
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV check-in HEAD"; > flow:established,to_server; > content:"HEAD "; depth:5; uricontent:"?controller="; > uricontent:"&abbr="; > uricontent:"&setupType="; uricontent:"&ttl="; uricontent:"&pid="; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 > ; > sid:2009xxx; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV check-in GET"; > flow:established,to_server; > content:"GET "; depth:4; uricontent:"?controller="; > uricontent:"&abbr="; > uricontent:"&setupType="; uricontent:"&ttl="; classtype:trojan- > activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 > ; > sid:2009xxx; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV get_product_domains.php"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/reports/get_product_domains.php?abbr="; > uricontent:"&pid="; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 > ; > sid:2009xxx; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV Reporting via POST"; > flow:established,to_server; > content:"POST "; depth:5; content:"verint="; content:"&uid="; > content:"&wv="; > content:"&report="; content:"&abbr="; content:"&pid="; > pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za- > z0-9]+&pid=\d+/"; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 > ; > sid:2009xxx; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV User-Agent TALWinInetHTTPClient"; > flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 > 
(compatible\; TALWinInetHTTPClient)|0d 0a|"; classtype:trojan- > activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 > ; > sid:2009xxx; rev:1;) > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs From jonkman at jonkmans.com Tue Nov 3 19:06:32 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Tue, 03 Nov 2009 19:06:32 -0500 Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV In-Reply-To: <4AF0C10C.70105@packetmail.net> References: <4AF0C10C.70105@packetmail.net> Message-ID: <4AF0C588.4050908@jonkmans.com> Domains and url's in the ascii dumps were getting them spam filtered, sorry for that. Posting now, great sigs! Matt evilghost at packetmail.net wrote: > I've tried to get this message through now four times, so this is my > final try, I've stripped the PCAP ASCII decodes. Now you'll just have > to take my word for it that these signatures match well and the > rationale behind their construction was valid. Matt, no idea why this > is happening. The message was also sent to you and Frank directly. My > MTA logs show the messages being delivered to the list just fine. > > We are seeing an increase in the 'fake AV' style, here is the secondary > check-in > with download. Note the initial HTTP HEAD. Based on the structure of > the URL > I'm not sure that implementing a PCRE match would be valuable outside of the > uricontent matching, except for POST. I also see tertiary activity > where there > is no HTTP HEAD, only a GET without the &pid string. This variant does some > HOST file modifications, I believe get_product_domains.php is where the seed > list for HOSTS comes from. Various User-Agents are used, some reporting > as the > actual malware name itself (5a8fd). Since it's dynamic, not really > sig-able. 
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; > content:"HEAD "; depth:5; uricontent:"?controller="; uricontent:"&abbr="; > uricontent:"&setupType="; uricontent:"&ttl="; uricontent:"&pid="; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; > sid:2009xxx; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; > content:"GET "; depth:4; uricontent:"?controller="; uricontent:"&abbr="; > uricontent:"&setupType="; uricontent:"&ttl="; classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; > sid:2009xxx; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV get_product_domains.php"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/reports/get_product_domains.php?abbr="; uricontent:"&pid="; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; > sid:2009xxx; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV Reporting via POST"; > flow:established,to_server; > content:"POST "; depth:5; content:"verint="; content:"&uid="; > content:"&wv="; > content:"&report="; content:"&abbr="; content:"&pid="; > pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d+/"; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; > sid:2009xxx; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan > WindowsEnterpriseSuite FakeAV User-Agent TALWinInetHTTPClient"; > flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 > (compatible\; 
> TALWinInetHTTPClient)|0d 0a|"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From evilghost at packetmail.net Tue Nov 3 19:17:02 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 3 Nov 2009 18:17:02 -0600
Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV
In-Reply-To: <4675499962108141304@unknownmsgid>
References: <4AF0C10C.70105@packetmail.net> <4675499962108141304@unknownmsgid>
Message-ID: <4AF0C7FE.1010405@packetmail.net>

Absolutely, sending shortly, have to dig it up. Please feel free to share with the list. I would like a second eye on this as well to ensure that I approached the signature generation comprehensively.

Daniel Shepherd wrote:
> Wow, nice work on these sigs. I'd be interested in seeing the pcaps,
> not from a validation standpoint but for my own personal edification.
> If you're cool with sharing you can send them directly to my email and
> I'll put them up on my dropbox for DL for the list.
>
> Dan
>
> On Nov 3, 2009, at 6:48 PM, "evilghost at packetmail.net" wrote:
From evilghost at packetmail.net Tue Nov 3 19:28:44 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 3 Nov 2009 18:28:44 -0600
Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV
In-Reply-To: <4AF0C588.4050908@jonkmans.com>
References: <4AF0C10C.70105@packetmail.net> <4AF0C588.4050908@jonkmans.com>
Message-ID: <4AF0CABC.9010105@packetmail.net>

Thanks Matt.
Additional Signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/MicroinstallServiceReport.php"; content:"report="; content:"&pid="; content:"&wv="; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

13:20:48.745110 IP 192.168.35.21.1032 > 64.86.133.91.80: P 1:301(300) ack 1 win 65535
E..T.O@...O...#.@V.[...P...S..t.P.......POST /Reports/MicroinstallServiceReport.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: bad_domain_removed_by_evilghost_due_to_spamfilter
Content-Length: 42
Cache-Control: no-cache

report=000000000010000000000&pid=3&wv=wvXP

Matt Jonkman wrote:
> Domains and URLs in the ASCII dumps were getting them spam filtered,
> sorry for that.
>
> Posting now, great sigs!
>
> Matt
From evilghost at packetmail.net Tue Nov 3 20:30:06 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 3 Nov 2009 19:30:06 -0600
Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV
In-Reply-To: <4AF0CABC.9010105@packetmail.net>
References: <4AF0C10C.70105@packetmail.net> <4AF0C588.4050908@jonkmans.com> <4AF0CABC.9010105@packetmail.net>
Message-ID: <4AF0D91E.1010203@packetmail.net>

PCRE incorrect, please add + after [A-Za-z0-9].

Should be

pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]+/";

Sorry about that.

evilghost at packetmail.net wrote:
> Thanks Matt. Additional Signature:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/MicroinstallServiceReport.php"; content:"report="; content:"&pid="; content:"&wv="; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
>
> 13:20:48.745110 IP 192.168.35.21.1032 > 64.86.133.91.80: P 1:301(300) ack 1 win 65535
> E..T.O@...O...#.
> @V.[...P...S..t.P.......POST /Reports/MicroinstallServiceReport.php HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
> Host: bad_domain_removed_by_evilghost_due_to_spamfilter
> Content-Length: 42
> Cache-Control: no-cache
>
> report=000000000010000000000&pid=3&wv=wvXP
From randy at procyonlabs.com Tue Nov 3 23:42:14 2009
From: randy at procyonlabs.com (Randal T. Rioux)
Date: Tue, 03 Nov 2009 23:42:14 -0500
Subject: [Emerging-Sigs] Proposed Signature, ET Policy Windows 7
In-Reply-To: <4AEF4BF9.3070608@packetmail.net>
References: <4AEF4BF9.3070608@packetmail.net>
Message-ID: <4AF10626.8060608@procyonlabs.com>

evilghost at packetmail.net wrote:
> While not really a direct security concern, there are some organizations
> which strictly control version upgrades/permitted OSes on the network.
> I propose the below ET POLICY signature for Windows 7.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Microsoft Windows 7 User-Agent detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible\; "; nocase; content:"|3b 20|Windows NT 6.1|3b 20|"; distance:0; within:40; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.mspx; classtype:policy-violation; sid:2009xxxx; rev:1;)

This would catch a few instances, but the UA, as we all know, can be flakey. This type of string examination may benefit from PCRE (I don't say that often), just because one long-ass, well-written PCRE UA checker rule could cast a wider net.
I'll muck around with some tests this week.

Also, FYI, if you don't mind a poor color scheme and information overload, this is a fun site to browse: http://www.user-agents.org

Randy

From kevross33 at googlemail.com Wed Nov 4 05:47:42 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 4 Nov 2009 10:47:42 +0000
Subject: [Emerging-Sigs] SIG: Altiris AeXNSConsoleUtilities.dll ActiveX Function Call
Message-ID:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; classtype:attempted-user; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; sid:190000001; rev:1;)

Tested and working. Couldn't do the function one till today as I didn't know what it was until I got on an Altiris server to see what the function was. Either way this sig works fine.

Kev
From jonkman at jonkmans.com Wed Nov 4 06:41:03 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Nov 2009 06:41:03 -0500
Subject: [Emerging-Sigs] SIG: Altiris AeXNSConsoleUtilities.dll ActiveX Function Call
In-Reply-To:
References:
Message-ID: <4AF1684F.7090006@jonkmans.com>

Posted, thanks Kevin!

Matt

Kevin Ross wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; classtype:attempted-user; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; sid:190000001; rev:1;)
>
> Tested and working. Couldn't do the function one till today as I didn't
> know what it was until I got on an Altiris server to see what the
> function was. Either way this sig works fine.
>
> Kev

From jonkman at jonkmans.com Wed Nov 4 06:49:28 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Nov 2009 06:49:28 -0500
Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV
In-Reply-To: <4AF0D91E.1010203@packetmail.net>
References: <4AF0C10C.70105@packetmail.net> <4AF0C588.4050908@jonkmans.com> <4AF0CABC.9010105@packetmail.net> <4AF0D91E.1010203@packetmail.net>
Message-ID: <4AF16A48.1020605@jonkmans.com>

Done and posted, thanks!

Matt

evilghost at packetmail.net wrote:
> PCRE incorrect, please add + after [A-Za-z0-9].
>
> Should be
>
> pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]+/";
>
> Sorry about that.
From jonkman at jonkmans.com Wed Nov 4 07:42:12 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Nov 2009 07:42:12 -0500
Subject: [Emerging-Sigs] antispam sids
In-Reply-To: <4AF053C8.8030507@windstream.net>
References: <20091029073800.3c9zzfyrk0owsogo@mail.afferentsecurity.com> <4AE99397.3030805@jonkmans.com> <4AEB80B9.8000808@mare-system.de> <4AEBA5C8.4050905@windstream.net> <4AEBA763.9040109@packetmail.net> <4AF03C90.8080104@jonkmans.com> <4AF053C8.8030507@windstream.net>
Message-ID: <4AF176A4.2010206@jonkmans.com>

I like that. I hesitate to make another ruleset, but a new subclass for easy modification would do. That work for all?

Matt

waldo kitty wrote:
> Matt Jonkman wrote:
>> 1. What's a codpiece and why would you punch it?
>>
>> 2. I agree.
>> And speaking to all the comments on this thread:
>>
>> The spam sigs are really only good if you're blocking. If you don't or
>> can't block they'll just be noise.
>>
>> I totally agree with greylisting (45 sec delay style). Drops a large
>> portion of the crap. But blocking, that drops even more.
>
> i agree on the live blocking... it is what i do and what the app i maintain does :)
>
>> I don't exactly know how to solve the balance issue. As many need these
>> as there are that can't act upon the information, so it's just noise.
>>
>> Thoughts?
>
> stuff these into another file group that can be easily turned on and off (used
> or not) in the conf file... if there are some in that group that are needed and
> others that are not, oinkmaster can disable a list of those... just make sure to
> fix up the "ET CLASS" starting portion of the alert text ;)

From jonkman at jonkmans.com Wed Nov 4 07:47:18 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Nov 2009 07:47:18 -0500
Subject: [Emerging-Sigs] 2008450 "Buzus.lyz Connect to CnC" -> Donbot?
In-Reply-To: <839aec700910281433u5dc63c3cp654f5c9f5c36f772@mail.gmail.com>
References: <839aec700910281433u5dc63c3cp654f5c9f5c36f772@mail.gmail.com>
Message-ID: <4AF177D6.3000903@jonkmans.com>

Updated and moved, thanks Darren!
Darren Spruell wrote:
> Interested to know if 2008450 is exclusive to Donbot:
>
> http://blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html
> http://www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Buzus.lyz Connect to CnC"; flow:established,to_server; dsize:7; content:"HALLO|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2008450; rev:2;)
>
> Initial packet from the report is the "HALLO\r\n" string, which this
> would seem to be a firm hit on.
>
> Minor rule mod, candidate revision:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Donbot Connect to CnC"; flow:established,to_server; dsize:7; content:"HALLO|0d 0a|"; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; reference:url,doc.emergingthreats.net/2008450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Donbot; sid:2008450; rev:3;)

From kevross33 at googlemail.com Wed Nov 4 07:51:55 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 4 Nov 2009 12:51:55 +0000
Subject: [Emerging-Sigs] .so rules sid-msg.map equivalent?
Message-ID:

Hi,

I use .so rules on my sensors. I got some alerts from it though with a GID 3 that barnyard had written to the database.
However, it was referenced into a name and just had the SID, because there is no sid-msg.map type thing for GID 3 .so rules. Anyone know how, with .so rules, you get it to write the proper rule message like with GID 1 Snort rules in barnyard?

Thanks

From mguiterman at sourcefire.com Wed Nov 4 10:52:31 2009
From: mguiterman at sourcefire.com (Mike Guiterman)
Date: Wed, 4 Nov 2009 10:52:31 -0500
Subject: [Emerging-Sigs] .so rules sid-msg.map equivalent?
In-Reply-To:
References:
Message-ID: <9ff4f37d0911040752p50795ec0n9a859fb634104a83@mail.gmail.com>

VRT rules don't ship with a sid-msg.map for .so rules. The VRT advises that you should always build your own sid-msg.map for rules, since you'll need to include your own rules anyway. Dump the .rules files from the shared object rules you're using and build your own sid-msg.map. I believe pulledpork creates one and I know that oinkmaster has a sid-msg.map generator shipped with it.

Mike

On Wed, Nov 4, 2009 at 7:51 AM, Kevin Ross wrote:
> Hi,
>
> I use .so rules on my sensors. I got some alerts from it though with a GID
> 3 that barnyard had written to the database. However, it was referenced into
> a name and just had the SID, because there is no sid-msg.map type thing for
> GID 3 .so rules. Anyone know how, with .so rules, you get it to write the
> proper rule message like with GID 1 Snort rules in barnyard?
>
> Thanks
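Mike's advice is to dump the stub .rules files and build the sid-msg.map yourself, and the FakeAV thread above turned on getting a pcre exactly right. The script below is an added example, not ET, oinkmaster or pulledpork code: it splits rule options using Snort's quoting rules (so a missing closing quote is an error rather than a silently truncated rule), emits sid-msg.map lines, and compiles each pcre with two lint checks, exercised against the captured POST body and a request carrying the Wefa7e User-Agent from this thread. The two rule lines, the FakeAV sid 2009001 and the host name are constructed placeholders.

```python
"""Snort rule parser: sid-msg.map lines plus pcre lint (added example, not ET or oinkmaster code)."""
import re
from typing import Any, Dict, List, Tuple

# Constructed .rules content retyped from rules quoted in this thread. 2008450 is
# Darren's Donbot rule; 2009001 is a placeholder sid for the FakeAV POST rule
# (the thread's "2009xxx" is not a usable sid).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Donbot Connect to CnC"; flow:established,to_server; dsize:7; content:"HALLO|0d 0a|"; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; reference:url,doc.emergingthreats.net/2008450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Donbot; sid:2008450; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/MicroinstallServiceReport.php"; content:"report="; content:"&pid="; content:"&wv="; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]+/"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009001; rev:1;)
'''
# Constructed payloads: the POST body from the capture quoted in this thread and
# a request carrying one of the dynamic User-Agents (Wefa7e) reported in it.
POST_BODY = b"report=000000000010000000000&pid=3&wv=wvXP"
UA_REQUEST = b"GET /x HTTP/1.1\r\nUser-Agent: Wefa7e\r\nHost: placeholder.invalid\r\n\r\n"


class RuleError(ValueError):
    """A rule line Snort would reject."""


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the text inside a rule's parentheses into (keyword, value) pairs.

    ';' ends an option only outside double quotes; inside them Snort requires
    '\\;' and '\\"', so a backslash escapes the next character.
    """
    opts, buf = [], []
    in_quote = escaped = False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip().strip('"')))
            buf = []
            continue
        buf.append(ch)
    if in_quote or "".join(buf).strip():
        raise RuleError("unterminated quote or option without trailing ';'")
    return opts


def parse_rule(line: str) -> Dict[str, Any]:
    """Header and options of one rule; 'references' and 'pcre' collect repeats."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        raise RuleError("rule has no option block")
    rule: Dict[str, Any] = {"header": line[:start].strip(), "references": [], "pcre": []}
    for key, val in split_options(line[start + 1:end]):
        if key == "reference":
            rule["references"].append(val)
        elif key == "pcre":
            rule["pcre"].append(val)
        else:
            rule[key] = val  # repeated keywords such as content keep the last value
    return rule


def sid_msg_map(rules_text: str) -> List[str]:
    """'sid || msg || ref || ...' lines (the sid-msg.map format barnyard reads)
    for every rule in a .rules dump, sorted by sid."""
    entries = []
    for raw in (l.strip() for l in rules_text.splitlines()):
        if raw and not raw.startswith("#"):
            r = parse_rule(raw)
            entries.append((int(r["sid"]), " || ".join([r["sid"], r["msg"], *r["references"]])))
    return [line for _, line in sorted(entries)]


# PCRE flags Python knows, plus Snort modifiers (R relative, U uri, P body,
# H header, B raw, ...) that are accepted here but have no Python equivalent.
PY_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
SNORT_ONLY = set("AEGRUIPHDMCKSYBO")


def compile_pcre(option: str) -> Tuple[Any, List[str]]:
    """Compile a Snort pcre value ('/pattern/flags') and return lint warnings too."""
    if len(option) < 2 or option[0] != "/" or "/" not in option[1:]:
        raise RuleError(f"malformed pcre: {option}")
    pattern, _, flags = option[1:].rpartition("/")
    py_flags = 0
    for f in flags:
        if f in PY_FLAGS:
            py_flags |= PY_FLAGS[f]
        elif f not in SNORT_ONLY:
            raise RuleError(f"unknown pcre modifier {f!r} in {option}")
    warnings = []
    # Without /m (or /R, a relative match) '^' is the start of the whole payload,
    # which on an HTTP request is the method line, never a header.
    if pattern.startswith("^") and not {"m", "R"} & set(flags):
        warnings.append("'^' without /m or /R anchors to the payload start")
    # '$' matches before '\n' only, so a CRLF-terminated header line needs \r?
    if pattern.endswith("$") and not pattern.endswith(("\\$", "\\r?$", "\\r$")):
        warnings.append("'$' does not match before CRLF; use \\r?$ or \\r\\n")
    return re.compile(pattern.encode(), py_flags), warnings


def pcre_hits(option: str, payload: bytes) -> bool:
    """True if the Snort pcre option matches anywhere in the payload."""
    return compile_pcre(option)[0].search(payload) is not None
```

Running `sid_msg_map(SAMPLE_RULES)` yields the two map lines; `pcre_hits("/^User-Agent: We[a-z0-9]{4}$/", UA_REQUEST)` is False until the pattern is given `/m` and a `\r?` before `$`.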
From evilghost at packetmail.net Wed Nov 4 10:54:24 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Wed, 4 Nov 2009 09:54:24 -0600
Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV
In-Reply-To: <4AF16A48.1020605@jonkmans.com>
References: <4AF0C10C.70105@packetmail.net> <4AF0C588.4050908@jonkmans.com> <4AF0CABC.9010105@packetmail.net> <4AF0D91E.1010203@packetmail.net> <4AF16A48.1020605@jonkmans.com>
Message-ID: <4AF1A3B0.2050806@packetmail.net>

I have a PCAP from a secondary system from this malware and I believe I can successfully sig the dynamic user agent detected/used during C&C activity as well as an additional user-agent used/detected. Seeing Wefa7e and Wee6a3.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; TALWinHttpClient)|0d 0a|"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: We"; isdataat:6,relative; content:"|0d 0a|"; distance:0; pcre:"/^User-Agent: We[a-z0-9]{4}$/"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

-evilghost

Matt Jonkman wrote:
> Done and posted, thanks!
>
> Matt
>
> evilghost at packetmail.net wrote:
>
>> PCRE incorrect, please add + after [A-Za-z0-9].
>>
>> Should be
>>
>> pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]+/";
>>
>> Sorry about that.
>>
>> evilghost at packetmail.net wrote:
>>
>>> Thanks Matt. Additional Signature:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan
>>> WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in";
>>> flow:established,to_server;
>>> content:"POST "; depth:5; uricontent:"/MicroinstallServiceReport.php";
>>> content:"report="; content:"&pid=";
>>> content:"&wv=";
>>> pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/";
>>> classtype:trojan-activity;
>>> reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387;
>>> sid:2009xxx; rev:1;)
>>>
>>> 13:20:48.745110 IP 192.168.35.21.1032 > 64.86.133.91.80: P 1:301(300)
>>> ack 1 win 65535
>>> E..T.O at ...O...#. at V.[...P...S..t.P.......POST
>>> /Reports/MicroinstallServiceReport.php HTTP/1.1
>>> Content-Type: application/x-www-form-urlencoded
>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR
>>> 1.0.2914)
>>> Host: bad_domain_removed_by_evilghost_due_to_spamfilter
>>> Content-Length: 42
>>> Cache-Control: no-cache
>>>
>>> report=000000000010000000000&pid=3&wv=wvXP
>>>
>>> Matt Jonkman wrote:
>>>
>>>> Domains and url's in the ascii dumps were getting them spam filtered,
>>>> sorry for that.
>>>>
>>>> Posting now, great sigs!
>>>>
>>>> Matt
>>>>
>>>> evilghost at packetmail.net wrote:
>>>>
>>>>> I've tried to get this message through now four times, so this is my
>>>>> final try, I've stripped the PCAP ASCII decodes. Now you'll just have
>>>>> to take my word for it that these signatures match well and the
>>>>> rationale behind their construction was valid. Matt, no idea why this
>>>>> is happening. The message was also sent to you and Frank directly. My
>>>>> MTA logs show the messages being delivered to the list just fine.
>>>>>
>>>>> We are seeing an increase in the 'fake AV' style, here is the secondary
>>>>> check-in with download. Note the initial HTTP HEAD. Based on the structure of
>>>>> the URL I'm not sure that implementing a PCRE match would be valuable outside of the
>>>>> uricontent matching, except for POST. I also see tertiary activity
>>>>> where there is no HTTP HEAD, only a GET without the &pid string. This variant does some
>>>>> HOST file modifications, I believe get_product_domains.php is where the seed
>>>>> list for HOSTS comes from. Various User-Agents are used, some reporting
>>>>> as the actual malware name itself (5a8fd). Since it's dynamic, not really
>>>>> sig-able.
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan
>>>>> WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server;
>>>>> content:"HEAD "; depth:5; uricontent:"?controller="; uricontent:"&abbr=";
>>>>> uricontent:"&setupType="; uricontent:"&ttl="; uricontent:"&pid=";
>>>>> classtype:trojan-activity;
>>>>> reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387;
>>>>> sid:2009xxx; rev:1;)
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan
>>>>> WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server;
>>>>> content:"GET "; depth:4; uricontent:"?controller="; uricontent:"&abbr=";
>>>>> uricontent:"&setupType="; uricontent:"&ttl="; classtype:trojan-activity;
>>>>> reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387;
>>>>> sid:2009xxx; rev:1;)
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan
>>>>> WindowsEnterpriseSuite FakeAV get_product_domains.php";
>>>>> flow:established,to_server; content:"GET "; depth:4;
>>>>> uricontent:"/reports/get_product_domains.php?abbr="; uricontent:"&pid=";
>>>>> classtype:trojan-activity;
>>>>> reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387;
>>>>> sid:2009xxx; rev:1;)
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan
>>>>> WindowsEnterpriseSuite FakeAV Reporting via POST";
>>>>> flow:established,to_server;
>>>>> content:"POST "; depth:5; content:"verint="; content:"&uid=";
>>>>> content:"&wv=";
>>>>> content:"&report="; content:"&abbr="; content:"&pid=";
>>>>> pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d+/";
>>>>> classtype:trojan-activity;
>>>>> reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387;
>>>>> sid:2009xxx; rev:1;)
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan
>>>>> WindowsEnterpriseSuite FakeAV User-Agent TALWinInetHTTPClient";
>>>>> flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0
>>>>> (compatible\; TALWinInetHTTPClient)|0d 0a|"; classtype:trojan-activity;
>>>>> reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387;
>>>>> sid:2009xxx; rev:1;)
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at emergingthreats.net
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>

From kevross33 at googlemail.com Wed Nov 4 11:10:51 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 4 Nov 2009 16:10:51 +0000
Subject: [Emerging-Sigs] .so rules sid-msg.map equivalent?
In-Reply-To: <9ff4f37d0911040752p50795ec0n9a859fb634104a83@mail.gmail.com>
References: <9ff4f37d0911040752p50795ec0n9a859fb634104a83@mail.gmail.com>
Message-ID:

hmmm, yeah I looked at pulledpork briefly but I couldn't see the equivalent to using enablesid or modifysid (which I do use for a few of the rules). I probably will look at it more extensively now I have been using .so rule files. I got my first alert from a gid 3 rule the other day and I had to look up the SID. For the disable and enable it should just be an easy edit of the sids in my oinkmaster.conf file.

Thanks

2009/11/4 Mike Guiterman
> VRT rules don't ship with sid-msg map for so rules. The VRT advises that
> you should always build your own sid-msg.map for rules since you'll need to
> include your own rules anyway. Dump the .rules files from the shared object
> rules you're using and build your own sid-msg.map.
>
> I believe pulledpork creates one and I know that oinkmaster has a
> sid-msg.map generator shipped with it.
>
> Mike
>
> On Wed, Nov 4, 2009 at 7:51 AM, Kevin Ross wrote:
>
>> Hi,
>>
>> I use .so rules on my sensors. I got some alerts from it though with a GID
>> 3 that barnyard had written to the database. However, it was referenced into
>> a name and just had the SID because there is no sid-msg.map type thing for
>> GID 3 .so rules. Anyone know how with .so rules you get it to write the
>> proper rule message like with GID 1 snort rules in barnyard?
>>
>> Thanks
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
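The FakeAV thread above turned on a PCRE detail (the missing `+` in the POST check-in regex), and the dynamic User-Agent rule carries a second one worth catching before a rule ships: `^` and `$` in a Snort pcre anchor to the start and end of the payload buffer unless the `m` modifier is set, so a pattern that passes when tested against the bare header line never fires on a real request. The following Python harness, an added example and not code from the thread or from Emerging Threats, runs the posted patterns and two candidate replacements against constructed samples built from values quoted in the thread (the POST body, the Wefa7e and Wee6a3 agents, the get_product_domains.php path); the Host value, the abbr value, the "Weasel" agent and the hex tightening are my assumptions.

```python
"""Check proposed Snort PCREs against constructed sample traffic.

Added example, not code from the thread or from Emerging Threats.  Python's
re module agrees with PCRE on the constructs used here (anchors, digit and
repetition classes), so it is enough to show how each pattern behaves on a
whole HTTP payload rather than on a bare header.  Samples are constructed
from values quoted in the thread; the Host value is a placeholder.
"""
import re
from typing import Dict

# Constructed check-in, modelled on the dump quoted in the thread.
POST_CHECKIN = (
    b"POST /Reports/MicroinstallServiceReport.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 42\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"report=000000000010000000000&pid=3&wv=wvXP"
)


def request_with_ua(ua: bytes) -> bytes:
    """Constructed GET carrying the User-Agent under test (abbr value assumed)."""
    return (b"GET /reports/get_product_domains.php?abbr=x&pid=3 HTTP/1.1\r\n"
            b"User-Agent: " + ua + b"\r\n"
            b"Host: example.invalid\r\n\r\n")


# Patterns as posted, plus the forms this check argues for.
PCRE_POST_ORIGINAL = rb"report=\d+&pid=\d+&wv=[A-Za-z0-9]"
PCRE_POST_FIXED = rb"report=\d+&pid=\d+&wv=[A-Za-z0-9]+"
# ^ and $ bind to the start and end of the whole payload (no /m), so this
# can only match when the User-Agent line is the entire buffer.
PCRE_UA_POSTED = rb"^User-Agent: We[a-z0-9]{4}$"
# Delimiting by the header CRLFs works on the full request; even with /m,
# $ would sit before the \n and the \r would still need matching explicitly.
PCRE_UA_CRLF = rb"\r\nUser-Agent: We[a-z0-9]{4}\r\n"
# Assumption, not from the thread: both observed suffixes (fa7e, e6a3) are
# hex, so a hex class rejects ordinary words that happen to start with "We".
PCRE_UA_HEX = rb"\r\nUser-Agent: We[0-9a-f]{4}\r\n"


def matches(pattern: bytes, payload: bytes) -> bool:
    """True when the PCRE-style pattern fires somewhere in the payload."""
    return re.search(pattern, payload) is not None


def evaluate() -> Dict[str, bool]:
    """Run every pattern against the sample traffic; key -> did it fire."""
    msie = b"Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
    return {
        "post_original": matches(PCRE_POST_ORIGINAL, POST_CHECKIN),
        "post_fixed": matches(PCRE_POST_FIXED, POST_CHECKIN),
        # The posted UA regex passes a header-only unit test...
        "ua_posted_bare_header": matches(PCRE_UA_POSTED, b"User-Agent: Wefa7e"),
        # ...but never fires on the request the sensor actually inspects.
        "ua_posted_full_request": matches(PCRE_UA_POSTED, request_with_ua(b"Wefa7e")),
        "ua_crlf_Wefa7e": matches(PCRE_UA_CRLF, request_with_ua(b"Wefa7e")),
        "ua_crlf_Wee6a3": matches(PCRE_UA_CRLF, request_with_ua(b"Wee6a3")),
        "ua_crlf_msie": matches(PCRE_UA_CRLF, request_with_ua(msie)),
        # Constructed word-like agent: the loose class accepts it, the hex class does not.
        "ua_crlf_Weasel": matches(PCRE_UA_CRLF, request_with_ua(b"Weasel")),
        "ua_hex_Weasel": matches(PCRE_UA_HEX, request_with_ua(b"Weasel")),
        "ua_hex_Wefa7e": matches(PCRE_UA_HEX, request_with_ua(b"Wefa7e")),
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:24s} {'MATCH' if fired else 'no match'}")
```

The CRLF-delimited form mirrors what the rule's own content matches already pin down, so the pcre then only has to enforce the four-character suffix; if more samples confirm the suffix is always hex, the tighter class keeps word-like agents from firing the rule.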
From evilghost at packetmail.net Wed Nov 4 14:39:05 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Wed, 4 Nov 2009 13:39:05 -0600
Subject: [Emerging-Sigs] Sigs/SVN Commits
Message-ID: <4AF1D859.4020701@packetmail.net>

I'm not seeing the new rules committed today showing up in http://www.emergingthreats.net/rules/. It used to be instant after you ran an SVN commit AFAIK. Are these now daily batched? For example, I used to update multiple times per day, sometimes immediately after a rule was committed from the list. Has something changed or am I imagining this?

Thanks

From evilghost at packetmail.net Wed Nov 4 15:10:08 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Wed, 4 Nov 2009 14:10:08 -0600
Subject: [Emerging-Sigs] Proposed Signature, Eleonore Exploit Pack C&C Activity
Message-ID: <4AF1DFA0.8010209@packetmail.net>

Proposed signature derived from information on http://www.offensivecomputing.net/?q=node/1419

The papa*.cn URL is still active, check-in returns this information:

http://*.cn/myl/bb.php?id=199826733&v=200&tm=2&b=01&tid=3&r=1
[info]kill:0|delay:60|upd:1|backurls:http://*.cn/myl/bb.php[/info]

This one is currently covered under SID 2009776

I'd like to also add detection for the URI
?spl=2&br=MSIE&vers=7.0&s=ec445bc5411c202a8361c7db463e84b4

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan Eleonore Exploit Pack activity"; flow:established,to_server; uricontent:"?spl="; uricontent:"&br="; uricontent:"&vers="; uricontent:"&s="; pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U"; classtype:trojan-activity; reference:url,www.offensivecomputing.net/?q=node/1419; sid:2009xxx; rev:1;)

From emerging at emergingthreats.net Wed Nov 4 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 4 Nov 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091104210012.B2F944502E@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Nov 4 16:00:12 2009 [***]

[///] Modified active rules: [///]

2008127 - ET WEB_CLIENT ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods (emerging-web_client.rules)
2009702 - ET POLICY DNS Update From External net (emerging-policy.rules)
2010148 - ET CURRENT_EVENTS DHL Spam Inbound (emerging-current_events.rules)
2010166 - ET CURRENT_EVENTS Facebook Spam Inbound (emerging-current_events.rules)
2010202 - ET WEB_CLIENT Possible Google Chrome chrome //history/ URI Cross-Site Scripting Attempt (emerging-web_client.rules)
2010215 - ET SCAN SQL Injection Attempt (Agent uil2pn) (emerging-scan.rules)
2010227 - ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt (emerging-web_client.rules)
2010229 - ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt (emerging-web_server.rules)
2010230 - ET TROJAN W32.Koblu (emerging-virus.rules)
2010231 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010232 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010233 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010234 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010235 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010236 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010237 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010238 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010239 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)

[///] Modified inactive rules: [///]

2010228 - ET POLICY Microsoft Windows 7 User-Agent detected (emerging-policy.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (152):
2008127 || ET WEB_CLIENT ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Data_Dynamics || url,doc.emergingthreats.net/2008127 || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959
2009702 || ET POLICY DNS Update From External net || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Bind || url,doc.emergingthreats.net/2009702
2010202 || ET WEB_CLIENT Possible Google Chrome chrome //history/ URI Cross-Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Google || url,doc.emergingthreats.net/2010202 || url,www.securityfocus.com/archive/1/505303 || url,www.securityfocus.com/bid/35841/info
2010227 || ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010227 || cve,2009-3031 || url,sotiriu.de/adv/NSOADV-2009-001.txt || url,www.securityfocus.com/bid/36698/info || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00
2010228 || ET POLICY Microsoft Windows 7 User-Agent detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_7 || url,doc.emergingthreats.net/2010228 || url,www.microsoft.com/windows/windows-7/default.aspx
2010229 || ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cherokee || url,doc.emergingthreats.net/2010229 || url,www.securityfocus.com/archive/1/507456 || url,www.securityfocus.com/bid/36814/info || url,securitytracker.com/alerts/2009/Oct/1023095.html
2010230 || ET TROJAN W32.Koblu || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koblu || url,doc.emergingthreats.net/2010230
2010231 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010231 || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,vil.nai.com/vil/content/v_157489.htm || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010232 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010232 || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010233 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010233 || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010234 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010234 || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010235 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010235 || url,vil.nai.com/vil/content/v_157489.htm || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010236 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010236 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010237 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010237 || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010238 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010238 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2010239 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010239 || url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T
2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING
(256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (152): 2008127 || ET WEB_CLIENT ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Data_Dynamics || url,doc.emergingthreats.net/2008127 || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959 2009702 || ET POLICY DNS Update From External net || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Bind || url,doc.emergingthreats.net/2009702 2010202 || ET WEB_CLIENT Possible Google Chrome chrome //history/ URI Cross-Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Google || url,doc.emergingthreats.net/2010202 || url,www.securityfocus.com/archive/1/505303 || url,www.securityfocus.com/bid/35841/info 2010227 || ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010227 || cve,2009-3031 || url,sotiriu.de/adv/NSOADV-2009-001.txt || 
url,www.securityfocus.com/bid/36698/info || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00 2010228 || ET POLICY Microsoft Windows 7 User-Agent detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_7 || url,doc.emergingthreats.net/2010228 || url,www.microsoft.com/windows/windows-7/default.aspx 2010229 || ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cherokee || url,doc.emergingthreats.net/2010229 || url,www.securityfocus.com/archive/1/507456 || url,www.securityfocus.com/bid/36814/info || url,securitytracker.com/alerts/2009/Oct/1023095.html 2010230 || ET TROJAN W32.Koblu || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Koblu || url,doc.emergingthreats.net/2010230 2010231 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010231 || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,vil.nai.com/vil/content/v_157489.htm || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2010232 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010232 || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || 
url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2010233 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010233 || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2010234 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010234 || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2010235 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010235 || url,vil.nai.com/vil/content/v_157489.htm || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2010236 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010236 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2010237 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010237 || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2010238 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010238 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2010239 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts || url,doc.emergingthreats.net/2010239 || url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T 2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500479 || ET COMPROMISED Known Compromised or Hostile 
Host Traffic UDP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (247) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510481 || ET COMPROMISED Known Compromised 
or Hostile Host Traffic UDP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - 
BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || 
From frank at knobbe.us Wed Nov 4 16:03:38 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 04 Nov 2009 15:03:38 -0600
Subject: [Emerging-Sigs] Sigs/SVN Commits
In-Reply-To: <4AF1D859.4020701@packetmail.net>
References: <4AF1D859.4020701@packetmail.net>
Message-ID: <1257368618.53015.60.camel@localhost>

On Wed, 2009-11-04 at 13:39 -0600, evilghost at packetmail.net wrote:
> I'm not seeing the new rules committed today showing up in
> http://www.emergingthreats.net/rules/. It used to be instant after you
> ran an SVN commit AFAIK. Are these now daily batched? For example, I
> used to update multiple times per day, sometimes immediately after a
> rule was committed from the list.
>
> Has something changed or am I imagining this? Thanks

I think you're imagining things. .... We're using CVS ;)

I'll check on it. There is a script that runs every 15 min or so and rolls new rule files. It's possible that something is broken. I ran it by hand last night and noticed an oddity that I emailed Matt about. He will check it out when he gets back from the beach.
:)

-Frank

From frank at knobbe.us Wed Nov 4 16:10:50 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 04 Nov 2009 15:10:50 -0600
Subject: [Emerging-Sigs] Sigs/SVN Commits
In-Reply-To: <4AF1D859.4020701@packetmail.net>
References: <4AF1D859.4020701@packetmail.net>
Message-ID: <1257369050.53015.63.camel@localhost>

On Wed, 2009-11-04 at 13:39 -0600, evilghost at packetmail.net wrote:
> I'm not seeing the new rules committed today showing up in
> http://www.emergingthreats.net/rules/. It used to be instant after you
> ran an SVN commit AFAIK. Are these now daily batched? For example, I
> used to update multiple times per day, sometimes immediately after a
> rule was committed from the list.

I checked my fetch dir and also the above link for a few of the recent SIDs (like Opachki). Looks to be all there. What SID are you missing?

-Frank

From kevross33 at googlemail.com Wed Nov 4 17:16:05 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 4 Nov 2009 22:16:05 +0000
Subject: [Emerging-Sigs] Sigs/SVN Commits
In-Reply-To: <1257369050.53015.63.camel@localhost>
References: <4AF1D859.4020701@packetmail.net> <1257369050.53015.63.camel@localhost>

I am missing some too.
For instance earlier a sig for an Altiris function call was submitted that isn't coming down when I pull it (there should be 4 sigs in total for Altiris in emerging-web_client.rules after today but there are only the 3 existing ones although it had been submitted; it is also missing from the daily changes update email).

2009/11/4 Frank Knobbe
> On Wed, 2009-11-04 at 13:39 -0600, evilghost at packetmail.net wrote:
> > I'm not seeing the new rules committed today showing up in
> > http://www.emergingthreats.net/rules/. It used to be instant after you
> > ran an SVN commit AFAIK. Are these now daily batched? For example, I
> > used to update multiple times per day, sometimes immediately after a
> > rule was committed from the list.
>
> I checked my fetch dir and also above link for a few of the recent SID
> (like Opachki). Looks to be all there. What SID are you missing?
>
> -Frank

From phatbuckett at gmail.com Wed Nov 4 18:57:13 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 4 Nov 2009 16:57:13 -0700
Subject: [Emerging-Sigs] Sigs/SVN Commits
References: <4AF1D859.4020701@packetmail.net> <1257369050.53015.63.camel@localhost>
Message-ID: <839aec700911041557u58cfd0efra85f996dd4ed9ec0@mail.gmail.com>

Also the Donbot rule update mentioned in "2008450 "Buzus.lyz Connect to CnC" -> Donbot?" is not in on an oinkmaster update. Unsure if this should be showing up yet, so...

DS

On Wed, Nov 4, 2009 at 3:16 PM, Kevin Ross wrote:
> I am missing some too.
> For instance earlier a sig for an Altiris function
> call was submitted that isn't coming down when I pull it (there should be 4
> sigs in total for Altiris in emerging-web_client.rules after today but there
> is only the 3 existing ones although it had been submitted, it is also
> missing from the daily changes update email).
>
> 2009/11/4 Frank Knobbe
>>
>> On Wed, 2009-11-04 at 13:39 -0600, evilghost at packetmail.net wrote:
>> > I'm not seeing the new rules committed today showing up in
>> > http://www.emergingthreats.net/rules/. It used to be instant after you
>> > ran an SVN commit AFAIK. Are these now daily batched? For example, I
>> > used to update multiple times per day, sometimes immediately after a
>> > rule was committed from the list.
>>
>> I checked my fetch dir and also above link for a few of the recent SID
>> (like Opachki). Looks to be all there. What SID are you missing?
>>
>> -Frank

--
Darren Spruell
phatbuckett at gmail.com

From frank at knobbe.us Wed Nov 4 18:58:49 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 04 Nov 2009 17:58:49 -0600
Subject: [Emerging-Sigs] Sigs/SVN Commits
In-Reply-To: <839aec700911041557u58cfd0efra85f996dd4ed9ec0@mail.gmail.com>
References: <4AF1D859.4020701@packetmail.net> <1257369050.53015.63.camel@localhost> <839aec700911041557u58cfd0efra85f996dd4ed9ec0@mail.gmail.com>
Message-ID: <1257379129.53015.75.camel@localhost>

On Wed, 2009-11-04 at 16:57 -0700, Darren Spruell wrote:
> Also Donbot rule update mentioned in "2008450 "Buzus.lyz Connect to
> CnC" -> Donbot?" not in on an oinkmaster update.
> Unsure if this should
> be showing up yet, so...

Matt just committed the changes he made earlier to his local copy. Should be in the rules now.

-Frank

From evilghost at packetmail.net Wed Nov 4 19:16:29 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Wed, 4 Nov 2009 18:16:29 -0600
Subject: [Emerging-Sigs] Sigs/SVN Commits
In-Reply-To: <1257379129.53015.75.camel@localhost>
References: <4AF1D859.4020701@packetmail.net> <1257369050.53015.63.camel@localhost> <839aec700911041557u58cfd0efra85f996dd4ed9ec0@mail.gmail.com>, <1257379129.53015.75.camel@localhost>
Message-ID: <0268d27deede582479fea11a966a4006@www.packetmail.net>

Matt should not be allowed to take a vacation ;)

On Wed, 04 Nov 2009 17:58:49 -0600 Frank Knobbe wrote
> On Wed, 2009-11-04 at 16:57 -0700, Darren Spruell wrote:
> > Also Donbot rule update mentioned in "2008450 "Buzus.lyz Connect to
> > CnC" -> Donbot?" not in on an oinkmaster update. Unsure if this should
> > be showing up yet, so...
>
> Matt just committed the changes he made earlier to his local copy.
> Should be in the rules now.
>
> -Frank

From r.fulton at auckland.ac.nz Wed Nov 4 19:17:59 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Thu, 5 Nov 2009 13:17:59 +1300
Subject: [Emerging-Sigs] flowbit version of ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement

I would remove the threshold for this rule. I am not seeing anything like this rate here. If we are worried about the volume of alerts then make it count 1, seconds 60. I have never seen more than one connection a minute....

Another thing, we now have two sets of rules with the same message which I find confusing.
I have to drill right down to get the sid....

/home/snort/Rules/rules/emerging-virus.rules:alert udp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement"; dsize:8; content:"|40|"; depth:1; classtype:trojan-activity; flowbits:isset,ET.MariposaJoin; threshold: type limit, count 5, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2010226 ; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa ; sid:2010226; rev:3;)

From jonkman at jonkmans.com Wed Nov 4 19:29:11 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Nov 2009 19:29:11 -0500
Subject: [Emerging-Sigs] Sigs/SVN Commits
In-Reply-To: <0268d27deede582479fea11a966a4006@www.packetmail.net>
References: <4AF1D859.4020701@packetmail.net> <1257369050.53015.63.camel@localhost> <839aec700911041557u58cfd0efra85f996dd4ed9ec0@mail.gmail.com>, <1257379129.53015.75.camel@localhost> <0268d27deede582479fea11a966a4006@www.packetmail.net>
Message-ID: <4AF21C57.1010207@jonkmans.com>

I'm always on vacation... Living the dream! :)

Matt

evilghost at packetmail.net wrote:
> Matt should not be allowed to take a vacation ;)
>
> On Wed, 04 Nov 2009 17:58:49 -0600 Frank Knobbe wrote
>
>> On Wed, 2009-11-04 at 16:57 -0700, Darren Spruell wrote:
>>> Also Donbot rule update mentioned in "2008450 "Buzus.lyz Connect to
>>> CnC" -> Donbot?" not in on an oinkmaster update. Unsure if this should
>>> be showing up yet, so...
>> Matt just committed the changes he made earlier to his local copy.
>> Should be in the rules now.
>>
>> -Frank

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From r.fulton at auckland.ac.nz Wed Nov 4 19:41:58 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Thu, 5 Nov 2009 13:41:58 +1300
Subject: [Emerging-Sigs] flowbit version of ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement
Message-ID: <82C9F2B8-78D2-4C68-83C2-72CF7C43C790@auckland.ac.nz>

Yeah, I know, bad form replying to one's self :-P

On 5/11/2009, at 1:17 PM, Russell Fulton wrote:
> I would remove the threshold for this rule. I am not seeing anything
> like this rate here. If we are worried about the volume of alerts then
> make it count 1, seconds 60. I have never seen more than one
> connection a minute....
>
> Another thing, we now have two sets of rules with the same message
> which I find confusing. I have to drill right down to get the sid....
>
> /home/snort/Rules/rules/emerging-virus.rules:alert udp $EXTERNAL_NET
> 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Palevo/BFBot/Mariposa server
> join acknowledgement"; dsize:8; content:"|40|"; depth:1;
> classtype:trojan-activity; flowbits:isset,ET.MariposaJoin; threshold:
> type limit, count 5, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2010226
> ; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa
> ; sid:2010226; rev:3;)

Here is the typical alert pattern we are seeing (original sigs):

2009-11-04 13:41:52 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.164 None 17 35
2009-11-04 13:41:53 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 64.150.160.109 multisure.co.za 17 35
2009-11-04 13:43:30 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.164 None 17 35
2009-11-04 13:43:30 ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement 124.232.145.201 None 130.216.89.90 None 17 36
2009-11-04 14:04:41 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.164 None 17 35
2009-11-04 14:04:41 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.201 None 17 35
2009-11-04 14:04:42 ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement 124.232.145.201 None 130.216.89.90 None 17 36
2009-11-04 14:13:52 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.201 None 17
2009-11-04 14:13:52 ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement 124.232.145.201 None 130.216.89.90 None 17 36
2009-11-04 14:23:03 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.201 None 17 35
2009-11-04 14:24:39 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.164 None 17 35
2009-11-04 14:24:40 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 64.150.160.109 multisure.co.za 17 35

From jonkman at jonkmans.com Wed Nov 4 19:51:17 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Nov 2009 19:51:17 -0500
Subject: [Emerging-Sigs] flowbit version of ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement
In-Reply-To: <82C9F2B8-78D2-4C68-83C2-72CF7C43C790@auckland.ac.nz>
References: <82C9F2B8-78D2-4C68-83C2-72CF7C43C790@auckland.ac.nz>
Message-ID: <4AF22185.3020904@jonkmans.com>

What the heck was I thinking? Those rules are the same other than flowbits. Combined them into one pair of rules. My bad, sorry!

Matt

Russell Fulton wrote:
> Yeah, I know, bad form replying to one's self :-P
>
> On 5/11/2009, at 1:17 PM, Russell Fulton wrote:
>
>> I would remove the threshold for this rule. I am not seeing anything
>> like this rate here. If we are worried about the volume of alerts then
>> make it count 1, seconds 60. I have never seen more than one
>> connection a minute....
>>
>> Another thing, we now have two sets of rules with the same message
>> which I find confusing. I have to drill right down to get the sid....
>>
>> /home/snort/Rules/rules/emerging-virus.rules:alert udp $EXTERNAL_NET
>> 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Palevo/BFBot/Mariposa server
>> join acknowledgement"; dsize:8; content:"|40|"; depth:1;
>> classtype:trojan-activity; flowbits:isset,ET.MariposaJoin; threshold:
>> type limit, count 5, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2010226
>> ; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa
>> ; sid:2010226; rev:3;)
>
> Here is typical alert pattern we are seeing (original sigs):
>
> 2009-11-04 13:41:52 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.164 None 17 35
> 2009-11-04 13:41:53 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 64.150.160.109 multisure.co.za 17 35
> 2009-11-04 13:43:30 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.164 None 17 35
> 2009-11-04 13:43:30 ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement 124.232.145.201 None 130.216.89.90 None 17 36
> 2009-11-04 14:04:41 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.164 None 17 35
> 2009-11-04 14:04:41 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.201 None 17 35
> 2009-11-04 14:04:42 ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement 124.232.145.201 None 130.216.89.90 None 17 36
> 2009-11-04 14:13:52 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.201 None 17
> 2009-11-04 14:13:52 ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement 124.232.145.201 None 130.216.89.90 None 17 36
> 2009-11-04 14:23:03 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.201 None 17 35
> 2009-11-04 14:24:39 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 124.232.145.164 None 17 35
> 2009-11-04 14:24:40 ET TROJAN Palevo/BFBot/Mariposa client join attempt 130.216.89.90 None 64.150.160.109 multisure.co.za 17 35

From jonkman at jonkmans.com Wed Nov 4 19:55:46 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Nov 2009 19:55:46 -0500
Subject: [Emerging-Sigs] Sigs/SVN Commits
References: <4AF1D859.4020701@packetmail.net> <1257369050.53015.63.camel@localhost>
Message-ID: <4AF22292.20500@jonkmans.com>

I left some things uncommitted. I think we're all set now. Can you verify for me?

Thanks

Matt

Kevin Ross wrote:
> I am missing some too. For instance earlier a sig for an Altiris
> function call was submitted that isn't coming down when I pull it (there
> should be 4 sigs in total for Altiris in emerging-web_client.rules after
> today but there is only the 3 existing ones although it had been
> submitted, it is also missing from the daily changes update email).
>
> 2009/11/4 Frank Knobbe
>
> On Wed, 2009-11-04 at 13:39 -0600, evilghost at packetmail.net wrote:
> > I'm not seeing the new rules committed today showing up in
> > http://www.emergingthreats.net/rules/. It used to be instant after you
> > ran an SVN commit AFAIK. Are these now daily batched? For example, I
> > used to update multiple times per day, sometimes immediately after a
> > rule was committed from the list.
>
> I checked my fetch dir and also above link for a few of the recent SID
> (like Opachki). Looks to be all there. What SID are you missing?
>
> -Frank

From jonkman at jonkmans.com Wed Nov 4 20:00:35 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Nov 2009 20:00:35 -0500
Subject: [Emerging-Sigs] Proposed Signature, Eleonore Exploit Pack C&C Activity
In-Reply-To: <4AF1DFA0.8010209@packetmail.net>
References: <4AF1DFA0.8010209@packetmail.net>
Message-ID: <4AF223B3.1010204@jonkmans.com>

Posted, thanks!
evilghost at packetmail.net wrote:
> Proposed signature derived from information on
> http://www.offensivecomputing.net/?q=node/1419
>
> The papa*.cn URL is still active, check-in returns this information:
>
> http://*.cn/myl/bb.php?id=199826733&v=200&tm=2&b=01&tid=3&r=1
> [info]kill:0|delay:60|upd:1|backurls:http://*.cn/myl/bb.php[/info]
>
> This one is currently covered under SID 2009776
>
> I'd like to also add detection for the URI
> ?spl=2&br=MSIE&vers=7.0&s=ec445bc5411c202a8361c7db463e84b4
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan
> Eleonore Exploit Pack activity"; flow:established,to_server;
> uricontent:"?spl="; uricontent:"&br="; uricontent:"&vers=";
> uricontent:"&s=";
> pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U";
> classtype:trojan-activity;
> reference:url,www.offensivecomputing.net/?q=node/1419; sid:2009xxx; rev:1;)

From david.glosser at gmail.com Wed Nov 4 23:50:13 2009
From: david.glosser at gmail.com (David Glosser)
Date: Wed, 4 Nov 2009 23:50:13 -0500
Subject: [Emerging-Sigs] globaldirectory/updatetool.exe

looks like zbot has globaldirectory/updatetool.exe in the URL....
http://www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

From signatures at stillsecure.com Thu Nov 5 04:14:14 2009
From: signatures at stillsecure.com (signatures)
Date: Thu, 5 Nov 2009 02:14:14 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov - 05 - 2009
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2945@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/engine/api/api.class.php?"; nocase; uricontent:"dle_config_api="; nocase; pcre:"/dle_config_api\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html; reference:url,milw0rm.com/exploits/9572; sid:2009204; rev:1;)

2. WEB-ATTACKS EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; distance:0; content:"LicenseKey"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9684; sid:2009240; rev:1;)

3. WEB-PHP Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/editor/edit_htmlarea.php?"; nocase; uricontent:"highlighter="; nocase; pcre:"/highlighter\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/57679; sid:2009207; rev:1;)

4. WEB-PHP Ve-EDIT debug_php.php _GET Parameter Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Ve-EDIT debug_php.php _GET Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/debugger/debug_php.php?"; nocase; uricontent:"_GET[filename]="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/57680; sid:2009208; rev:1;)

5. WEB-ATTACKS Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access"; flow:established,to_client; content:"233C1507-6A77-46A4-9443-F871F945D258"; nocase; content:"PlayerVersion"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*233C1507-6A77-46A4-9443-F871F945D258/si"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/9682; sid:2009238; rev:1;)

6. WEB-ATTACKS QuarkMail get_message.cgi tf Parameter Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS QuarkMail get_message.cgi tf Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cgi-bin/get_message.cgi?"; nocase; uricontent:"&tf="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,www.vupen.com/english/advisories/2009/2460; sid:2009211; rev:1;)

7. WEB-ATTACKS Installshiled 2009 premier ActiveX File Overwrite Function Call
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"WEB-ATTACKS Installshiled 2009 premier ActiveX File Overwrite Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ISWiAuto15.ISWiSequence"; nocase; distance:0; content:"SaveToFile"; nocase; classtype:attempted-user; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; sid:2009236; rev:1;)

8. WEB-ATTACKS Installshiled 2009 premier ActiveX File Overwrite clsid Access
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Installshiled 2009 premier ActiveX File Overwrite clsid Access"; flow:established,to_client; content:"34E7A6F9-F260-46BD-AAC8-1E70E22139D2"; nocase; content:"SaveToFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*34E7A6F9-F260-46BD-AAC8-1E70E22139D2/si"; classtype:web-application-attack; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; sid:2009237; rev:1;)

9. WEB-PHP DvBBS boardrule.php groupboardid Parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DvBBS boardrule.php groupboardid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/boardrule.php?"; nocase; uricontent:"groupboardid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,36282; sid:2009205; rev:1;)

10. WEB-PHP Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/components/com_ajaxchat/tests/ajcuser.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59056; reference:url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt; sid:2009466; rev:1;)

Looking forward for your inputs, if any...

Thanks & Regards,
StillSecure

From kevross33 at googlemail.com Thu Nov 5 04:54:59 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 5 Nov 2009 09:54:59 +0000
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov - 05 - 2009
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2945@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2945@webmail.latis.com>
Message-ID:

I already did one for number 5 (Shockwave). It was in emerging-current for about 3 weeks before Matt removed it once the patch had been distributed early in October. I think it should be re-introduced though because in large networks not everything is anywhere near as up to date as it should be and so machines will still be vulnerable.

From jonkman at jonkmans.com Thu Nov 5 05:59:12 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 05 Nov 2009 05:59:12 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov - 05 - 2009
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2945@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2945@webmail.latis.com>
Message-ID: <4AF2B000.4040407@jonkmans.com>

Posted, and thanks for noting #5 Kevin, re-added.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Nov 5 06:03:14 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 05 Nov 2009 06:03:14 -0500
Subject: [Emerging-Sigs] Proposed Signatures, WindowsEnterpriseSuite FakeAV
In-Reply-To: <4AF1A3B0.2050806@packetmail.net>
References: <4AF0C10C.70105@packetmail.net> <4AF0C588.4050908@jonkmans.com> <4AF0CABC.9010105@packetmail.net> <4AF0D91E.1010203@packetmail.net> <4AF16A48.1020605@jonkmans.com> <4AF1A3B0.2050806@packetmail.net>
Message-ID: <4AF2B0F2.90907@jonkmans.com>

I changed the pcre in the second to end with \x0d\x0a vs $. Not sure how $ works with snort. But otherwise great sigs! Thanks!
Matt

evilghost at packetmail.net wrote:
> I have a PCAP from a secondary system from this malware and I believe I
> can successfully sig the dynamic user agent detected/used during C&C
> activity as well as an additional user-agent used/detected. Seeing
> Wefa7e and Wee6a3.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; TALWinHttpClient)|0d 0a|"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: We"; isdataat:6,relative; content:"|0d 0a|"; distance:0; pcre:"/^User-Agent: We[a-z0-9]{4}$/"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
>
> -evilghost
>
> Matt Jonkman wrote:
>> Done and posted, thanks!
>>
>> Matt
>>
>> evilghost at packetmail.net wrote:
>>> PCRE incorrect, please add + after [A-Za-z0-9].
>>>
>>> Should be
>>>
>>> pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]+/";
>>>
>>> Sorry about that.
>>>
>>> evilghost at packetmail.net wrote:
>>>> Thanks Matt. Additional Signature:
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/MicroinstallServiceReport.php"; content:"report="; content:"&pid="; content:"&wv="; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
>>>>
>>>> 13:20:48.745110 IP 192.168.35.21.1032 > 64.86.133.91.80: P 1:301(300) ack 1 win 65535
>>>> E..T.O at ...O...#. at V.[...P...S..t.P.......POST /Reports/MicroinstallServiceReport.php HTTP/1.1
>>>> Content-Type: application/x-www-form-urlencoded
>>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
>>>> Host: bad_domain_removed_by_evilghost_due_to_spamfilter
>>>> Content-Length: 42
>>>> Cache-Control: no-cache
>>>>
>>>> report=000000000010000000000&pid=3&wv=wvXP
>>>>
>>>> Matt Jonkman wrote:
>>>>> Domains and url's in the ascii dumps were getting them spam filtered,
>>>>> sorry for that.
>>>>>
>>>>> Posting now, great sigs!
>>>>>
>>>>> Matt
>>>>>
>>>>> evilghost at packetmail.net wrote:
>>>>>> I've tried to get this message through now four times, so this is my
>>>>>> final try, I've stripped the PCAP ASCII decodes. Now you'll just have
>>>>>> to take my word for it that these signatures match well and the
>>>>>> rationale behind their construction was valid. Matt, no idea why this
>>>>>> is happening. The message was also sent to you and Frank directly. My
>>>>>> MTA logs show the messages being delivered to the list just fine.
>>>>>>
>>>>>> We are seeing an increase in the 'fake AV' style, here is the secondary
>>>>>> check-in with download. Note the initial HTTP HEAD. Based on the structure of
>>>>>> the URL I'm not sure that implementing a PCRE match would be valuable outside of the
>>>>>> uricontent matching, except for POST. I also see tertiary activity
>>>>>> where there is no HTTP HEAD, only a GET without the &pid string. This variant does some
>>>>>> HOST file modifications, I believe get_product_domains.php is where the seed
>>>>>> list for HOSTS comes from. Various User-Agents are used, some reporting
>>>>>> as the actual malware name itself (5a8fd). Since it's dynamic, not really
>>>>>> sig-able.
>>>>>>
>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; content:"HEAD "; depth:5; uricontent:"?controller="; uricontent:"&abbr="; uricontent:"&setupType="; uricontent:"&ttl="; uricontent:"&pid="; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
>>>>>>
>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?controller="; uricontent:"&abbr="; uricontent:"&setupType="; uricontent:"&ttl="; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
>>>>>>
>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV get_product_domains.php"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/reports/get_product_domains.php?abbr="; uricontent:"&pid="; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
>>>>>>
>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; content:"POST "; depth:5; content:"verint="; content:"&uid="; content:"&wv="; content:"&report="; content:"&abbr="; content:"&pid="; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d+/"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)
>>>>>>
>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan WindowsEnterpriseSuite FakeAV User-Agent TALWinInetHTTPClient"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; TALWinInetHTTPClient)|0d 0a|"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; sid:2009xxx; rev:1;)

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From kevross33 at googlemail.com Thu Nov 5 06:58:01 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 5 Nov 2009 11:58:01 +0000
Subject: [Emerging-Sigs] 2 new Sigs and Performance Fix
Message-ID:

Here you go, Kev.

# 2 New Rules
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX AOL SuperBuddy ActiveX Control Remote Code Execution Function Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Sb.SuperBuddy.1"; nocase; distance:0; content:"SetSuperBuddy"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; sid:19000001; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Persits.XUpload.2"; nocase; distance:0; content:"MakeHttpRequest"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; rev:1;)

# Performance Fix
# Original Rule, I recommend this is split into 3 sigs so it is not applying a PCRE to every CLSID and ending up without a match:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:2002971; rev:68;)

# Replacement Rules:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000003; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000004; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000005; rev:1;)

From jason.weir at nhrs.org Thu Nov 5 09:35:31 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Thu, 5 Nov 2009 09:35:31 -0500
Subject: [Emerging-Sigs] More virus attachments
In-Reply-To: <4AE7307C.6050809@jonkmans.com>
Message-ID:

Here are some more..

WU_Details_97da9.zip
WU_Details_3a9d0.zip
WU_Details_b346f.zip
WU_Details_634db.zip
Facebook_Details_8c21b.zip

-----Original Message-----
From: Matt Jonkman [mailto:jonkman at jonkmans.com]
Sent: Tuesday, October 27, 2009 1:40 PM
To: Weir, Jason
Cc: Emerging-Sigs
Subject: Re: [Emerging-Sigs] More virus sigs?

Added one for these. Good idea Jason!

Matt

Weir, Jason wrote:
> Matt,
>
> The DHL sigs are working as advertised, here are some more.
>
> Facebook_Password_69fd8.zip
> Facebook_Password_e40ae.zip
> Facebook_Password_ca413.zip
> Facebook_Password_d4fb2.zip
>
> This is why I block zip files at the perimeter..
>
> -J
>
> -----Original Message-----
> From: Matt Jonkman [mailto:jonkman at jonkmans.com]
> Sent: Thursday, October 22, 2009 1:45 PM
> To: Weir, Jason
> Cc: Emerging-Sigs
> Subject: Re: [Emerging-Sigs] More virus sigs?
>
> I just got done copying a few of those this morning over to the sandnet
> for analysis. Definitely a big one at the moment.
> > How about: > > alert tcp $EXTERNAL_NET 1024: -> $SMTP_SERVERS 25 (msg:"ET > CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; > content:"Content-Disposition|3A| attachment\;"; nocase; > content:"filename"; within:100; content:"DHL_"; within:50; > pcre:"/filename\s*=\s*"DHL_(package_label_|print_label_)....\.zip/m"; > classtype:trojan-activity; sid:2010148; rev:1;) > > Doing the content-disposition/attachment stuff from memory. Am I right > there? > > Matt > > Weir, Jason wrote: >> My SPAM filter is blocking lots of the following attachments - not > sure >> if this is something we would like to sig.. >> >> DHL_package_label_10c6c.zip >> DHL_package_label_73d93.zip >> DHL_package_label_fceca.zip >> DHL_package_label_4faa6.zip >> DHL_print_label_0ab2d.zip >> >> I see this kind of thing from time to time because of the list of >> attachments we block - if you guys think this stuff is relevant I'll >> pass them on as I see them. >> >> -Jason _____________________________________________________________________________________________ Please visit www.nhrs.org to subscribe to NHRS email announcements and updates. From evilghost at packetmail.net Thu Nov 5 09:36:37 2009 From: evilghost at packetmail.net (evilghost@packetmail.net) Date: Thu, 5 Nov 2009 08:36:37 -0600 Subject: [Emerging-Sigs] 2 new Sigs and Performance Fix In-Reply-To: References: Message-ID: <4AF2E2F5.2000301@packetmail.net> I'm not so sure about the HP LoadRunner one, any reason you're not including clsid:E87F6C8E-16C0-11D3-BEF7-009027438003 in there? Honestly, that HP sig looks a little exploit specific, how about (and even below may not match well). Really, is 5c 5c required or is it just ..|5c|.. ? 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Function Call Attempt"; flow:to_client,established; content:"clsid:E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; content:"..|5c 5c|..|5c 5c|.."; content:"MakeHttpRequest"; nocase; content:".Server"; nocase; content:".Script"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; rev:1;)

As for the AOL super-buddy one, I just don't see that one being sigable, and your signature looks like it will false anytime this ActiveX object is instanced, not just for the remote code execution (as you can see, it's obfuscated JavaScript PoC, an ongoing theme I keep mentioning with regard to these ActiveX signatures). IMHO I don't think these vulnerabilities are really sig-worthy/sig-capable with confidence and the processing power isn't worth their inclusion.

Thanks
-evilghost

Kevin Ross wrote:
> Here you go, Kev.
>
> # 2 New Rules
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX AOL SuperBuddy ActiveX Control Remote Code Execution Function Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Sb.SuperBuddy.1"; nocase; distance:0; content:"SetSuperBuddy"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; sid:19000001; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Persits.XUpload.2"; nocase; distance:0; content:"MakeHttpRequest"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; rev:1;)
>
> # Performance Fix
> #Original Rule, I recommend this is split into 3 sigs so it is not applying a PCRE to every CLSID and ending up without a match:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:2002971; rev:68;)
>
> #Replacement Rules:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000003; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000004; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000005; rev:1;)
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From kevross33 at googlemail.com Thu Nov 5 09:57:42 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 5 Nov 2009 14:57:42 +0000
Subject: [Emerging-Sigs] 2 new Sigs and Performance Fix
In-Reply-To: <4AF2E2F5.2000301@packetmail.net>
References: <4AF2E2F5.2000301@packetmail.net>
Message-ID:

Coverage mostly (safety net). I started thinking it was good coverage to occasionally have coverage for the CLSID and the function, like with the latest Altiris vulnerability. I use Altiris where I work and wrote 2 sigs, one to match the function and the other the CLSID, as below (this wasn't as critical for me for a sig though, as it is the server part of Altiris which won't really be experiencing ActiveX vulnerabilities as a client would; the other vulnerability, which affects Altiris clients on desktops, was probably a bigger risk and maybe that is why a function call sig also was beneficial).

I suppose these things shouldn't be getting called from the Internet anyway though. I actually started doing it for some sigs after I saw it done by StillSecure, when I wrote a sig for the CLSID and vulnerable function for the Altiris eXpress NS SC ActiveX client vulnerability and StillSecure had one for the function call that was submitted also (sids 2010011 and 2010190).

Is it ever a good idea or do you think the function sigs are worthless? What about the performance fixes? Are they ok?
Kev

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; classtype:attempted-user; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010227; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2010227; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; classtype:attempted-user; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; sid:2010245; rev:1;)

2009/11/5 evilghost at packetmail.net

> I'm not so sure about the HP LoadRunner one, any reason you're not
> including clsid:E87F6C8E-16C0-11D3-BEF7-009027438003 in there?
> Honestly, that HP sig looks a little exploit specific, how about (and
> even below may not match well).
Really, is 5c 5c required or is it just > ..|5c|.. ? > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT > ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary > File Download Function Call Attempt"; flow:to_client,established; > content:"clsid:E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; > content:"..|5c 5c|..|5c 5c|.."; > content:"MakeHttpRequest"; nocase; > content:".Server"; nocase; content:".Script"; nocase; > classtype:attempted-user; > reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; rev:1;) > > As for the AOL super-buddy one, I just don't see that one being sigable > and your signature looks like it will false anytime this ActiveX object > is instanced, not just for the remote code execution (as you can see, > it's obfuscated JavaScript PoC, an ongoing theme I keep mentioning with > regard to these ActiveX signatures). IMHO I don't think these > vulnerabilities are really sig-worthy/sig-capable with confidence and > the processing power isn't worth their inclusion. > > Thanks > -evilghost > > > Kevin Ross wrote: > > Here you go, Kev. 
> > > > # 2 New Rules > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT > > ACTIVEX AOL SuperBuddy ActiveX Control Remote Code Execution Function > > Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; > > content:"Sb.SuperBuddy.1"; nocase; distance:0; content:"SetSuperBuddy"; > > nocase; classtype:attempted-user; reference:url, > > www.securityfocus.com/bid/36580/info; reference:url, > > www.securityfocus.com/archive/1/506889; sid:19000001; rev:1;) > > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT > > ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest > Arbitrary > > File Download Function Call Attempt"; flow:to_client,established; > > content:"ActiveXObject"; nocase; content:"Persits.XUpload.2"; nocase; > > distance:0; content:"MakeHttpRequest"; nocase; classtype:attempted-user; > > reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; > rev:1;) > > > > # Performance Fix > > #Original Rule, I recommend this is split into 3 sigs so it is not > applying > > a PCRE to every CLSID and ending up without a match: > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption"; > > flow:established,from_server; content:"CLSID"; nocase; > > > pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri"; > > reference:cve,2006-1303; reference:bugtraq,18328; reference:url, > > www.microsoft.com/technet/security/bulletin/ms06-021.mspx; > > classtype:web-application-attack; reference:url, > > doc.emergingthreats.net/2002971; reference:url, > > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; > > sid:2002971; rev:68;) > > > > #Replacemnt Rules: > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 > > Access 
Attempt"; flow:established,from_server; content:"CLSID"; nocase; > > content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; > > > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; > > classtype:attempted-user; reference:cve,2006-1303; > reference:bugtraq,18328; > > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; > > reference:url,doc.emergingthreats.net/2002971; reference:url, > > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; > > sid:19000003; rev:1;) > > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 > > Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; > > content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0; > > > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; > > classtype:attempted-user; reference:cve,2006-1303; > reference:bugtraq,18328; > > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; > > reference:url,doc.emergingthreats.net/2002971; reference:url, > > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; > > sid:19000004; rev:1;) > > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 > > Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; > > content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0; > > > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; > > classtype:attempted-user; reference:cve,2006-1303; > reference:bugtraq,18328; > > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; > > reference:url,doc.emergingthreats.net/2002971; reference:url, > > 
> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021;
> > sid:19000005; rev:1;)

From kevross33 at googlemail.com Thu Nov 5 10:19:57 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 5 Nov 2009 15:19:57 +0000
Subject: [Emerging-Sigs] 2 new Sigs and Performance Fix
In-Reply-To: <4AF2E2F5.2000301@packetmail.net>
References: <4AF2E2F5.2000301@packetmail.net>
Message-ID:

Oh, and with regard to them being worth it, I think it is better than nothing until some better method comes along. It may be possible to get past the sig, and then on that logic it can be said that because it is possible to bypass the sig it isn't worth writing a sig for it; what then happens when that ActiveX vulnerability is exploited and it is not obfuscated? Then you have missed it anyway, concealed or not. I would prefer at least some coverage, even if that is easy enough to get past, than none at all.

2009/11/5 evilghost at packetmail.net

> I'm not so sure about the HP LoadRunner one, any reason you're not
> including clsid:E87F6C8E-16C0-11D3-BEF7-009027438003 in there?
> Honestly, that HP sig looks a little exploit specific, how about (and
> even below may not match well). Really, is 5c 5c required or is it just
> ..|5c|.. ?
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT > ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary > File Download Function Call Attempt"; flow:to_client,established; > content:"clsid:E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; > content:"..|5c 5c|..|5c 5c|.."; > content:"MakeHttpRequest"; nocase; > content:".Server"; nocase; content:".Script"; nocase; > classtype:attempted-user; > reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; rev:1;) > > As for the AOL super-buddy one, I just don't see that one being sigable > and your signature looks like it will false anytime this ActiveX object > is instanced, not just for the remote code execution (as you can see, > it's obfuscated JavaScript PoC, an ongoing theme I keep mentioning with > regard to these ActiveX signatures). IMHO I don't think these > vulnerabilities are really sig-worthy/sig-capable with confidence and > the processing power isn't worth their inclusion. > > Thanks > -evilghost > > > Kevin Ross wrote: > > Here you go, Kev. 
> > > > # 2 New Rules > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT > > ACTIVEX AOL SuperBuddy ActiveX Control Remote Code Execution Function > > Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; > > content:"Sb.SuperBuddy.1"; nocase; distance:0; content:"SetSuperBuddy"; > > nocase; classtype:attempted-user; reference:url, > > www.securityfocus.com/bid/36580/info; reference:url, > > www.securityfocus.com/archive/1/506889; sid:19000001; rev:1;) > > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT > > ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest > Arbitrary > > File Download Function Call Attempt"; flow:to_client,established; > > content:"ActiveXObject"; nocase; content:"Persits.XUpload.2"; nocase; > > distance:0; content:"MakeHttpRequest"; nocase; classtype:attempted-user; > > reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; > rev:1;) > > > > # Performance Fix > > #Original Rule, I recommend this is split into 3 sigs so it is not > applying > > a PCRE to every CLSID and ending up without a match: > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption"; > > flow:established,from_server; content:"CLSID"; nocase; > > > pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri"; > > reference:cve,2006-1303; reference:bugtraq,18328; reference:url, > > www.microsoft.com/technet/security/bulletin/ms06-021.mspx; > > classtype:web-application-attack; reference:url, > > doc.emergingthreats.net/2002971; reference:url, > > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; > > sid:2002971; rev:68;) > > > > #Replacemnt Rules: > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 > > Access 
Attempt"; flow:established,from_server; content:"CLSID"; nocase; > > content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; > > > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; > > classtype:attempted-user; reference:cve,2006-1303; > reference:bugtraq,18328; > > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; > > reference:url,doc.emergingthreats.net/2002971; reference:url, > > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; > > sid:19000003; rev:1;) > > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 > > Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; > > content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0; > > > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; > > classtype:attempted-user; reference:cve,2006-1303; > reference:bugtraq,18328; > > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; > > reference:url,doc.emergingthreats.net/2002971; reference:url, > > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; > > sid:19000004; rev:1;) > > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 > > Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; > > content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0; > > > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; > > classtype:attempted-user; reference:cve,2006-1303; > reference:bugtraq,18328; > > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; > > reference:url,doc.emergingthreats.net/2002971; reference:url, > > 
> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021;
> > sid:19000005; rev:1;)

From evilghost at packetmail.net Thu Nov 5 10:26:40 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 5 Nov 2009 09:26:40 -0600
Subject: [Emerging-Sigs] 2 new Sigs and Performance Fix
In-Reply-To:
References: <4AF2E2F5.2000301@packetmail.net>
Message-ID: <4AF2EEB0.10302@packetmail.net>

True, at least we'll be protected from PoC. Sadly, adding minimal and trivial obfuscation tends to evade most of these types of signatures. I'm not sure what the solution is. I do still think including the CLSID is the way to go instead of depending solely on function and variable names.

Thanks
-evilghost

Kevin Ross wrote:
> Oh, and with regard to them being worth it, I think it is better than nothing
> until some better method comes along. It may be possible to get past the sig,
> and then on that logic it can be said that because it is possible to bypass the
> sig it isn't worth writing a sig for it; what then happens when that ActiveX
> vulnerability is exploited and it is not obfuscated? Then you have missed
> it anyway, concealed or not. I would prefer at least some coverage, even
> if that is easy enough to get past, than none at all.
> > 2009/11/5 evilghost at packetmail.net > > >> I'm not so sure about the HP LoadRunner one, any reason you're not >> including clsid:E87F6C8E-16C0-11D3-BEF7-009027438003 in there? >> Honestly, that HP sig looks a little exploit specific, how about (and >> even below may not match well). Really, is 5c 5c required or is it just >> ..|5c|.. ? >> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT >> ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary >> File Download Function Call Attempt"; flow:to_client,established; >> content:"clsid:E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; >> content:"..|5c 5c|..|5c 5c|.."; >> content:"MakeHttpRequest"; nocase; >> content:".Server"; nocase; content:".Script"; nocase; >> classtype:attempted-user; >> reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; rev:1;) >> >> As for the AOL super-buddy one, I just don't see that one being sigable >> and your signature looks like it will false anytime this ActiveX object >> is instanced, not just for the remote code execution (as you can see, >> it's obfuscated JavaScript PoC, an ongoing theme I keep mentioning with >> regard to these ActiveX signatures). IMHO I don't think these >> vulnerabilities are really sig-worthy/sig-capable with confidence and >> the processing power isn't worth their inclusion. >> >> Thanks >> -evilghost >> >> >> Kevin Ross wrote: >> >>> Here you go, Kev. 
>>> >>> # 2 New Rules >>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT >>> ACTIVEX AOL SuperBuddy ActiveX Control Remote Code Execution Function >>> Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; >>> content:"Sb.SuperBuddy.1"; nocase; distance:0; content:"SetSuperBuddy"; >>> nocase; classtype:attempted-user; reference:url, >>> www.securityfocus.com/bid/36580/info; reference:url, >>> www.securityfocus.com/archive/1/506889; sid:19000001; rev:1;) >>> >>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT >>> ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest >>> >> Arbitrary >> >>> File Download Function Call Attempt"; flow:to_client,established; >>> content:"ActiveXObject"; nocase; content:"Persits.XUpload.2"; nocase; >>> distance:0; content:"MakeHttpRequest"; nocase; classtype:attempted-user; >>> reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; >>> >> rev:1;) >> >>> # Performance Fix >>> #Original Rule, I recommend this is split into 3 sigs so it is not >>> >> applying >> >>> a PCRE to every CLSID and ending up without a match: >>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT >>> ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption"; >>> flow:established,from_server; content:"CLSID"; nocase; >>> >>> >> pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri"; >> >>> reference:cve,2006-1303; reference:bugtraq,18328; reference:url, >>> www.microsoft.com/technet/security/bulletin/ms06-021.mspx; >>> classtype:web-application-attack; reference:url, >>> doc.emergingthreats.net/2002971; reference:url, >>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; >>> sid:2002971; rev:68;) >>> >>> #Replacemnt Rules: >>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT >>> ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory 
Corruption CLSID 1 >>> Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; >>> content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; >>> >>> >> pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; >> >>> classtype:attempted-user; reference:cve,2006-1303; >>> >> reference:bugtraq,18328; >> >>> reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; >>> reference:url,doc.emergingthreats.net/2002971; reference:url, >>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; >>> sid:19000003; rev:1;) >>> >>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT >>> ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 >>> Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; >>> content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0; >>> >>> >> pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; >> >>> classtype:attempted-user; reference:cve,2006-1303; >>> >> reference:bugtraq,18328; >> >>> reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; >>> reference:url,doc.emergingthreats.net/2002971; reference:url, >>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; >>> sid:19000004; rev:1;) >>> >>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT >>> ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 >>> Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; >>> content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0; >>> >>> >> pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; >> >>> classtype:attempted-user; reference:cve,2006-1303; >>> >> reference:bugtraq,18328; >> >>> reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; >>> 
>>> reference:url,doc.emergingthreats.net/2002971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021;
>>> sid:19000005; rev:1;)

From guise.mcallaster at gmail.com Thu Nov 5 10:28:40 2009
From: guise.mcallaster at gmail.com (Guise McAllaster)
Date: Thu, 5 Nov 2009 15:28:40 +0000
Subject: [Emerging-Sigs] 2 new Sigs and Performance Fix
In-Reply-To:
References: <4AF2E2F5.2000301@packetmail.net>
Message-ID:

Hey mate, I am beginning to suspect that you are a British Sourcefire VRT plant. It's OK, you can admit it; we won't be upset at all but will be glad to know the truth :)

-Guise

On 11/5/09, Kevin Ross wrote:
> Coverage mostly (safety net). I started thinking it was good coverage to
> occasionally have coverage for the CLSID and the function, like with the
> latest Altiris vulnerability. I use Altiris where I work and wrote 2 sigs,
> one to match the function and the other the CLSID, as below (this wasn't as
> critical for me for a sig though, as it is the server part of Altiris
> which won't really be experiencing ActiveX vulnerabilities as a client
> would; the other vulnerability, which affects Altiris clients on desktops, was
> probably a bigger risk and maybe that is why a function call sig also was
> beneficial).
>
> I suppose these things shouldn't be getting called from the Internet
> anyway though.
> I actually started doing it for some sigs after I saw it done
> by StillSecure when I wrote a sig for the CLSID and vulnerable function for
> the Altiris eXpress NS SC ActiveX client vulnerability and StillSecure had
> one for the function call that was submitted also (sids 2010011 and
> 2010190).
>
> Is it ever a good idea or do you think the function sigs are worthless? What
> about the performance fixes? Are they ok?
>
> Kev
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; classtype:attempted-user; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010227; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec; sid:2010227; rev:2;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; classtype:attempted-user; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; sid:2010245; rev:1;)
>
>
> 2009/11/5 evilghost at packetmail.net
>
>> I'm not so sure about the HP LoadRunner one, any reason you're not
>> including clsid:E87F6C8E-16C0-11D3-BEF7-009027438003 in there?
>> Honestly, that HP sig looks a little exploit specific, how about (and
>> even below may not match well). Really, is 5c 5c required or is it just
>> ..|5c|.. ?
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Function Call Attempt"; flow:to_client,established; content:"clsid:E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; content:"..|5c 5c|..|5c 5c|.."; content:"MakeHttpRequest"; nocase; content:".Server"; nocase; content:".Script"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; rev:1;)
>>
>> As for the AOL super-buddy one, I just don't see that one being sigable
>> and your signature looks like it will false anytime this ActiveX object
>> is instanced, not just for the remote code execution (as you can see,
>> it's obfuscated JavaScript PoC, an ongoing theme I keep mentioning with
>> regard to these ActiveX signatures). IMHO I don't think these
>> vulnerabilities are really sig-worthy/sig-capable with confidence and
>> the processing power isn't worth their inclusion.
>>
>> Thanks
>> -evilghost
>>
>>
>> Kevin Ross wrote:
>> > Here you go, Kev.
>> > >> > # 2 New Rules >> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET >> > WEB_CLIENT >> > ACTIVEX AOL SuperBuddy ActiveX Control Remote Code Execution Function >> > Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; >> > content:"Sb.SuperBuddy.1"; nocase; distance:0; content:"SetSuperBuddy"; >> > nocase; classtype:attempted-user; reference:url, >> > www.securityfocus.com/bid/36580/info; reference:url, >> > www.securityfocus.com/archive/1/506889; sid:19000001; rev:1;) >> > >> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET >> > WEB_CLIENT >> > ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest >> Arbitrary >> > File Download Function Call Attempt"; flow:to_client,established; >> > content:"ActiveXObject"; nocase; content:"Persits.XUpload.2"; nocase; >> > distance:0; content:"MakeHttpRequest"; nocase; classtype:attempted-user; >> > reference:url,www.securityfocus.com/bid/36550/info; sid:19000002; >> rev:1;) >> > >> > # Performance Fix >> > #Original Rule, I recommend this is split into 3 sigs so it is not >> applying >> > a PCRE to every CLSID and ending up without a match: >> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT >> > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption"; >> > flow:established,from_server; content:"CLSID"; nocase; >> > >> pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri"; >> > reference:cve,2006-1303; reference:bugtraq,18328; reference:url, >> > www.microsoft.com/technet/security/bulletin/ms06-021.mspx; >> > classtype:web-application-attack; reference:url, >> > doc.emergingthreats.net/2002971; reference:url, >> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; >> > sid:2002971; rev:68;) >> > >> > #Replacemnt Rules: >> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT >> > ACTIVEX Wmm2fxa.dll COM Object 
Instantiation Memory Corruption CLSID 1 >> > Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; >> > content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; >> > >> pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; >> > classtype:attempted-user; reference:cve,2006-1303; >> reference:bugtraq,18328; >> > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; >> > reference:url,doc.emergingthreats.net/2002971; reference:url, >> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; >> > sid:19000003; rev:1;) >> > >> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT >> > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 >> > Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; >> > content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0; >> > >> pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; >> > classtype:attempted-user; reference:cve,2006-1303; >> reference:bugtraq,18328; >> > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; >> > reference:url,doc.emergingthreats.net/2002971; reference:url, >> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; >> > sid:19000004; rev:1;) >> > >> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT >> > ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 >> > Access Attempt"; flow:established,from_server; content:"CLSID"; nocase; >> > content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0; >> > >> pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; >> > classtype:attempted-user; reference:cve,2006-1303; >> reference:bugtraq,18328; >> > reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; >> > 
reference:url,doc.emergingthreats.net/2002971; reference:url, >> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; >> > sid:19000005; rev:1;) >> > >> > >> > ------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > Emerging-sigs mailing list >> > Emerging-sigs at emergingthreats.net >> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> > >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> > From kevross33 at googlemail.com Thu Nov 5 14:10:07 2009 From: kevross33 at googlemail.com (Kevin Ross) Date: Thu, 5 Nov 2009 19:10:07 +0000 Subject: [Emerging-Sigs] 2 new Sigs and Performance Fix In-Reply-To: References: <4AF2E2F5.2000301@packetmail.net> Message-ID: Me? Why? A British Plant, how very James Bond :) And I wish, if I worked for Sourcefire I would get paid for writing sigs (Then again I am sure they would make you sign something saying all sigs you write are property of Sourcefire), get to make pig rockets and flame-throwers which would be fun and wouldn't have to do on call or deal with most of the stuff I have to do at work lol (Although I do really like where I work, plenty technology to play with). :) 2009/11/5 Guise McAllaster > Hey mate, I am beginning to suspect that you are a British Sourcefire > VRT plant. It's OK, you can admit it; we won't be upset at all but > will be glad to know the truth :) > > -Guise > > On 11/5/09, Kevin Ross wrote: > > Coverage mostly (safety net). I started thinking it was good coverage to > > occasionally have coverage for the CLSID and the function like with the > > latest Altiris vulnerability. 
> > I use Altiris where I work and wrote 2 sigs, one to match the function and the other the CLSID as below (this wasn't as critical for me for a sig though as it is the server part of Altiris which won't really be experiencing ActiveX vulnerabilities as a client would, the other vulnerability which affects Altiris clients on desktops was probably a bigger risk and maybe that is why a function call sig also was beneficial).
> >
> > I suppose as these things shouldn't be getting called from the Internet anyway though. I actually started doing it for some sigs after I saw it done by StillSecure when I wrote a sig for the CLSID and vulnerable function for the Altiris eXpress NS SC ActiveX client vulnerability and StillSecure had one for the function call that was submitted also (sids 2010011 and 2010190).
> >
> > Is it ever a good idea or do you think the function sigs are worthless? What about the performance fixes? Are they ok?
> >
> > Kev
> >
> > [...]

From kevross33 at googlemail.com Thu Nov 5 14:18:14 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 5 Nov 2009 19:18:14 +0000
Subject: [Emerging-Sigs] 2 new Sigs and Performance Fix
In-Reply-To: <4AF2EEB0.10302@packetmail.net>
References: <4AF2E2F5.2000301@packetmail.net> <4AF2EEB0.10302@packetmail.net>
Message-ID:

Perhaps the solution may be found in the new IDS/IPS that is being developed by OISF? Maybe something along the lines of if it sees through whatever method or at least there is a good chance of obfuscation trying to hide something, then it can pass it to either another system for further analysis or do it locally to try and remove the obfuscation and then perhaps compare that against its known sigs for ActiveX, Malware etc and even if it doesn't find something keep it about for an analyst to look at.
I don't really know how such a thing could be done as I am not a programmer, still would be cool (though if deployed inline that could be an issue for performance). Perhaps even then if it sees obfuscation from an IP address it can give that IP a rating (configurable, i.e. block it if you see it or raise that IP's hostility in the reputation system)?

2009/11/5 evilghost at packetmail.net

> True, at least we'll be protected from PoC. Sadly, adding minimal and trivial obfuscation tends to evade most of these type signatures. I'm not sure what the solution is. I do still think including the CLSID is the way to go instead of depending solely on function and variable names.
>
> Thanks
> -evilghost
>
> Kevin Ross wrote:
> > Oh and with regard to them being worth it, I think it is better than nothing until some better method comes along. It may be possible to get past the sig and then on that logic it can be said because it is possible to bypass the sig it isn't worth writing a sig for it, what then happens when that ActiveX vulnerability is exploited and it is not obfuscated? Then you have missed it anyway, concealed or not. I would prefer at least some coverage, even if that is easy enough to get past, than none at all.
> >
> > 2009/11/5 evilghost at packetmail.net
> >
> > [...]
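Added example (not code from the thread, from Snort or from the ET rule set): a toy Snort-style matcher that runs the three signature styles argued over in the messages above against constructed sample response bodies. It emulates only `content`/`nocase`/`distance:0` and `pcre`, and covers the ProgID-plus-method "function call" rule (2010245 style), the CLSID-plus-method rule (2010227 style) and the CLSID-only access rule used for the Wmm2fxa replacements (19000003-5 style); it also counts how many payloads reach the regex stage for the original 2002971 alternation versus the split rules. The `<object[^>]*classid` prefix is my assumption about the tag the quoted pcre lost in the archive; the sample pages, the string-splitting "obfuscation" and the placeholder GUID in the benign page are constructed for the demonstration.

```python
"""Toy Snort-style matcher for the ActiveX signature styles discussed above.
Added example: not code from the thread, from Snort or from the ET rule set.
The emulation covers only content/nocase/distance:0 and pcre."""
import re

# Identifiers copied from the rules quoted in the thread.
ALTIRIS_CLSID = "B44D252D-98FC-4D5C-948C-BE868392A004"   # sid 2010227
ALTIRIS_PROGID = "Altiris.AeXNSConsoleUtilities"         # sid 2010245
ALTIRIS_METHOD = "BrowseAndSaveFile"
WMM2FXA_CLSIDS = [                                        # sid 2002971 / 19000003-5
    "B4DC8DD9-2CC1-4081-9B2B-20D7030234EF",
    "C63344D8-70D3-4032-9B32-7A3CAD5091A5",
    "353359C1-39E1-491b-9951-464FD8AB071C",
]
PCRE_CALLS = {"count": 0}   # how many payloads reached a pcre: option


def contents(payload, spec):
    """Emulate a chain of `content:"x"; nocase;` options. spec is a list of
    (needle, relative); relative=True stands for `distance:0`, i.e. the search
    resumes after the previous match instead of at offset 0."""
    hay = payload.lower()
    pos = 0
    for needle, relative in spec:
        i = hay.find(needle.lower(), pos if relative else 0)
        if i < 0:
            return False
        pos = i + len(needle)
    return True


def object_tag_pcre(payload, guid):
    """Assumption: the quoted pcre lost its leading `<object[^>` to the
    archive's HTML stripping; this is the form the check is taken to have."""
    PCRE_CALLS["count"] += 1
    pat = (r"<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7b?\s*"
           + re.escape(guid))
    return re.search(pat, payload, re.IGNORECASE | re.DOTALL) is not None


def altiris_clsid_and_method(payload):
    """sid 2010227 style: CLSID and the vulnerable method name, then the tag pcre."""
    spec = [("clsid", False), (ALTIRIS_CLSID, True), (ALTIRIS_METHOD, False)]
    return contents(payload, spec) and object_tag_pcre(payload, ALTIRIS_CLSID)


def altiris_function_call(payload):
    """sid 2010245 style: ActiveXObject -> ProgID -> method, all literal strings."""
    spec = [("ActiveXObject", False), (ALTIRIS_PROGID, True), (ALTIRIS_METHOD, False)]
    return contents(payload, spec)


def clsid_access(payload, guid):
    """Wmm2fxa replacement style (sids 19000003-5): a per-GUID content anchor
    in front of the pcre, so only payloads carrying that GUID reach the regex."""
    return (contents(payload, [("CLSID", False), (guid, True)])
            and object_tag_pcre(payload, guid))


def wmm2fxa_original(payload):
    """sid 2002971 style: one 'CLSID' anchor, then an alternation regex that
    runs against every payload containing the word CLSID."""
    if not contents(payload, [("CLSID", False)]):
        return False
    PCRE_CALLS["count"] += 1
    return re.search("|".join(WMM2FXA_CLSIDS), payload, re.IGNORECASE) is not None


def wmm2fxa_split(payload):
    """The three replacement rules, evaluated as a set."""
    return any(clsid_access(payload, g) for g in WMM2FXA_CLSIDS)


def pcre_evaluations(rule, corpus):
    """Return (hits, payloads that reached a pcre) for rule over corpus."""
    PCRE_CALLS["count"] = 0
    hits = sum(1 for p in corpus if rule(p))
    return hits, PCRE_CALLS["count"]


# Constructed sample response bodies (not real exploit code): the "attack" is
# just a method call; the obfuscated copy splits the ProgID and method strings.
POC_PLAIN = """<object classid="clsid:{B44D252D-98FC-4D5C-948C-BE868392A004}" id="t"></object>
<script>var o = new ActiveXObject("Altiris.AeXNSConsoleUtilities");
o.BrowseAndSaveFile(big, big);</script>"""
POC_OBFUSCATED = """<object classid="clsid:B44D252D-98FC-4D5C-948C-BE868392A004" id="t"></object>
<script>var o = new ActiveXObject("Altiris." + "AeXNSConsole" + "Utilities");
o["Browse" + "AndSave" + "File"](big, big);</script>"""
BENIGN_PAGE = """<object classid="clsid:11111111-2222-3333-4444-555555555555" width="1">
<param name="movie" value="a.swf"></object>"""          # placeholder GUID
WMM_PAGE = '<object classid="clsid:C63344D8-70D3-4032-9B32-7A3CAD5091A5"></object>'
CORPUS = [POC_PLAIN, POC_OBFUSCATED, BENIGN_PAGE, WMM_PAGE]


def summary():
    """Which Altiris rule style fires on which sample."""
    rules = {
        "function_call": altiris_function_call,
        "clsid+method": altiris_clsid_and_method,
        "clsid_only": lambda p: clsid_access(p, ALTIRIS_CLSID),
    }
    samples = {"plain": POC_PLAIN, "obfuscated": POC_OBFUSCATED, "benign": BENIGN_PAGE}
    return {name: {s: rule(p) for s, p in samples.items()} for name, rule in rules.items()}


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:14s} {result}")
    print("2002971 original (hits, pcre runs):", pcre_evaluations(wmm2fxa_original, CORPUS))
    print("19000003-5 split (hits, pcre runs):", pcre_evaluations(wmm2fxa_split, CORPUS))
```

Two things fall out of running it. Splitting the ProgID and method strings in JavaScript defeats both rules that carry a literal method name, while the rule anchored only on the CLSID in the `<object>` tag still fires, which is the point being made about preferring the CLSID over function and variable names. And over a corpus where every page contains the word CLSID, the single alternation regex is evaluated for every page, whereas the per-GUID content anchors let only the page carrying a listed GUID reach the regex.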
From emerging at emergingthreats.net Thu Nov 5 16:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 5 Nov 2009 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091105210013.CA4B74502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Nov 5 16:00:13 2009 [***]

[+++] Added rules: [+++]
2010240 - ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD (emerging-virus.rules)
2010241 - ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET (emerging-virus.rules)
2010242 - ET TROJAN WindowsEnterpriseSuite FakeAV get_product_domains.php (emerging-virus.rules)
2010243 - ET TROJAN Agent.END (emerging-virus.rules)
2010244 - ET TROJAN Obitel Downloader Request (emerging-virus.rules)
2010245 - ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call (emerging-web_client.rules)
2010246 - ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in (emerging-virus.rules)
2010247 - ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST (emerging-virus.rules)
2010248 - ET TROJAN Eleonore Exploit Pack activity (emerging-virus.rules)
2010250 - ET CURRENT_EVENTS ZBot EXE Download (personalfile/word.exe) (emerging-current_events.rules)
2010251 - ET CURRENT_EVENTS ZBot EXE Download (updatetool.exe) (emerging-current_events.rules)
2010252 - ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010253 - ET WEB_CLIENT EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt (emerging-web_client.rules)
2010254 - ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010255 - ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion (emerging-web_specific_apps.rules)
2010256 - ET WEB_CLIENT Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access (emerging-web_client.rules)
2010257 - ET WEB_CLIENT Installshiled 2009 premier ActiveX File Overwrite Function Call (emerging-web_client.rules)
2010258 - ET WEB_CLIENT Installshiled 2009 premier ActiveX File Overwrite clsid Access (emerging-web_client.rules)
2010259 - ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection (emerging-web_specific_apps.rules)
2010260 - ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010261 - ET TROJAN WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient (emerging-virus.rules)
2010262 - ET TROJAN WindowsEnterpriseSuite FakeAV Dynamic User-Agent (emerging-virus.rules)
20102449 - ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) (emerging-current_events.rules)

[///] Modified active rules: [///]
2008450 - ET TROJAN Donbot Connect to CnC (emerging-virus.rules)
2008451 - ET TROJAN Donbot Report to CnC (emerging-virus.rules)
2010100 - ET TROJAN Palevo/BFBot/Mariposa client join attempt (emerging-virus.rules)
2010101 - ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement (emerging-virus.rules)
2010230 - ET TROJAN W32.Koblu (emerging-virus.rules)

[---] Removed rules: [---]
2010225 - ET TROJAN Palevo/BFBot/Mariposa client join attempt (emerging-virus.rules)
2010226 - ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement (emerging-virus.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-current_events.rules (1):
#by phrantic
-> Added to emerging-sid-msg.map (41):
2008450 || ET TROJAN Donbot Connect to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Donbot || url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/ || url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html || url,doc.emergingthreats.net/2008450
2008451 || ET TROJAN Donbot Report to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus || url,doc.emergingthreats.net/2008451 || url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/ || url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html
2010240 || ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010240 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387
2010241 || ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010241 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387
2010242 || ET TROJAN WindowsEnterpriseSuite FakeAV get_product_domains.php || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010242 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387
2010243 || ET TROJAN Agent.END || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Agent.end || url,doc.emergingthreats.net/2010243
2010244 || ET TROJAN Obitel Downloader Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Obitel || url,doc.emergingthreats.net/2010244 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A
2010245 || ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Altiris || url,doc.emergingthreats.net/2010245 || cve,2009-3031 || url,securitytracker.com/alerts/2009/Nov/1023122.html || url,sotiriu.de/adv/NSOADV-2009-001.txt || url,www.securityfocus.com/bid/36698/info || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00
2010246 || ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010246 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387
2010247 || ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010247 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387
2010248 || ET TROJAN Eleonore Exploit Pack activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Eleaonore || url,doc.emergingthreats.net/2010248 || url,www.offensivecomputing.net/?q=node/1419
2010250 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/word.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/2010250 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
2010251 || ET CURRENT_EVENTS ZBot EXE Download (updatetool.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/2010251 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
2010252 || ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Datalife || url,doc.emergingthreats.net/2010252 || url,milw0rm.com/exploits/9572 || url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html
2010253 || ET WEB_CLIENT EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EasyMail || url,doc.emergingthreats.net/2010253 || url,milw0rm.com/exploits/9684
2010254 || ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_VeEdit || url,doc.emergingthreats.net/2010254 || url,osvdb.org/show/osvdb/57679
2010255 || ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_VeEdit || url,doc.emergingthreats.net/2010255 || url,osvdb.org/show/osvdb/57680
2010256 || ET WEB_CLIENT Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Adobe || url,doc.emergingthreats.net/2010256 || url,www.milw0rm.com/exploits/9682
2010257 || ET WEB_CLIENT Installshiled 2009 premier ActiveX File Overwrite Function Call || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_InstallShield || url,doc.emergingthreats.net/2010257 || url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt
2010258 || ET WEB_CLIENT Installshiled 2009 premier ActiveX File Overwrite clsid Access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_InstallShield || url,doc.emergingthreats.net/2010258 || url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt
2010259 || ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DVBBS || url,doc.emergingthreats.net/2010259 || bugtraq,36282
2010260 || ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010260 || url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt || url,osvdb.org/show/osvdb/59056
2010261 || ET TROJAN WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010261 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387
2010262 || ET TROJAN WindowsEnterpriseSuite FakeAV Dynamic User-Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010262 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387
2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
20102449 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/20102449 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
-> Added to emerging-sid-msg.map.txt (41):
2008450 || ET TROJAN Donbot Connect to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Donbot || url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/ || url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html ||
url,doc.emergingthreats.net/2008450 2008451 || ET TROJAN Donbot Report to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus || url,doc.emergingthreats.net/2008451 || url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/ || url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html 2010240 || ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010240 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 2010241 || ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010241 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 2010242 || ET TROJAN WindowsEnterpriseSuite FakeAV get_product_domains.php || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010242 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 2010243 || ET TROJAN Agent.END || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Agent.end || url,doc.emergingthreats.net/2010243 2010244 || ET TROJAN Obitel Downloader Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Obitel || url,doc.emergingthreats.net/2010244 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A 2010245 || ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Altiris || 
url,doc.emergingthreats.net/2010245 || cve,2009-3031 || url,securitytracker.com/alerts/2009/Nov/1023122.html || url,sotiriu.de/adv/NSOADV-2009-001.txt || url,www.securityfocus.com/bid/36698/info || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00 2010246 || ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010246 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 2010247 || ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010247 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 2010248 || ET TROJAN Eleonore Exploit Pack activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Eleaonore || url,doc.emergingthreats.net/2010248 || url,www.offensivecomputing.net/?q=node/1419 2010250 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/word.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/2010250 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on 2010251 || ET CURRENT_EVENTS ZBot EXE Download (updatetool.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/2010251 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on 2010252 || ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Datalife || 
url,doc.emergingthreats.net/2010252 || url,milw0rm.com/exploits/9572 || url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html 2010253 || ET WEB_CLIENT EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EasyMail || url,doc.emergingthreats.net/2010253 || url,milw0rm.com/exploits/9684 2010254 || ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_VeEdit || url,doc.emergingthreats.net/2010254 || url,osvdb.org/show/osvdb/57679 2010255 || ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_VeEdit || url,doc.emergingthreats.net/2010255 || url,osvdb.org/show/osvdb/57680 2010256 || ET WEB_CLIENT Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Adobe || url,doc.emergingthreats.net/2010256 || url,www.milw0rm.com/exploits/9682 2010257 || ET WEB_CLIENT Installshiled 2009 premier ActiveX File Overwrite Function Call || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_InstallShield || url,doc.emergingthreats.net/2010257 || url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt 2010258 || ET WEB_CLIENT Installshiled 2009 premier ActiveX File Overwrite clsid Access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_InstallShield || url,doc.emergingthreats.net/2010258 || url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt 2010259 || ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DVBBS || url,doc.emergingthreats.net/2010259 || bugtraq,36282 2010260 || ET WEB_SPECIFIC_APPS Joomla AjaxChat Component 
ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010260 || url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt || url,osvdb.org/show/osvdb/59056 2010261 || ET TROJAN WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010261 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 2010262 || ET TROJAN WindowsEnterpriseSuite FakeAV Dynamic User-Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_WindowsEnterpriseFakeAV || url,doc.emergingthreats.net/2010262 || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510542 || ET COMPROMISED 
Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 20102449 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/20102449 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (4): 2008450 || ET TROJAN Buzus.lyz Connect to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus || url,doc.emergingthreats.net/2008450 2008451 || ET TROJAN Buzus.lyz Report to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus || url,doc.emergingthreats.net/2008451 2010225 || ET TROJAN Palevo/BFBot/Mariposa client join attempt || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa || url,doc.emergingthreats.net/2010225
2010226 || ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa || url,doc.emergingthreats.net/2010226

-> Removed from emerging-sid-msg.map.txt (4):
2008450 || ET TROJAN Buzus.lyz Connect to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus || url,doc.emergingthreats.net/2008450
2008451 || ET TROJAN Buzus.lyz Report to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus || url,doc.emergingthreats.net/2008451
2010225 || ET TROJAN Palevo/BFBot/Mariposa client join attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa || url,doc.emergingthreats.net/2010225
2010226 || ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa || url,doc.emergingthreats.net/2010226

-> Removed from emerging-virus.rules (1):
#anonymous writer, sent in by Russell Fulton, improved by jerry at cybercave

From phatbuckett at gmail.com Thu Nov 5 19:54:31 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 5 Nov 2009 17:54:31 -0700
Subject: [Emerging-Sigs] Dosenjo/Kvadr trojan proxy rule
Message-ID: <839aec700911051654y29a0d3ccledc3efea0774eb85@mail.gmail.com>

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server; uricontent:"hingDeny="; nocase; uricontent:"&id="; nocase; pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/U"; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; sid:XXXXXXX; rev:1;)

Sandbox reports show a few variations of requests from different versions or variants of this malware...

http://anubis.iseclab.org/?action=result&task_id=146c30cf39d573eb431bba0f43ba26c6e&format=html
http://www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934
http://www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7

Sample requests/URIs:

/reg.php?cashingDeny=zUBb961m7wCPf49I&id=jACMXa7Ai0nCF94y&ver=1&acc=12&dll=1
/l.php?cashingDeny=sutEJNPLQnYUQ8dH&id=jACMXa7Ai0nCF94y&ver=1&acc=12&winver=XP
/l.php?cashingDeny=wz52w2l61uaPColQ&id=jACMXa7Ai0nCF94y&ver=1&acc=12&winver=XP
/l.php?cashingDeny=YY4022WP49rXOvaz&id=jACMXa7Ai0nCF94y&ver=1&acc=12&winver=XP
/l.php?cashingDeny=NIl0X1UyQJ5U5Dag&id=jACMXa7Ai0nCF94y&ver=1&acc=12&winver=XP

install-adobe-flash.com/s.html?cachingDeny=MDVbX4VWg55G75O7&id=WIWMloFsX2SBmXHQ
install-adobe-flash.com/h.php?cachingDeny=ZfG30z4Nj2Ad6G1v&id=WIWMloFsX2SBmXHQ&ip=&mode=undefined&dll=1
install-adobe-flash.com/u.php?cashingDeny=H1wwZGHGgFdWvGAO&id=WIWMloFsX2SBmXHQ&dll=1
install-adobe-flash.com/s.html?cachingDeny=7JT5nkT1IlS1G8jb&id=WIWMloFsX2SBmXHQ
install-adobe-flash.com/a.php?cachingDeny=BMw4zEsf2zUDh554&id=WIWMloFsX2SBmXHQ
install-adobe-flash.com/i.php?cachingDeny=L46S86d7S49YI1QX&id=WIWMloFsX2SBmXHQ
install-adobe-flash.com/v.php?cachingDeny=tVRj436o397uJIw4&id=WIWMloFsX2SBmXHQ&ver=2&acc=12
install-adobe-flash.com/l.php?cashingDeny=S2Ua0lt0LZ47ck07&acc=12&id=WIWMloFsX2SBmXHQ

/s.html?cachingDeny=Iu42gEHQO4g42103&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=gkww4GwP02xIL1Y7&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=2DY478jzYH9x0Q2w&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=953n1AVjZgzemRME&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=A4aj3k03rON9Vtg5&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=NqUe73vD2n1A7usj&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=ijvi1FHOsvO0pv2Q&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=uCX9F94y648XG1G4&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=12y5HZ96Tbym44Bv&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=81S0RjT4T94bZ7nL&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=P2T6S38Cuia011h2&id=tz1bu2J0xA10bn5S
/s.html?cachingDeny=civ9UD3mu3OYaC58&id=tz1bu2J0xA10bn5S

There are some annoyances in the use of .php and .html in the script names and the intermixed use of 'cachingDeny' and 'cashingDeny' as the parameter names, as well as some requests with other parameters (and one that broke ordering of parameters), so I tried for the lowest common denominator. Improvements on this certainly welcome.

Incidentally 2008756 looks like it picks up the 'Kvadrlson' user-agent that one or more variants of this use.

--
Darren Spruell
phatbuckett at gmail.com

From evilghost at packetmail.net Thu Nov 5 20:09:19 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 5 Nov 2009 19:09:19 -0600
Subject: [Emerging-Sigs] Dosenjo/Kvadr trojan proxy rule
In-Reply-To: <839aec700911051654y29a0d3ccledc3efea0774eb85@mail.gmail.com>
References: <839aec700911051654y29a0d3ccledc3efea0774eb85@mail.gmail.com>
Message-ID:

I like this, thanks for submitting. If we see false positives we can adjust the PCRE to OR on html or PHP.

On Thu, 5 Nov 2009 17:54:31 -0700 Darren Spruell wrote
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server;
> uricontent:"hingDeny="; nocase; uricontent:"&id="; nocase;
> pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/U";
> classtype:trojan-activity;
> reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml;
> reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934;
> reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7;
> sid:XXXXXXX; rev:1;)
>
> Sandbox reports show a few variations of requests from different
> versions or variants of this malware...
>
> http://anubis.iseclab.org/?action=result&task_id=146c30cf39d573eb431bba0f43ba26c6e&format=html
> http://www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934
> http://www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7
>
> Sample requests/URIs:
>
> /reg.php?cashingDeny=zUBb961m7wCPf49I&id=jACMXa7Ai0nCF94y&ver=1&acc=12&dll=1
> /l.php?cashingDeny=sutEJNPLQnYUQ8dH&id=jACMXa7Ai0nCF94y&ver=1&acc=12&winver=XP
> /l.php?cashingDeny=wz52w2l61uaPColQ&id=jACMXa7Ai0nCF94y&ver=1&acc=12&winver=XP
> /l.php?cashingDeny=YY4022WP49rXOvaz&id=jACMXa7Ai0nCF94y&ver=1&acc=12&winver=XP
> /l.php?cashingDeny=NIl0X1UyQJ5U5Dag&id=jACMXa7Ai0nCF94y&ver=1&acc=12&winver=XP
>
> install-adobe-flash.com/s.html?cachingDeny=MDVbX4VWg55G75O7&id=WIWMloFsX2SBmXHQ
> install-adobe-flash.com/h.php?cachingDeny=ZfG30z4Nj2Ad6G1v&id=WIWMloFsX2SBmXHQ&ip=&mode=undefined&dll=1
> install-adobe-flash.com/u.php?cashingDeny=H1wwZGHGgFdWvGAO&id=WIWMloFsX2SBmXHQ&dll=1
> install-adobe-flash.com/s.html?cachingDeny=7JT5nkT1IlS1G8jb&id=WIWMloFsX2SBmXHQ
> install-adobe-flash.com/a.php?cachingDeny=BMw4zEsf2zUDh554&id=WIWMloFsX2SBmXHQ
> install-adobe-flash.com/i.php?cachingDeny=L46S86d7S49YI1QX&id=WIWMloFsX2SBmXHQ
> install-adobe-flash.com/v.php?cachingDeny=tVRj436o397uJIw4&id=WIWMloFsX2SBmXHQ&ver=2&acc=12
> install-adobe-flash.com/l.php?cashingDeny=S2Ua0lt0LZ47ck07&acc=12&id=WIWMloFsX2SBmXHQ
>
> /s.html?cachingDeny=Iu42gEHQO4g42103&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=gkww4GwP02xIL1Y7&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=2DY478jzYH9x0Q2w&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=953n1AVjZgzemRME&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=A4aj3k03rON9Vtg5&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=NqUe73vD2n1A7usj&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=ijvi1FHOsvO0pv2Q&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=uCX9F94y648XG1G4&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=12y5HZ96Tbym44Bv&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=81S0RjT4T94bZ7nL&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=P2T6S38Cuia011h2&id=tz1bu2J0xA10bn5S
> /s.html?cachingDeny=civ9UD3mu3OYaC58&id=tz1bu2J0xA10bn5S
>
> There are some annoyances in the use of .php and .html in the script
> names and the intermixed use of 'cachingDeny' and 'cashingDeny' as
> the parameter names, as well as some requests with other parameters
> (and one that broke ordering of parameters), so I tried for the lowest
> common denominator. Improvements on this certainly welcome.
>
> Incidentally 2008756 looks like it picks up the 'Kvadrlson' user-agent
> that one or more variants of this use.
>
> --
> Darren Spruell
> phatbuckett at gmail.com
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From pepperjack at afferentsecurity.com Fri Nov 6 08:27:18 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 06 Nov 2009 07:27:18 -0600
Subject: [Emerging-Sigs] FTP Brute Force
Message-ID: <20091106072718.gdwnpboxwks0w0o8@mail.afferentsecurity.com>

Something new here. Logging in as user "NULL".

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP User NULL Login Attempts"; flow:to_server,established; content:"USER NULL|0d0a|"; nocase; classtype:attempted-admin; sid:1003023; rev:1;)

03:13:16.235203 00:22:83:93:f9:85 > 00:22:19:ac:6e:40, ethertype IPv4 (0x0800), length 65: 219.146.8.75.31248 > 10.11.10.2.21: P 175:186(11) ack 442 win 49680
        0x0000:  4500 0033 271b 4000 3106 2ac0 db92 084b  E..3'.@.1.*....K
        0x0010:  0a0b 0a02 7a10 0015 9ca7 051f 1422 43e5  ....z........"C.
        0x0020:  5018 c210 1b86 0000 5553 4552 204e 554c  P.......USER.NUL
        0x0030:  4c0d 0a                                  L..
03:13:16.480780 00:22:19:ac:6e:40 > 00:22:83:93:f9:85, ethertype IPv4 (0x0800), length 84: 10.11.10.2.21 > 219.146.8.75.31248: P 475:505(30) ack 202 win 32667
        0x0000:  4500 0046 3de3 4000 8006 c4e4 0a0b 0a02  E..F=.@.........
        0x0010:  db92 084b 0015 7a10 1422 4406 9ca7 053a  ...K..z.."D....:
        0x0020:  5018 7f9b 754c 0000 3533 3020 5573 6572  P...uL..530.User
        0x0030:  204e 554c 4c20 6361 6e6e 6f74 206c 6f67  .NULL.cannot.log
        0x0040:  2069 6e2e 0d0a                           .in...
03:13:16.725299 00:22:83:93:f9:85 > 00:22:19:ac:6e:40, ethertype IPv4 (0x0800), length 65: 219.146.8.75.31248 > 10.11.10.2.21: P 202:213(11) ack 505 win 49680
        0x0000:  4500 0033 271d 4000 3106 2abe db92 084b  E..3'.@.1.*....K
        0x0010:  0a0b 0a02 7a10 0015 9ca7 053a 1422 4424  ....z......:."D$
        0x0020:  5018 c210 1b2c 0000 5553 4552 204e 554c  P....,..USER.NUL
        0x0030:  4c0d 0a                                  L..

jp
--

Framework? I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From kevross33 at googlemail.com Fri Nov 6 08:53:53 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 6 Nov 2009 13:53:53 +0000
Subject: [Emerging-Sigs] FTP Brute Force
In-Reply-To: <20091106072718.gdwnpboxwks0w0o8@mail.afferentsecurity.com>
References: <20091106072718.gdwnpboxwks0w0o8@mail.afferentsecurity.com>
Message-ID:

Can I recommend some depth on the check? Just for performance.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP User NULL Login Attempts"; flow:to_server,established; content:"USER NULL|0d0a|"; nocase; depth:11; classtype:attempted-admin; sid:1003023; rev:1;)

Btw, in case you don't use it, BRO IDS provides excellent forensic ability into things like FTP (I always use it to back up what my snort sensors detect, to find related connections, HTTP requests, what happened in that session and so on). Probably not so good in this case as the login is failing, but always nice. An example of an FTP session (with info removed) is below. Having summary logs like the one below for connections, HTTP, IRC, FTP etc. is always quite useful, and so I find BRO IDS a useful tool to help me.

1256906063.176378 #1471 X.X.X.X/44362 > X.X.X.X/ftp start
1256906063.202866 #1471 response (220 XXXXXXX FTP server ready.)
1256906063.212579 #1471 USER XXXX (logged in)
1256906063.248044 #1471 CWD / (ok)
1256906063.258703 #1471 MKD XX (521 "/XX" directory exists)
1256906063.271356 #1471 CWD XX (ok)
1256906063.281270 #1471 MKD XXXXXX (521 "/XXX/XXXXX" directory exists)
1256906063.293113 #1471 CWD XXXXX (ok)
1256906063.303153 #1471 MKD XXXX (521 "/XXXX/XXXXX/IXXXX" directory exists)
1256906063.314332 #1471 CWD XXXX (ok)
1256906063.326868 #1471 MKD OUT (521 "/XXXX/XXXXX/XXXX/XXXX" directory exists)
1256906063.337836 #1471 CDUP (ok)
1256906063.348982 #1471 CDUP (ok)
1256906063.364658 #1471 CDUP (ok)
1256906063.375284 #1471 CWD /XXXX/XXX/XXXX/XXXX (ok)
1256906063.385953 #1471 TYPE I (ok)
1256906063.397753 #1471 PORT XXXXXXX (ok)
1256906063.408476 #1471 STOR XXXXXXX.tar (complete)

2009/11/6 Jack Pepper

> Something new here. Logging in as user "NULL".
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP User
> NULL Login Attempts"; flow:to_server,established; content:"USER
> NULL|0d0a|"; nocase; classtype:attempted-admin; sid:1003023; rev:1;)
>
> 03:13:16.235203 00:22:83:93:f9:85 > 00:22:19:ac:6e:40, ethertype IPv4
> (0x0800), length 65: 219.146.8.75.31248 > 10.11.10.2.21: P 175:186(11)
> ack 442 win 49680
>        0x0000:  4500 0033 271b 4000 3106 2ac0 db92 084b  E..3'.@.1.*....K
>        0x0010:  0a0b 0a02 7a10 0015 9ca7 051f 1422 43e5  ....z........"C.
>        0x0020:  5018 c210 1b86 0000 5553 4552 204e 554c  P.......USER.NUL
>        0x0030:  4c0d 0a                                  L..
> 03:13:16.480780 00:22:19:ac:6e:40 > 00:22:83:93:f9:85, ethertype IPv4
> (0x0800), length 84: 10.11.10.2.21 > 219.146.8.75.31248: P 475:505(30)
> ack 202 win 32667
>        0x0000:  4500 0046 3de3 4000 8006 c4e4 0a0b 0a02  E..F=.@.........
>        0x0010:  db92 084b 0015 7a10 1422 4406 9ca7 053a  ...K..z.."D....:
>        0x0020:  5018 7f9b 754c 0000 3533 3020 5573 6572  P...uL..530.User
>        0x0030:  204e 554c 4c20 6361 6e6e 6f74 206c 6f67  .NULL.cannot.log
>        0x0040:  2069 6e2e 0d0a                           .in...
> 03:13:16.725299 00:22:83:93:f9:85 > 00:22:19:ac:6e:40, ethertype IPv4
> (0x0800), length 65: 219.146.8.75.31248 > 10.11.10.2.21: P 202:213(11)
> ack 505 win 49680
>        0x0000:  4500 0033 271d 4000 3106 2abe db92 084b  E..3'.@.1.*....K
>        0x0010:  0a0b 0a02 7a10 0015 9ca7 053a 1422 4424  ....z......:."D$
>        0x0020:  5018 c210 1b2c 0000 5553 4552 204e 554c  P....,..USER.NUL
>        0x0030:  4c0d 0a                                  L..
>
> jp
> --
>
> Framework? I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From kevross33 at googlemail.com Fri Nov 6 09:01:15 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 6 Nov 2009 14:01:15 +0000
Subject: [Emerging-Sigs] Rule Performance fix
Message-ID:

Brought this up but it might have gotten lost in other discussions. Mostly to avoid a PCRE check on every CLSID to try and match 3 possible CLSID values, so I thought it would be better split up to avoid this and provide a content match on each CLSID value.
Kev # Performance Fix #Original Rule, I recommend this is split into 3 sigs so it is not applying a PCRE to every CLSID and ending up without a match: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption"; flow:established,from_server; content:"CLSID"; nocase; pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url, www.microsoft.com/technet/security/bulletin/ms06-021.mspx; classtype:web-application-attack; reference:url, doc.emergingthreats.net/2002971; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:2002971; rev:68;) #Replacement Rules: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000003; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; 
reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000004; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt"; flow:established,to_client; content:"CLSID"; nocase; content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; classtype:attempted-user; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021; sid:19000005; rev:1;) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091106/03fb6122/attachment-0001.html From jonkman at jonkmans.com Fri Nov 6 11:17:48 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 06 Nov 2009 11:17:48 -0500 Subject: [Emerging-Sigs] Rule Performance fix In-Reply-To: References: Message-ID: <4AF44C2C.8010504@jonkmans.com> Good catch, fixed up! Matt Kevin Ross wrote: > Brought this up but it might have gotten lost in other discussions. > Mostly to avoid a PCRE check on every CLSID to try and match 3 possible > CLSID values, so I thought it would be better split up to avoid this and > provide a content match on each CLSID value. 
> Kev
>
> # Performance Fix
> #Original Rule, I recommend this is split into 3 sigs so it is not
> applying a PCRE to every CLSID and ending up without a match:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption";
> flow:established,from_server; content:"CLSID"; nocase;
> pcre:"/B4DC8DD9-2CC1-4081-9B2B-20D7030234EF|C63344D8-70D3-4032-9B32-7A3CAD5091A5|353359C1-39E1-491b-9951-464FD8AB071C/Ri";
> reference:cve,2006-1303; reference:bugtraq,18328;
> reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx;
> classtype:web-application-attack;
> reference:url,doc.emergingthreats.net/2002971;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021;
> sid:2002971; rev:68;)
>
> #Replacement Rules:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1
> Access Attempt"; flow:established,to_client; content:"CLSID"; nocase;
> content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0;
> pcre:"/<object\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si";
> classtype:attempted-user; reference:cve,2006-1303;
> reference:bugtraq,18328;
> reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx;
> reference:url,doc.emergingthreats.net/2002971;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021;
> sid:19000003; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2
> Access Attempt"; flow:established,to_client; content:"CLSID"; nocase;
> content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; distance:0;
> pcre:"/<object\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si";
> classtype:attempted-user; reference:cve,2006-1303;
> reference:bugtraq,18328;
> reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx;
> reference:url,doc.emergingthreats.net/2002971;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021;
> sid:19000004; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3
> Access Attempt"; flow:established,to_client; content:"CLSID"; nocase;
> content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; distance:0;
> pcre:"/<object\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si";
> classtype:attempted-user; reference:cve,2006-1303;
> reference:bugtraq,18328;
> reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx;
> reference:url,doc.emergingthreats.net/2002971;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021;
> sid:19000005; rev:1;)
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From thierry.chich at ac-clermont.fr Fri Nov 6 12:30:57 2009
From: thierry.chich at ac-clermont.fr (Thierry Chich)
Date: Fri, 6 Nov 2009 18:30:57 +0100
Subject: [Emerging-Sigs] FTP Brute Force
In-Reply-To: <20091106072718.gdwnpboxwks0w0o8@mail.afferentsecurity.com>
References: <20091106072718.gdwnpboxwks0w0o8@mail.afferentsecurity.com>
Message-ID:
<200911061830.57916.thierry.chich@ac-clermont.fr>

On Friday 6 November 2009, Jack Pepper wrote:
> Something new here. Logging in as user "NULL".
>
I can't understand what it means. Why should NULL be a more dangerous user than any other? It doesn't seem more significant than an FTP attempt with the user ftp or test, in my opinion. Either I don't know something (like a strange implementation of an FTP server, for instance *), or it is one of the most stupid brute force attempts I can think of.

Thierry

* Of course, I should have thought that it would be a Windows implementation: the NULL user is used in IPC
http://www.securityfocus.com/infocus/1352

> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP User NULL Login Attempts"; flow:to_server,established; content:"USER NULL|0d0a|"; nocase; classtype:attempted-admin; sid:1003023; rev:1;)
>
> 03:13:16.235203 00:22:83:93:f9:85 > 00:22:19:ac:6e:40, ethertype IPv4 (0x0800), length 65: 219.146.8.75.31248 > 10.11.10.2.21: P 175:186(11) ack 442 win 49680
>         0x0000:  4500 0033 271b 4000 3106 2ac0 db92 084b  E..3'.@.1.*....K
>         0x0010:  0a0b 0a02 7a10 0015 9ca7 051f 1422 43e5  ....z........"C.
>         0x0020:  5018 c210 1b86 0000 5553 4552 204e 554c  P.......USER.NUL
>         0x0030:  4c0d 0a                                  L..
> 03:13:16.480780 00:22:19:ac:6e:40 > 00:22:83:93:f9:85, ethertype IPv4 (0x0800), length 84: 10.11.10.2.21 > 219.146.8.75.31248: P 475:505(30) ack 202 win 32667
>         0x0000:  4500 0046 3de3 4000 8006 c4e4 0a0b 0a02  E..F=.@.........
>         0x0010:  db92 084b 0015 7a10 1422 4406 9ca7 053a  ...K..z.."D....:
>         0x0020:  5018 7f9b 754c 0000 3533 3020 5573 6572  P...uL..530.User
>         0x0030:  204e 554c 4c20 6361 6e6e 6f74 206c 6f67  .NULL.cannot.log
>         0x0040:  2069 6e2e 0d0a                           .in...
> 03:13:16.725299 00:22:83:93:f9:85 > 00:22:19:ac:6e:40, ethertype IPv4 (0x0800), length 65: 219.146.8.75.31248 > 10.11.10.2.21: P 202:213(11) ack 505 win 49680
>         0x0000:  4500 0033 271d 4000 3106 2abe db92 084b  E..3'.@.1.*....K
>         0x0010:  0a0b 0a02 7a10 0015 9ca7 053a 1422 4424  ....z......:."D$
>         0x0020:  5018 c210 1b2c 0000 5553 4552 204e 554c  P....,..USER.NUL
>         0x0030:  4c0d 0a                                  L..
>
> jp
>

From kevross33 at googlemail.com Fri Nov 6 15:21:04 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 6 Nov 2009 20:21:04 +0000
Subject: [Emerging-Sigs] SIG:Apache mod_perl XSS
Message-ID:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache mod_perl 'Apache::Status' and 'Apache2::Status' Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"|2F|perl|2D|status|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; sid:15000001; rev:1;)

Kev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091106/5ecc0a8a/attachment.html

From emerging at emergingthreats.net Fri Nov 6 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 6 Nov 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091106210012.DDC004502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Nov 6 16:00:12 2009 [***]

[+++] Added rules: [+++]

 2010249 - ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) (emerging-current_events.rules)
 2010263 - ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt (emerging-web_client.rules)
 2010264 - ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt (emerging-web_client.rules)

[///] Modified active rules: [///]

 2002971 - ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt (emerging-web_client.rules)

[---]
Removed rules: [---]

 20102449 - ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) (emerging-current_events.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (4):
       2002971 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
       2010249 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/20102449 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
       2010263 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
       2010264 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303

    -> Added to emerging-sid-msg.map.txt (4):
       2002971 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
       2010249 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/20102449 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
       2010263 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
       2010264 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (26):
       2002971 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
       2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       20102449 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/20102449 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

    -> Removed from emerging-sid-msg.map.txt (26):
       2002971 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
       2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       20102449 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/20102449 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

From emerging at emergingthreats.net Sat Nov 7 16:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 7 Nov 2009 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091107210013.7E2524502D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Nov 7 16:00:13 2009 [***]

[*] Rules modifications: [*] None.
[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (128):
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (128): 2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 
2500481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500495 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic UDP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP 
(255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (244) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (250) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From emerging at emergingthreats.net Sat Nov 7 18:00:13 2009 From: emerging at emergingthreats.net 
(emerging@emergingthreats.net)
Date: Sat, 7 Nov 2009 18:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20091107230013.6BEC04502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Nov 7 18:00:13 2009 [***]

[+++] Added rules: [+++]

2010221 - ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) (emerging-virus.rules)
2010222 - ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi (emerging-current_events.rules)
2010223 - ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010224 - ET TROJAN Opachki Link Hijacker Traffic Redirection (emerging-virus.rules)
2010227 - ET WEB_CLIENT Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt (emerging-web_client.rules)
2010228 - ET POLICY Microsoft Windows 7 User-Agent detected (emerging-policy.rules)
2010229 - ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt (emerging-web_server.rules)
2010230 - ET TROJAN W32.Koblu (emerging-virus.rules)
2010231 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010232 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010233 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download (emerging-current_events.rules)
2010234 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010235 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010236 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010237 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010238 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010239 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post (emerging-current_events.rules)
2010240 - ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD (emerging-virus.rules)
2010241 - ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET (emerging-virus.rules)
2010242 - ET TROJAN WindowsEnterpriseSuite FakeAV get_product_domains.php (emerging-virus.rules)
2010243 - ET TROJAN Agent.END (emerging-virus.rules)
2010244 - ET TROJAN Obitel Downloader Request (emerging-virus.rules)
2010245 - ET WEB_CLIENT ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call (emerging-web_client.rules)
2010246 - ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in (emerging-virus.rules)
2010247 - ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST (emerging-virus.rules)
2010248 - ET TROJAN Eleonore Exploit Pack activity (emerging-virus.rules)
2010249 - ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) (emerging-current_events.rules)
2010250 - ET CURRENT_EVENTS ZBot EXE Download (personalfile/word.exe) (emerging-current_events.rules)
2010251 - ET CURRENT_EVENTS ZBot EXE Download (updatetool.exe) (emerging-current_events.rules)
2010252 - ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010253 - ET WEB_CLIENT EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt (emerging-web_client.rules)
2010254 - ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010255 - ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion (emerging-web_specific_apps.rules)
2010256 - ET WEB_CLIENT Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access (emerging-web_client.rules)
2010257 - ET WEB_CLIENT Installshiled 2009 premier ActiveX File Overwrite Function Call (emerging-web_client.rules)
2010258 - ET WEB_CLIENT Installshiled 2009 premier ActiveX File Overwrite clsid Access (emerging-web_client.rules)
2010259 - ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection (emerging-web_specific_apps.rules)
2010260 - ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010261 - ET TROJAN WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient (emerging-virus.rules)
2010262 - ET TROJAN WindowsEnterpriseSuite FakeAV Dynamic User-Agent (emerging-virus.rules)
2010263 - ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt (emerging-web_client.rules)
2010264 - ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt (emerging-web_client.rules)
2406958 - ET RBN Known Russian Business Network IP TCP (480) (emerging-rbn.rules)
2406959 - ET RBN Known Russian Business Network IP UDP (480) (emerging-rbn.rules)
2406960 - ET RBN Known Russian Business Network IP TCP (481) (emerging-rbn.rules)
2406961 - ET RBN Known Russian Business Network IP UDP (481) (emerging-rbn.rules)
2406962 - ET RBN Known Russian Business Network IP TCP (482) (emerging-rbn.rules)
2406963 - ET RBN Known Russian Business Network IP UDP (482) (emerging-rbn.rules)
2406964 - ET RBN Known Russian Business Network IP TCP (483) (emerging-rbn.rules)
2406965 - ET RBN Known Russian Business Network IP UDP (483) (emerging-rbn.rules)
2406966 - ET RBN Known Russian Business Network IP TCP (484) (emerging-rbn.rules)
2406967 - ET RBN Known Russian Business Network IP UDP (484) (emerging-rbn.rules)
2406968 - ET RBN Known Russian Business Network IP TCP (485) (emerging-rbn.rules)
2406969 - ET RBN Known Russian Business Network IP UDP (485) (emerging-rbn.rules)
2407958 - ET RBN Known Russian Business Network IP TCP - BLOCKING (480) (emerging-rbn-BLOCK.rules)
2407959 - ET RBN Known Russian Business Network IP UDP - BLOCKING (480) (emerging-rbn-BLOCK.rules)
2407960 - ET RBN Known Russian Business Network IP TCP - BLOCKING (481) (emerging-rbn-BLOCK.rules)
2407961 - ET RBN Known Russian Business Network IP UDP - BLOCKING (481) (emerging-rbn-BLOCK.rules)
2407962 - ET RBN Known Russian Business Network IP TCP - BLOCKING (482) (emerging-rbn-BLOCK.rules)
2407963 - ET RBN Known Russian Business Network IP UDP - BLOCKING (482) (emerging-rbn-BLOCK.rules)
2407964 - ET RBN Known Russian Business Network IP TCP - BLOCKING (483) (emerging-rbn-BLOCK.rules)
2407965 - ET RBN Known Russian Business Network IP UDP - BLOCKING (483) (emerging-rbn-BLOCK.rules)
2407966 - ET RBN Known Russian Business Network IP TCP - BLOCKING (484) (emerging-rbn-BLOCK.rules)
2407967 - ET RBN Known Russian Business Network IP UDP - BLOCKING (484) (emerging-rbn-BLOCK.rules)
2407968 - ET RBN Known Russian Business Network IP TCP - BLOCKING (485) (emerging-rbn-BLOCK.rules)
2407969 - ET RBN Known Russian Business Network IP UDP - BLOCKING (485) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2002971 - ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt (emerging-web_client.rules)
2008127 - ET WEB_CLIENT ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods (emerging-web_client.rules)
2008450 - ET TROJAN Donbot Connect to CnC (emerging-virus.rules)
2008451 - ET TROJAN Donbot Report to CnC (emerging-virus.rules)
2008737 - ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin (emerging-virus.rules)
2008738 - ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related (emerging-virus.rules)
2008739 - ET TROJAN Conficker/MS08-067 Worm Traffic Outbound (emerging-virus.rules)
2009702 - ET POLICY DNS Update From External net (emerging-policy.rules)
2009923 - ET WEB_CLIENT ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt (emerging-web_client.rules)
2010100 - ET TROJAN Palevo/BFBot/Mariposa client join attempt (emerging-virus.rules)
2010101 - ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement (emerging-virus.rules)
2010121 - ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection (emerging-web_specific_apps.rules)
2010122 - ET WEB_SPECIFIC NewSolved newsscript.php idneu Parameter SQL Injection (emerging-web_specific_apps.rules)
2010123 - ET WEB_SPECIFIC NewSolved newsscript.php newsid Parameter SQL Injection (emerging-web_specific_apps.rules)
2010124 - ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010125 - ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010126 - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion (emerging-web_specific_apps.rules)
2010127 - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion (emerging-web_specific_apps.rules)
2010129 - ET USER_AGENTS TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt) (emerging-user_agents.rules)
2010130 - ET USER_AGENTS Suspicious HTTP Request with empty User Agent (emerging-user_agents.rules)
2010131 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules)
2010132 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010133 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules)
2010134 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010135 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules)
2010136 - ET USER_AGENTS Suspicious User-Agent (asp2009) (emerging-user_agents.rules)
2010137 - ET USER_AGENTS Suspicious User-Agent (Sme32) (emerging-user_agents.rules)
2010138 - ET TROJAN Possible Win32/Agent.QBY CnC Post (emerging-virus.rules)
2010139 - ET P2P Vuze BT Connection (emerging-p2p.rules)
2010140 - ET P2P Vuze BT UDP Connection (emerging-p2p.rules)
2010141 - ET P2P Vuze BT UDP Connection (2) (emerging-p2p.rules)
2010142 - ET P2P Vuze BT UDP Connection (3) (emerging-p2p.rules)
2010143 - ET P2P Vuze BT UDP Connection (4) (emerging-p2p.rules)
2010144 - ET P2P Vuze BT UDP Connection (5) (emerging-p2p.rules)
2010145 - ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010146 - ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010147 - ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2010148 - ET CURRENT_EVENTS DHL Spam Inbound (emerging-current_events.rules)
2010149 - ET TROJAN Koobface HTTP Request (emerging-virus.rules)
2010150 - ET TROJAN Koobface HTTP Request (2) (emerging-virus.rules)
2010151 - ET TROJAN Koobface C&C availability check (emerging-virus.rules)
2010152 - ET TROJAN Koobface C&C availability check successful (emerging-virus.rules)
2010153 - ET TROJAN Koobface fetch C&C command detected (emerging-virus.rules)
2010154 - ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt (emerging-web_client.rules)
2010155 - ET WEB_CLIENT ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt (emerging-web_client.rules)
2010156 - ET GAMES Alien Arena 7.30 Remote Code Execution Attempt (emerging-game.rules)
2010157 - ET USER_AGENTS TROJAN Nanspy User-Agent (XXX) (emerging-user_agents.rules)
2010158 - ET TROJAN Nanspy Bot Checkin (emerging-virus.rules)
2010159 - ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt (emerging-web_server.rules)
2010160 - ET WEB_CLIENT ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt (emerging-web_client.rules)
2010161 - ET WEB_CLIENT ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt (emerging-web_client.rules)
2010162 - ET WEB_SERVER Possible Sucessful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt (emerging-web_server.rules)
2010163 - ET TROJAN Glacial Dracon C&C Communication (emerging-virus.rules)
2010164 - ET TROJAN Daonol C&C Communication (emerging-virus.rules)
2010165 - ET TROJAN Tibs/Harnig Downloader Activity (emerging-virus.rules)
2010166 - ET CURRENT_EVENTS Facebook Spam Inbound (emerging-current_events.rules)
2010167 - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt (emerging-web_specific_apps.rules)
2010168 - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt (emerging-web_specific_apps.rules)
2010169 - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt (emerging-web_specific_apps.rules)
2010170 - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt (emerging-web_specific_apps.rules)
2010171 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt (emerging-web_specific_apps.rules)
2010172 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt (emerging-web_specific_apps.rules)
2010173 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt
(emerging-web_specific_apps.rules) 2010174 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt (emerging-web_specific_apps.rules) 2010175 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt (emerging-web_specific_apps.rules) 2010176 - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt (emerging-web_specific_apps.rules) 2010177 - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt (emerging-web_specific_apps.rules) 2010178 - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt (emerging-web_specific_apps.rules) 2010179 - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt (emerging-web_specific_apps.rules) 2010180 - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt (emerging-web_specific_apps.rules) 2010181 - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010182 - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010183 - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010184 - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010185 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010186 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010187 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules) 2010188 - ET WEB_SPECIFIC_APPS 
QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules) 2010189 - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules) 2010190 - ET WEB_CLIENT ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call (emerging-web_client.rules) 2010191 - ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion (emerging-web_specific_apps.rules) 2010192 - ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion (emerging-web_specific_apps.rules) 2010193 - ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion (emerging-web_specific_apps.rules) 2010194 - ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal (emerging-web_specific_apps.rules) 2010195 - ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection (emerging-web_specific_apps.rules) 2010196 - ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection (emerging-web_specific_apps.rules) 2010197 - ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion (emerging-web_specific_apps.rules) 2010198 - ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion (emerging-web_specific_apps.rules) 2010199 - ET WEB_SPECIFIC_APPS Symantec AppStream LaunchObj ActiveX arbitrary code download and execution (emerging-web_specific_apps.rules) 2010200 - ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010201 - ET TROJAN Silon Encrypted Data POST to C&C (emerging-virus.rules) 2010202 - ET WEB_CLIENT Possible Google Chrome chrome //history/ URI Cross-Site Scripting Attempt (emerging-web_client.rules) 2010203 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control 
EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt (emerging-web_client.rules) 2010204 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt (emerging-web_client.rules) 2010205 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt (emerging-web_client.rules) 2010206 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt (emerging-web_client.rules) 2010207 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt (emerging-web_client.rules) 2010208 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt (emerging-web_client.rules) 2010209 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt (emerging-web_client.rules) 2010210 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt (emerging-web_client.rules) 2010211 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt (emerging-web_client.rules) 2010212 - ET WEB_CLIENT ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt (emerging-web_client.rules) 2010214 - ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2010215 - ET SCAN SQL 
Injection Attempt (Agent uil2pn) (emerging-scan.rules) 2010217 - ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin (emerging-virus.rules) 2010218 - ET USER_AGENTS Win32/InternetAntivirus User Agent Detected (Internet Antivirus Pro) (emerging-user_agents.rules) 2010219 - ET WEB_CLIENT ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt (emerging-web_client.rules) 2010220 - ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE) (emerging-user_agents.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP 
Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules) 2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules) 2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules) 2404021 - ET DROP Known Bot C&C Server Traffic (group 22) (emerging-botcc.rules) 2404022 - ET DROP Known Bot C&C Server Traffic (group 23) (emerging-botcc.rules) 2404023 - ET DROP Known Bot C&C Server Traffic (group 24) 
(emerging-botcc.rules) 2404024 - ET DROP Known Bot C&C Server Traffic (group 25) (emerging-botcc.rules) 2404025 - ET DROP Known Bot C&C Server Traffic (group 26) (emerging-botcc.rules) 2404026 - ET DROP Known Bot C&C Server Traffic (group 27) (emerging-botcc.rules) 2404027 - ET DROP Known Bot C&C Server Traffic (group 28) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE 
(emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405023 - ET DROP Known Bot C&C Traffic (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405024 - ET DROP Known Bot C&C Traffic (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405025 - ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405026 - ET DROP Known Bot C&C Traffic (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405027 - ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2406000 - ET RBN Known Russian Business Network IP TCP (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network IP UDP (1) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network IP TCP (2) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network IP UDP (2) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network IP TCP (3) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network IP UDP (3) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network IP TCP (4) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network IP UDP (4) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network IP TCP (5) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network IP UDP (5) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network IP TCP (6) (emerging-rbn.rules) 2406011 - ET 
RBN Known Russian Business Network IP UDP (6) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network IP TCP (7) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network IP UDP (7) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network IP TCP (8) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network IP UDP (8) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network IP TCP (9) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network IP UDP (9) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network IP TCP (10) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network IP UDP (10) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network IP TCP (11) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network IP UDP (11) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network IP TCP (12) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network IP UDP (12) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network IP TCP (13) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network IP UDP (13) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network IP TCP (14) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network IP UDP (14) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network IP TCP (15) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network IP UDP (15) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network IP TCP (16) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network IP UDP (16) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network IP TCP (17) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network IP UDP (17) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network IP TCP (18) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network IP UDP (18) 
(emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network IP TCP (19) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network IP UDP (19) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network IP TCP (20) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network IP UDP (20) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network IP TCP (21) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network IP UDP (21) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network IP TCP (22) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network IP UDP (22) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network IP TCP (23) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network IP UDP (23) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network IP TCP (24) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network IP UDP (24) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network IP TCP (25) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network IP UDP (25) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network IP TCP (26) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network IP UDP (26) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network IP TCP (27) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network IP UDP (27) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network IP TCP (28) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network IP UDP (28) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network IP TCP (29) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network IP UDP (29) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network IP TCP (30) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network IP UDP (30) (emerging-rbn.rules) 2406060 - ET RBN Known Russian 
Business Network IP TCP (31) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network IP UDP (31) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network IP TCP (32) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network IP UDP (32) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network IP TCP (33) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network IP UDP (33) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network IP TCP (34) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network IP UDP (34) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network IP TCP (35) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network IP UDP (35) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network IP TCP (36) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network IP UDP (36) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network IP TCP (37) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network IP UDP (37) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network IP TCP (38) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network IP UDP (38) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network IP TCP (39) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network IP UDP (39) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network IP TCP (40) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network IP UDP (40) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network IP TCP (41) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network IP UDP (41) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network IP TCP (42) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network IP UDP (42) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network IP TCP (43) (emerging-rbn.rules) 
2406085 - ET RBN Known Russian Business Network IP UDP (43) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network IP TCP (44) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network IP UDP (44) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network IP TCP (45) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network IP UDP (45) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network IP TCP (46) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network IP UDP (46) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network IP TCP (47) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network IP UDP (47) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network IP TCP (48) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network IP UDP (48) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network IP TCP (49) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network IP UDP (49) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network IP TCP (50) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network IP UDP (50) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network IP TCP (51) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network IP UDP (51) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network IP TCP (52) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network IP UDP (52) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network IP TCP (53) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network IP UDP (53) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network IP TCP (54) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network IP UDP (54) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network IP TCP (55) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network IP UDP 
(55) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network IP TCP (56) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network IP UDP (56) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network IP TCP (57) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network IP UDP (57) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network IP TCP (58) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network IP UDP (58) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network IP TCP (59) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network IP UDP (59) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network IP TCP (60) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network IP UDP (60) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network IP TCP (61) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network IP UDP (61) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network IP TCP (62) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network IP UDP (62) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network IP TCP (63) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network IP UDP (63) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network IP TCP (64) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network IP UDP (64) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network IP TCP (65) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network IP UDP (65) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network IP TCP (66) (emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network IP UDP (66) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network IP TCP (67) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network IP UDP (67) (emerging-rbn.rules) 2406134 - ET RBN Known 
Russian Business Network IP TCP (68) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network IP UDP (68) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network IP TCP (69) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network IP UDP (69) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network IP TCP (70) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network IP UDP (70) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network IP TCP (71) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network IP UDP (71) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network IP TCP (72) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network IP UDP (72) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network IP TCP (73) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network IP UDP (73) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network IP TCP (74) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network IP UDP (74) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network IP TCP (75) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network IP UDP (75) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network IP TCP (76) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network IP UDP (76) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network IP TCP (77) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network IP UDP (77) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network IP TCP (78) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network IP UDP (78) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network IP TCP (79) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network IP UDP (79) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network IP TCP (80) 
(emerging-rbn.rules)
    2406159 - ET RBN Known Russian Business Network IP UDP (80) (emerging-rbn.rules)
    2406160 - ET RBN Known Russian Business Network IP TCP (81) (emerging-rbn.rules)
    2406161 - ET RBN Known Russian Business Network IP UDP (81) (emerging-rbn.rules)
    2406162 - ET RBN Known Russian Business Network IP TCP (82) (emerging-rbn.rules)
    2406163 - ET RBN Known Russian Business Network IP UDP (82) (emerging-rbn.rules)
    2406164 - ET RBN Known Russian Business Network IP TCP (83) (emerging-rbn.rules)
    2406165 - ET RBN Known Russian Business Network IP UDP (83) (emerging-rbn.rules)
    2406166 - ET RBN Known Russian Business Network IP TCP (84) (emerging-rbn.rules)
    2406167 - ET RBN Known Russian Business Network IP UDP (84) (emerging-rbn.rules)
    2406168 - ET RBN Known Russian Business Network IP TCP (85) (emerging-rbn.rules)
    2406169 - ET RBN Known Russian Business Network IP UDP (85) (emerging-rbn.rules)
    2406170 - ET RBN Known Russian Business Network IP TCP (86) (emerging-rbn.rules)
    2406171 - ET RBN Known Russian Business Network IP UDP (86) (emerging-rbn.rules)
    2406172 - ET RBN Known Russian Business Network IP TCP (87) (emerging-rbn.rules)
    2406173 - ET RBN Known Russian Business Network IP UDP (87) (emerging-rbn.rules)
    2406174 - ET RBN Known Russian Business Network IP TCP (88) (emerging-rbn.rules)
    2406175 - ET RBN Known Russian Business Network IP UDP (88) (emerging-rbn.rules)
    2406176 - ET RBN Known Russian Business Network IP TCP (89) (emerging-rbn.rules)
    2406177 - ET RBN Known Russian Business Network IP UDP (89) (emerging-rbn.rules)
    2406178 - ET RBN Known Russian Business Network IP TCP (90) (emerging-rbn.rules)
    2406179 - ET RBN Known Russian Business Network IP UDP (90) (emerging-rbn.rules)
    2406180 - ET RBN Known Russian Business Network IP TCP (91) (emerging-rbn.rules)
    2406181 - ET RBN Known Russian Business Network IP UDP (91) (emerging-rbn.rules)
    2406182 - ET RBN Known Russian Business Network IP TCP (92) (emerging-rbn.rules)
    2406183 - ET RBN Known Russian Business Network IP UDP (92) (emerging-rbn.rules)
    2406184 - ET RBN Known Russian Business Network IP TCP (93) (emerging-rbn.rules)
    2406185 - ET RBN Known Russian Business Network IP UDP (93) (emerging-rbn.rules)
    2406186 - ET RBN Known Russian Business Network IP TCP (94) (emerging-rbn.rules)
    2406187 - ET RBN Known Russian Business Network IP UDP (94) (emerging-rbn.rules)
    2406188 - ET RBN Known Russian Business Network IP TCP (95) (emerging-rbn.rules)
    2406189 - ET RBN Known Russian Business Network IP UDP (95) (emerging-rbn.rules)
    2406190 - ET RBN Known Russian Business Network IP TCP (96) (emerging-rbn.rules)
    2406191 - ET RBN Known Russian Business Network IP UDP (96) (emerging-rbn.rules)
    2406192 - ET RBN Known Russian Business Network IP TCP (97) (emerging-rbn.rules)
    2406193 - ET RBN Known Russian Business Network IP UDP (97) (emerging-rbn.rules)
    2406194 - ET RBN Known Russian Business Network IP TCP (98) (emerging-rbn.rules)
    2406195 - ET RBN Known Russian Business Network IP UDP (98) (emerging-rbn.rules)
    2406196 - ET RBN Known Russian Business Network IP TCP (99) (emerging-rbn.rules)
    2406197 - ET RBN Known Russian Business Network IP UDP (99) (emerging-rbn.rules)
    2406198 - ET RBN Known Russian Business Network IP TCP (100) (emerging-rbn.rules)
    2406199 - ET RBN Known Russian Business Network IP UDP (100) (emerging-rbn.rules)
    2406200 - ET RBN Known Russian Business Network IP TCP (101) (emerging-rbn.rules)
    2406201 - ET RBN Known Russian Business Network IP UDP (101) (emerging-rbn.rules)
    2406202 - ET RBN Known Russian Business Network IP TCP (102) (emerging-rbn.rules)
    2406203 - ET RBN Known Russian Business Network IP UDP (102) (emerging-rbn.rules)
    2406204 - ET RBN Known Russian Business Network IP TCP (103) (emerging-rbn.rules)
    2406205 - ET RBN Known Russian Business Network IP UDP (103) (emerging-rbn.rules)
    2406206 - ET RBN Known Russian Business Network IP TCP (104) (emerging-rbn.rules)
    2406207 - ET RBN Known Russian Business Network IP UDP (104) (emerging-rbn.rules)
    2406208 - ET RBN Known Russian Business Network IP TCP (105) (emerging-rbn.rules)
    2406209 - ET RBN Known Russian Business Network IP UDP (105) (emerging-rbn.rules)
    2406210 - ET RBN Known Russian Business Network IP TCP (106) (emerging-rbn.rules)
    2406211 - ET RBN Known Russian Business Network IP UDP (106) (emerging-rbn.rules)
    2406212 - ET RBN Known Russian Business Network IP TCP (107) (emerging-rbn.rules)
    2406213 - ET RBN Known Russian Business Network IP UDP (107) (emerging-rbn.rules)
    2406214 - ET RBN Known Russian Business Network IP TCP (108) (emerging-rbn.rules)
    2406215 - ET RBN Known Russian Business Network IP UDP (108) (emerging-rbn.rules)
    2406216 - ET RBN Known Russian Business Network IP TCP (109) (emerging-rbn.rules)
    2406217 - ET RBN Known Russian Business Network IP UDP (109) (emerging-rbn.rules)
    2406218 - ET RBN Known Russian Business Network IP TCP (110) (emerging-rbn.rules)
    2406219 - ET RBN Known Russian Business Network IP UDP (110) (emerging-rbn.rules)
    2406220 - ET RBN Known Russian Business Network IP TCP (111) (emerging-rbn.rules)
    2406221 - ET RBN Known Russian Business Network IP UDP (111) (emerging-rbn.rules)
    2406222 - ET RBN Known Russian Business Network IP TCP (112) (emerging-rbn.rules)
    2406223 - ET RBN Known Russian Business Network IP UDP (112) (emerging-rbn.rules)
    2406224 - ET RBN Known Russian Business Network IP TCP (113) (emerging-rbn.rules)
    2406225 - ET RBN Known Russian Business Network IP UDP (113) (emerging-rbn.rules)
    2406226 - ET RBN Known Russian Business Network IP TCP (114) (emerging-rbn.rules)
    2406227 - ET RBN Known Russian Business Network IP UDP (114) (emerging-rbn.rules)
    2406228 - ET RBN Known Russian Business Network IP TCP (115) (emerging-rbn.rules)
    2406229 - ET RBN Known Russian Business Network IP UDP (115) (emerging-rbn.rules)
    2406230 - ET RBN Known Russian Business Network IP TCP (116) (emerging-rbn.rules)
    2406231 - ET RBN Known Russian Business Network IP UDP (116) (emerging-rbn.rules)
    2406232 - ET RBN Known Russian Business Network IP TCP (117) (emerging-rbn.rules)
    2406233 - ET RBN Known Russian Business Network IP UDP (117) (emerging-rbn.rules)
    2406234 - ET RBN Known Russian Business Network IP TCP (118) (emerging-rbn.rules)
    2406235 - ET RBN Known Russian Business Network IP UDP (118) (emerging-rbn.rules)
    2406236 - ET RBN Known Russian Business Network IP TCP (119) (emerging-rbn.rules)
    2406237 - ET RBN Known Russian Business Network IP UDP (119) (emerging-rbn.rules)
    2406238 - ET RBN Known Russian Business Network IP TCP (120) (emerging-rbn.rules)
    2406239 - ET RBN Known Russian Business Network IP UDP (120) (emerging-rbn.rules)
    2406240 - ET RBN Known Russian Business Network IP TCP (121) (emerging-rbn.rules)
    2406241 - ET RBN Known Russian Business Network IP UDP (121) (emerging-rbn.rules)
    2406242 - ET RBN Known Russian Business Network IP TCP (122) (emerging-rbn.rules)
    2406243 - ET RBN Known Russian Business Network IP UDP (122) (emerging-rbn.rules)
    2406244 - ET RBN Known Russian Business Network IP TCP (123) (emerging-rbn.rules)
    2406245 - ET RBN Known Russian Business Network IP UDP (123) (emerging-rbn.rules)
    2406246 - ET RBN Known Russian Business Network IP TCP (124) (emerging-rbn.rules)
    2406247 - ET RBN Known Russian Business Network IP UDP (124) (emerging-rbn.rules)
    2406248 - ET RBN Known Russian Business Network IP TCP (125) (emerging-rbn.rules)
    2406249 - ET RBN Known Russian Business Network IP UDP (125) (emerging-rbn.rules)
    2406250 - ET RBN Known Russian Business Network IP TCP (126) (emerging-rbn.rules)
    2406251 - ET RBN Known Russian Business Network IP UDP (126) (emerging-rbn.rules)
    2406252 - ET RBN Known Russian Business Network IP TCP (127) (emerging-rbn.rules)
    2406253 - ET RBN Known Russian Business Network IP UDP (127) (emerging-rbn.rules)
    2406254 - ET RBN Known Russian Business Network IP TCP (128) (emerging-rbn.rules)
    2406255 - ET RBN Known Russian Business Network IP UDP (128) (emerging-rbn.rules)
    2406256 - ET RBN Known Russian Business Network IP TCP (129) (emerging-rbn.rules)
    2406257 - ET RBN Known Russian Business Network IP UDP (129) (emerging-rbn.rules)
    2406258 - ET RBN Known Russian Business Network IP TCP (130) (emerging-rbn.rules)
    2406259 - ET RBN Known Russian Business Network IP UDP (130) (emerging-rbn.rules)
    2406260 - ET RBN Known Russian Business Network IP TCP (131) (emerging-rbn.rules)
    2406261 - ET RBN Known Russian Business Network IP UDP (131) (emerging-rbn.rules)
    2406262 - ET RBN Known Russian Business Network IP TCP (132) (emerging-rbn.rules)
    2406263 - ET RBN Known Russian Business Network IP UDP (132) (emerging-rbn.rules)
    2406264 - ET RBN Known Russian Business Network IP TCP (133) (emerging-rbn.rules)
    2406265 - ET RBN Known Russian Business Network IP UDP (133) (emerging-rbn.rules)
    2406266 - ET RBN Known Russian Business Network IP TCP (134) (emerging-rbn.rules)
    2406267 - ET RBN Known Russian Business Network IP UDP (134) (emerging-rbn.rules)
    2406268 - ET RBN Known Russian Business Network IP TCP (135) (emerging-rbn.rules)
    2406269 - ET RBN Known Russian Business Network IP UDP (135) (emerging-rbn.rules)
    2406270 - ET RBN Known Russian Business Network IP TCP (136) (emerging-rbn.rules)
    2406271 - ET RBN Known Russian Business Network IP UDP (136) (emerging-rbn.rules)
    2406272 - ET RBN Known Russian Business Network IP TCP (137) (emerging-rbn.rules)
    2406273 - ET RBN Known Russian Business Network IP UDP (137) (emerging-rbn.rules)
    2406274 - ET RBN Known Russian Business Network IP TCP (138) (emerging-rbn.rules)
    2406275 - ET RBN Known Russian Business Network IP UDP (138) (emerging-rbn.rules)
    2406276 - ET RBN Known Russian Business Network IP TCP (139) (emerging-rbn.rules)
    2406277 - ET RBN Known Russian Business Network IP UDP (139) (emerging-rbn.rules)
    2406278 - ET RBN Known Russian Business Network IP TCP (140) (emerging-rbn.rules)
    2406279 - ET RBN Known Russian Business Network IP UDP (140) (emerging-rbn.rules)
    2406280 - ET RBN Known Russian Business Network IP TCP (141) (emerging-rbn.rules)
    2406281 - ET RBN Known Russian Business Network IP UDP (141) (emerging-rbn.rules)
    2406282 - ET RBN Known Russian Business Network IP TCP (142) (emerging-rbn.rules)
    2406283 - ET RBN Known Russian Business Network IP UDP (142) (emerging-rbn.rules)
    2406284 - ET RBN Known Russian Business Network IP TCP (143) (emerging-rbn.rules)
    2406285 - ET RBN Known Russian Business Network IP UDP (143) (emerging-rbn.rules)
    2406286 - ET RBN Known Russian Business Network IP TCP (144) (emerging-rbn.rules)
    2406287 - ET RBN Known Russian Business Network IP UDP (144) (emerging-rbn.rules)
    2406288 - ET RBN Known Russian Business Network IP TCP (145) (emerging-rbn.rules)
    2406289 - ET RBN Known Russian Business Network IP UDP (145) (emerging-rbn.rules)
    2406290 - ET RBN Known Russian Business Network IP TCP (146) (emerging-rbn.rules)
    2406291 - ET RBN Known Russian Business Network IP UDP (146) (emerging-rbn.rules)
    2406292 - ET RBN Known Russian Business Network IP TCP (147) (emerging-rbn.rules)
    2406293 - ET RBN Known Russian Business Network IP UDP (147) (emerging-rbn.rules)
    2406294 - ET RBN Known Russian Business Network IP TCP (148) (emerging-rbn.rules)
    2406295 - ET RBN Known Russian Business Network IP UDP (148) (emerging-rbn.rules)
    2406296 - ET RBN Known Russian Business Network IP TCP (149) (emerging-rbn.rules)
    2406297 - ET RBN Known Russian Business Network IP UDP (149) (emerging-rbn.rules)
    2406298 - ET RBN Known Russian Business Network IP TCP (150) (emerging-rbn.rules)
    2406299 - ET RBN Known Russian Business Network IP UDP (150) (emerging-rbn.rules)
    2406300 - ET RBN Known Russian Business Network IP TCP (151) (emerging-rbn.rules)
    2406301 - ET RBN Known Russian Business Network IP UDP (151) (emerging-rbn.rules)
    2406302 - ET RBN Known Russian Business Network IP TCP (152) (emerging-rbn.rules)
    2406303 - ET RBN Known Russian Business Network IP UDP (152) (emerging-rbn.rules)
    2406304 - ET RBN Known Russian Business Network IP TCP (153) (emerging-rbn.rules)
    2406305 - ET RBN Known Russian Business Network IP UDP (153) (emerging-rbn.rules)
    2406306 - ET RBN Known Russian Business Network IP TCP (154) (emerging-rbn.rules)
    2406307 - ET RBN Known Russian Business Network IP UDP (154) (emerging-rbn.rules)
    2406308 - ET RBN Known Russian Business Network IP TCP (155) (emerging-rbn.rules)
    2406309 - ET RBN Known Russian Business Network IP UDP (155) (emerging-rbn.rules)
    2406310 - ET RBN Known Russian Business Network IP TCP (156) (emerging-rbn.rules)
    2406311 - ET RBN Known Russian Business Network IP UDP (156) (emerging-rbn.rules)
    2406312 - ET RBN Known Russian Business Network IP TCP (157) (emerging-rbn.rules)
    2406313 - ET RBN Known Russian Business Network IP UDP (157) (emerging-rbn.rules)
    2406314 - ET RBN Known Russian Business Network IP TCP (158) (emerging-rbn.rules)
    2406315 - ET RBN Known Russian Business Network IP UDP (158) (emerging-rbn.rules)
    2406316 - ET RBN Known Russian Business Network IP TCP (159) (emerging-rbn.rules)
    2406317 - ET RBN Known Russian Business Network IP UDP (159) (emerging-rbn.rules)
    2406318 - ET RBN Known Russian Business Network IP TCP (160) (emerging-rbn.rules)
    2406319 - ET RBN Known Russian Business Network IP UDP (160) (emerging-rbn.rules)
    2406320 - ET RBN Known Russian Business Network IP TCP (161) (emerging-rbn.rules)
    2406321 - ET RBN Known Russian Business Network IP UDP (161) (emerging-rbn.rules)
    2406322 - ET RBN Known Russian Business Network IP TCP (162) (emerging-rbn.rules)
    2406323 - ET RBN Known Russian Business Network IP UDP (162) (emerging-rbn.rules)
    2406324 - ET RBN Known Russian Business Network IP TCP (163) (emerging-rbn.rules)
    2406325 - ET RBN Known Russian Business Network IP UDP (163) (emerging-rbn.rules)
    2406326 - ET RBN Known Russian Business Network IP TCP (164) (emerging-rbn.rules)
    2406327 - ET RBN Known Russian Business Network IP UDP (164) (emerging-rbn.rules)
    2406328 - ET RBN Known Russian Business Network IP TCP (165) (emerging-rbn.rules)
    2406329 - ET RBN Known Russian Business Network IP UDP (165) (emerging-rbn.rules)
    2406330 - ET RBN Known Russian Business Network IP TCP (166) (emerging-rbn.rules)
    2406331 - ET RBN Known Russian Business Network IP UDP (166) (emerging-rbn.rules)
    2406332 - ET RBN Known Russian Business Network IP TCP (167) (emerging-rbn.rules)
    2406333 - ET RBN Known Russian Business Network IP UDP (167) (emerging-rbn.rules)
    2406334 - ET RBN Known Russian Business Network IP TCP (168) (emerging-rbn.rules)
    2406335 - ET RBN Known Russian Business Network IP UDP (168) (emerging-rbn.rules)
    2406336 - ET RBN Known Russian Business Network IP TCP (169) (emerging-rbn.rules)
    2406337 - ET RBN Known Russian Business Network IP UDP (169) (emerging-rbn.rules)
    2406338 - ET RBN Known Russian Business Network IP TCP (170) (emerging-rbn.rules)
    2406339 - ET RBN Known Russian Business Network IP UDP (170) (emerging-rbn.rules)
    2406340 - ET RBN Known Russian Business Network IP TCP (171) (emerging-rbn.rules)
    2406341 - ET RBN Known Russian Business Network IP UDP (171) (emerging-rbn.rules)
    2406342 - ET RBN Known Russian Business Network IP TCP (172) (emerging-rbn.rules)
    2406343 - ET RBN Known Russian Business Network IP UDP (172) (emerging-rbn.rules)
    2406344 - ET RBN Known Russian Business Network IP TCP (173) (emerging-rbn.rules)
    2406345 - ET RBN Known Russian Business Network IP UDP (173) (emerging-rbn.rules)
    2406346 - ET RBN Known Russian Business Network IP TCP (174) (emerging-rbn.rules)
    2406347 - ET RBN Known Russian Business Network IP UDP (174) (emerging-rbn.rules)
    2406348 - ET RBN Known Russian Business Network IP TCP (175) (emerging-rbn.rules)
    2406349 - ET RBN Known Russian Business Network IP UDP (175) (emerging-rbn.rules)
    2406350 - ET RBN Known Russian Business Network IP TCP (176) (emerging-rbn.rules)
    2406351 - ET RBN Known Russian Business Network IP UDP (176) (emerging-rbn.rules)
    2406352 - ET RBN Known Russian Business Network IP TCP (177) (emerging-rbn.rules)
    2406353 - ET RBN Known Russian Business Network IP UDP (177) (emerging-rbn.rules)
    2406354 - ET RBN Known Russian Business Network IP TCP (178) (emerging-rbn.rules)
    2406355 - ET RBN Known Russian Business Network IP UDP (178) (emerging-rbn.rules)
    2406356 - ET RBN Known Russian Business Network IP TCP (179) (emerging-rbn.rules)
    2406357 - ET RBN Known Russian Business Network IP UDP (179) (emerging-rbn.rules)
    2406358 - ET RBN Known Russian Business Network IP TCP (180) (emerging-rbn.rules)
    2406359 - ET RBN Known Russian Business Network IP UDP (180) (emerging-rbn.rules)
    2406360 - ET RBN Known Russian Business Network IP TCP (181) (emerging-rbn.rules)
    2406361 - ET RBN Known Russian Business Network IP UDP (181) (emerging-rbn.rules)
    2406362 - ET RBN Known Russian Business Network IP TCP (182) (emerging-rbn.rules)
    2406363 - ET RBN Known Russian Business Network IP UDP (182) (emerging-rbn.rules)
    2406364 - ET RBN Known Russian Business Network IP TCP (183) (emerging-rbn.rules)
    2406365 - ET RBN Known Russian Business Network IP UDP (183) (emerging-rbn.rules)
    2406366 - ET RBN Known Russian Business Network IP TCP (184) (emerging-rbn.rules)
    2406367 - ET RBN Known Russian Business Network IP UDP (184) (emerging-rbn.rules)
    2406368 - ET RBN Known Russian Business Network IP TCP (185) (emerging-rbn.rules)
    2406369 - ET RBN Known Russian Business Network IP UDP (185) (emerging-rbn.rules)
    2406370 - ET RBN Known Russian Business Network IP TCP (186) (emerging-rbn.rules)
    2406371 - ET RBN Known Russian Business Network IP UDP (186) (emerging-rbn.rules)
    2406372 - ET RBN Known Russian Business Network IP TCP (187) (emerging-rbn.rules)
    2406373 - ET RBN Known Russian Business Network IP UDP (187) (emerging-rbn.rules)
    2406374 - ET RBN Known Russian Business Network IP TCP (188) (emerging-rbn.rules)
    2406375 - ET RBN Known Russian Business Network IP UDP (188) (emerging-rbn.rules)
    2406376 - ET RBN Known Russian Business Network IP TCP (189) (emerging-rbn.rules)
    2406377 - ET RBN Known Russian Business Network IP UDP (189) (emerging-rbn.rules)
    2406378 - ET RBN Known Russian Business Network IP TCP (190) (emerging-rbn.rules)
    2406379 - ET RBN Known Russian Business Network IP UDP (190) (emerging-rbn.rules)
    2406380 - ET RBN Known Russian Business Network IP TCP (191) (emerging-rbn.rules)
    2406381 - ET RBN Known Russian Business Network IP UDP (191) (emerging-rbn.rules)
    2406382 - ET RBN Known Russian Business Network IP TCP (192) (emerging-rbn.rules)
    2406383 - ET RBN Known Russian Business Network IP UDP (192) (emerging-rbn.rules)
    2406384 - ET RBN Known Russian Business Network IP TCP (193) (emerging-rbn.rules)
    2406385 - ET RBN Known Russian Business Network IP UDP (193) (emerging-rbn.rules)
    2406386 - ET RBN Known Russian Business Network IP TCP (194) (emerging-rbn.rules)
    2406387 - ET RBN Known Russian Business Network IP UDP (194) (emerging-rbn.rules)
    2406388 - ET RBN Known Russian Business Network IP TCP (195) (emerging-rbn.rules)
    2406389 - ET RBN Known Russian Business Network IP UDP (195) (emerging-rbn.rules)
    2406390 - ET RBN Known Russian Business Network IP TCP (196) (emerging-rbn.rules)
    2406391 - ET RBN Known Russian Business Network IP UDP (196) (emerging-rbn.rules)
    2406392 - ET RBN Known Russian Business Network IP TCP (197) (emerging-rbn.rules)
    2406393 - ET RBN Known Russian Business Network IP UDP (197) (emerging-rbn.rules)
    2406394 - ET RBN Known Russian Business Network IP TCP (198) (emerging-rbn.rules)
    2406395 - ET RBN Known Russian Business Network IP UDP (198) (emerging-rbn.rules)
    2406396 - ET RBN Known Russian Business Network IP TCP (199) (emerging-rbn.rules)
    2406397 - ET RBN Known Russian Business Network IP UDP (199) (emerging-rbn.rules)
    2406398 - ET RBN Known Russian Business Network IP TCP (200) (emerging-rbn.rules)
    2406399 - ET RBN Known Russian Business Network IP UDP (200) (emerging-rbn.rules)
    2406400 - ET RBN Known Russian Business Network IP TCP (201) (emerging-rbn.rules)
    2406401 - ET RBN Known Russian Business Network IP UDP (201) (emerging-rbn.rules)
    2406402 - ET RBN Known Russian Business Network IP TCP (202) (emerging-rbn.rules)
    2406403 - ET RBN Known Russian Business Network IP UDP (202) (emerging-rbn.rules)
    2406404 - ET RBN Known Russian Business Network IP TCP (203) (emerging-rbn.rules)
    2406405 - ET RBN Known Russian Business Network IP UDP (203) (emerging-rbn.rules)
    2406406 - ET RBN Known Russian Business Network IP TCP (204) (emerging-rbn.rules)
    2406407 - ET RBN Known Russian Business Network IP UDP (204) (emerging-rbn.rules)
    2406408 - ET RBN Known Russian Business Network IP TCP (205) (emerging-rbn.rules)
    2406409 - ET RBN Known Russian Business Network IP UDP (205) (emerging-rbn.rules)
    2406410 - ET RBN Known Russian Business Network IP TCP (206) (emerging-rbn.rules)
    2406411 - ET RBN Known Russian Business Network IP UDP (206) (emerging-rbn.rules)
    2406412 - ET RBN Known Russian Business Network IP TCP (207) (emerging-rbn.rules)
    2406413 - ET RBN Known Russian Business Network IP UDP (207) (emerging-rbn.rules)
    2406414 - ET RBN Known Russian Business Network IP TCP (208) (emerging-rbn.rules)
    2406415 - ET RBN Known Russian Business Network IP UDP (208) (emerging-rbn.rules)
    2406416 - ET RBN Known Russian Business Network IP TCP (209) (emerging-rbn.rules)
    2406417 - ET RBN Known Russian Business Network IP UDP (209) (emerging-rbn.rules)
    2406418 - ET RBN Known Russian Business Network IP TCP (210) (emerging-rbn.rules)
    2406419 - ET RBN Known Russian Business Network IP UDP (210) (emerging-rbn.rules)
    2406420 - ET RBN Known Russian Business Network IP TCP (211) (emerging-rbn.rules)
    2406421 - ET RBN Known Russian Business Network IP UDP (211) (emerging-rbn.rules)
    2406422 - ET RBN Known Russian Business Network IP TCP (212) (emerging-rbn.rules)
    2406423 - ET RBN Known Russian Business Network IP UDP (212) (emerging-rbn.rules)
    2406424 - ET RBN Known Russian Business Network IP TCP (213) (emerging-rbn.rules)
    2406425 - ET RBN Known Russian Business Network IP UDP (213) (emerging-rbn.rules)
    2406426 - ET RBN Known Russian Business Network IP TCP (214) (emerging-rbn.rules)
    2406427 - ET RBN Known Russian Business Network IP UDP (214) (emerging-rbn.rules)
    2406428 - ET RBN Known Russian Business Network IP TCP (215) (emerging-rbn.rules)
    2406429 - ET RBN Known Russian Business Network IP UDP (215) (emerging-rbn.rules)
    2406430 - ET RBN Known Russian Business Network IP TCP (216) (emerging-rbn.rules)
    2406431 - ET RBN Known Russian Business Network IP UDP (216) (emerging-rbn.rules)
    2406432 - ET RBN Known Russian Business Network IP TCP (217) (emerging-rbn.rules)
    2406433 - ET RBN Known Russian Business Network IP UDP (217) (emerging-rbn.rules)
    2406434 - ET RBN Known Russian Business Network IP TCP (218) (emerging-rbn.rules)
    2406435 - ET RBN Known Russian Business Network IP UDP (218) (emerging-rbn.rules)
    2406436 - ET RBN Known Russian Business Network IP TCP (219) (emerging-rbn.rules)
    2406437 - ET RBN Known Russian Business Network IP UDP (219) (emerging-rbn.rules)
    2406438 - ET RBN Known Russian Business Network IP TCP (220) (emerging-rbn.rules)
    2406439 - ET RBN Known Russian Business Network IP UDP (220) (emerging-rbn.rules)
    2406440 - ET RBN Known Russian Business Network IP TCP (221) (emerging-rbn.rules)
    2406441 - ET RBN Known Russian Business Network IP UDP (221) (emerging-rbn.rules)
    2406442 - ET RBN Known Russian Business Network IP TCP (222) (emerging-rbn.rules)
    2406443 - ET RBN Known Russian Business Network IP UDP (222) (emerging-rbn.rules)
    2406444 - ET RBN Known Russian Business Network IP TCP (223) (emerging-rbn.rules)
    2406445 - ET RBN Known Russian Business Network IP UDP (223) (emerging-rbn.rules)
    2406446 - ET RBN Known Russian Business Network IP TCP (224) (emerging-rbn.rules)
    2406447 - ET RBN Known Russian Business Network IP UDP (224) (emerging-rbn.rules)
    2406448 - ET RBN Known Russian Business Network IP TCP (225) (emerging-rbn.rules)
    2406449 - ET RBN Known Russian Business Network IP UDP (225) (emerging-rbn.rules)
    2406450 - ET RBN Known Russian Business Network IP TCP (226) (emerging-rbn.rules)
    2406451 - ET RBN Known Russian Business Network IP UDP (226) (emerging-rbn.rules)
    2406452 - ET RBN Known Russian Business Network IP TCP (227) (emerging-rbn.rules)
    2406453 - ET RBN Known Russian Business Network IP UDP (227) (emerging-rbn.rules)
    2406454 - ET RBN Known Russian Business Network IP TCP (228) (emerging-rbn.rules)
    2406455 - ET RBN Known Russian Business Network IP UDP (228) (emerging-rbn.rules)
    2406456 - ET RBN Known Russian Business Network IP TCP (229) (emerging-rbn.rules)
    2406457 - ET RBN Known Russian Business Network IP UDP (229) (emerging-rbn.rules)
    2406458 - ET RBN Known Russian Business Network IP TCP (230) (emerging-rbn.rules)
    2406459 - ET RBN Known Russian Business Network IP UDP (230) (emerging-rbn.rules)
    2406460 - ET RBN Known Russian Business Network IP TCP (231) (emerging-rbn.rules)
    2406461 - ET RBN Known Russian Business Network IP UDP (231) (emerging-rbn.rules)
    2406462 - ET RBN Known Russian Business Network IP TCP (232) (emerging-rbn.rules)
    2406463 - ET RBN Known Russian Business Network IP UDP (232) (emerging-rbn.rules)
    2406464 - ET RBN Known Russian Business Network IP TCP (233) (emerging-rbn.rules)
    2406465 - ET RBN Known Russian Business Network IP UDP (233) (emerging-rbn.rules)
    2406466 - ET RBN Known Russian Business Network IP TCP (234) (emerging-rbn.rules)
    2406467 - ET RBN Known Russian Business Network IP UDP (234) (emerging-rbn.rules)
    2406468 - ET RBN Known Russian Business Network IP TCP (235) (emerging-rbn.rules)
    2406469 - ET RBN Known Russian Business Network IP UDP (235) (emerging-rbn.rules)
    2406470 - ET RBN Known Russian Business Network IP TCP (236) (emerging-rbn.rules)
    2406471 - ET RBN Known Russian Business Network IP UDP (236) (emerging-rbn.rules)
    2406472 - ET RBN Known Russian Business Network IP TCP (237) (emerging-rbn.rules)
    2406473 - ET RBN Known Russian Business Network IP UDP (237) (emerging-rbn.rules)
    2406474 - ET RBN Known Russian Business Network IP TCP (238) (emerging-rbn.rules)
    2406475 - ET RBN Known Russian Business Network IP UDP (238) (emerging-rbn.rules)
    2406476 - ET RBN Known Russian Business Network IP TCP (239) (emerging-rbn.rules)
    2406477 - ET RBN Known Russian Business Network IP UDP (239) (emerging-rbn.rules)
    2406478 - ET RBN Known Russian Business Network IP TCP (240) (emerging-rbn.rules)
    2406479 - ET RBN Known Russian Business Network IP UDP (240) (emerging-rbn.rules)
    2406480 - ET RBN Known Russian Business Network IP TCP (241) (emerging-rbn.rules)
    2406481 - ET RBN Known Russian Business Network IP UDP (241) (emerging-rbn.rules)
    2406482 - ET RBN Known Russian Business Network IP TCP (242) (emerging-rbn.rules)
    2406483 - ET RBN Known Russian Business Network IP UDP (242) (emerging-rbn.rules)
    2406484 - ET RBN Known Russian Business Network IP TCP (243) (emerging-rbn.rules)
    2406485 - ET RBN Known Russian Business Network IP UDP (243) (emerging-rbn.rules)
    2406486 - ET RBN Known Russian Business Network IP TCP (244) (emerging-rbn.rules)
    2406487 - ET RBN Known Russian Business Network IP UDP (244) (emerging-rbn.rules)
    2406488 - ET RBN Known Russian Business Network IP TCP (245) (emerging-rbn.rules)
    2406489 - ET RBN Known Russian Business Network IP UDP (245) (emerging-rbn.rules)
    2406490 - ET RBN Known Russian Business Network IP TCP (246) (emerging-rbn.rules)
    2406491 - ET RBN Known Russian Business Network IP UDP (246) (emerging-rbn.rules)
    2406492 - ET RBN Known Russian Business Network IP TCP (247) (emerging-rbn.rules)
    2406493 - ET RBN Known Russian Business Network IP UDP (247) (emerging-rbn.rules)
    2406494 - ET RBN Known Russian Business Network IP TCP (248) (emerging-rbn.rules)
    2406495 - ET RBN Known Russian Business Network IP UDP (248) (emerging-rbn.rules)
    2406496 - ET RBN Known Russian Business Network IP TCP (249) (emerging-rbn.rules)
    2406497 - ET RBN Known Russian Business Network IP UDP (249) (emerging-rbn.rules)
    2406498 - ET RBN Known Russian Business Network IP TCP (250) (emerging-rbn.rules)
    2406499 - ET RBN Known Russian Business Network IP UDP (250) (emerging-rbn.rules)
    2406500 - ET RBN Known Russian Business Network IP TCP (251) (emerging-rbn.rules)
    2406501 - ET RBN Known Russian Business Network IP UDP (251) (emerging-rbn.rules)
    2406502 - ET RBN Known Russian Business Network IP TCP (252) (emerging-rbn.rules)
    2406503 - ET RBN Known Russian Business Network IP UDP (252) (emerging-rbn.rules)
    2406504 - ET RBN Known Russian Business Network IP TCP (253) (emerging-rbn.rules)
    2406505 - ET RBN Known Russian Business Network IP UDP (253) (emerging-rbn.rules)
    2406506 - ET RBN Known Russian Business Network IP TCP (254) (emerging-rbn.rules)
    2406507 - ET RBN Known Russian Business Network IP UDP (254) (emerging-rbn.rules)
    2406508 - ET RBN Known Russian Business Network IP TCP (255) (emerging-rbn.rules)
    2406509 - ET RBN Known Russian Business Network IP UDP (255) (emerging-rbn.rules)
    2406510 - ET RBN Known Russian Business Network IP TCP (256) (emerging-rbn.rules)
    2406511 - ET RBN Known Russian Business Network IP UDP (256) (emerging-rbn.rules)
    2406512 - ET RBN Known Russian Business Network IP TCP (257) (emerging-rbn.rules)
    2406513 - ET RBN Known Russian Business Network IP UDP (257) (emerging-rbn.rules)
    2406514 - ET RBN Known Russian Business Network IP TCP (258) (emerging-rbn.rules)
    2406515 - ET RBN Known Russian Business Network IP UDP (258) (emerging-rbn.rules)
    2406516 - ET RBN Known Russian Business Network IP TCP (259) (emerging-rbn.rules)
    2406517 - ET RBN Known Russian Business Network IP UDP (259) (emerging-rbn.rules)
    2406518 - ET RBN Known Russian Business Network IP TCP (260) (emerging-rbn.rules)
    2406519 - ET RBN Known Russian Business Network IP UDP (260) (emerging-rbn.rules)
    2406520 - ET RBN Known Russian Business Network IP TCP (261) (emerging-rbn.rules)
    2406521 - ET RBN Known Russian Business Network IP UDP (261) (emerging-rbn.rules)
    2406522 - ET RBN Known Russian Business Network IP TCP (262) (emerging-rbn.rules)
    2406523 - ET RBN Known Russian Business Network IP UDP (262) (emerging-rbn.rules)
    2406524 - ET RBN Known Russian Business Network IP TCP (263) (emerging-rbn.rules)
    2406525 - ET RBN Known Russian Business Network IP UDP (263) (emerging-rbn.rules)
    2406526 - ET RBN Known Russian Business Network IP TCP (264) (emerging-rbn.rules)
    2406527 - ET RBN Known Russian Business Network IP UDP (264) (emerging-rbn.rules)
    2406528 - ET RBN Known Russian Business Network IP TCP (265) (emerging-rbn.rules)
    2406529 - ET RBN Known Russian Business Network IP UDP (265) (emerging-rbn.rules)
    2406530 - ET RBN Known Russian Business Network IP TCP (266) (emerging-rbn.rules)
    2406531 - ET RBN Known Russian Business Network IP UDP (266) (emerging-rbn.rules)
    2406532 - ET RBN Known Russian Business Network IP TCP (267) (emerging-rbn.rules)
    2406533 - ET RBN Known Russian Business Network IP UDP (267) (emerging-rbn.rules)
    2406534 - ET RBN Known Russian Business Network IP TCP (268) (emerging-rbn.rules)
    2406535 - ET RBN Known Russian Business Network IP UDP (268) (emerging-rbn.rules)
    2406536 - ET RBN Known Russian Business Network IP TCP (269) (emerging-rbn.rules)
    2406537 - ET RBN Known Russian Business Network IP UDP (269) (emerging-rbn.rules)
    2406538 - ET RBN Known Russian Business Network IP TCP (270) (emerging-rbn.rules)
    2406539 - ET RBN Known Russian Business Network IP UDP (270) (emerging-rbn.rules)
    2406540 - ET RBN Known Russian Business Network IP TCP (271) (emerging-rbn.rules)
    2406541 - ET RBN Known Russian Business Network IP UDP (271) (emerging-rbn.rules)
    2406542 - ET RBN Known Russian Business Network IP TCP (272) (emerging-rbn.rules)
    2406543 - ET RBN Known Russian Business Network IP UDP (272) (emerging-rbn.rules)
    2406544 - ET RBN Known Russian Business Network IP TCP (273) (emerging-rbn.rules)
    2406545 - ET RBN Known Russian Business Network IP UDP (273) (emerging-rbn.rules)
    2406546 - ET RBN Known Russian Business Network IP TCP (274) (emerging-rbn.rules)
    2406547 - ET RBN Known Russian Business Network IP UDP (274) (emerging-rbn.rules)
    2406548 - ET RBN Known Russian Business Network IP TCP (275) (emerging-rbn.rules)
    2406549 - ET RBN Known Russian Business Network IP UDP (275) (emerging-rbn.rules)
    2406550 - ET RBN Known Russian Business Network IP TCP (276) (emerging-rbn.rules)
    2406551 - ET RBN Known Russian Business Network IP UDP (276) (emerging-rbn.rules)
    2406552 - ET RBN Known Russian Business Network IP TCP (277) (emerging-rbn.rules)
    2406553 - ET RBN Known Russian Business Network IP UDP (277) (emerging-rbn.rules)
    2406554 - ET RBN Known Russian Business Network IP TCP (278) (emerging-rbn.rules)
    2406555 - ET RBN Known Russian Business Network IP UDP (278) (emerging-rbn.rules)
    2406556 - ET RBN Known Russian Business Network IP TCP (279) (emerging-rbn.rules)
    2406557 - ET RBN Known Russian Business Network IP UDP (279) (emerging-rbn.rules)
    2406558 - ET RBN Known Russian Business Network IP TCP (280) (emerging-rbn.rules)
    2406559 - ET RBN Known Russian Business Network IP UDP (280) (emerging-rbn.rules)
    2406560 - ET RBN Known Russian Business Network IP TCP (281) (emerging-rbn.rules)
    2406561 - ET RBN Known Russian Business Network IP UDP (281) (emerging-rbn.rules)
    2406562 - ET RBN Known Russian Business Network IP TCP (282) (emerging-rbn.rules)
    2406563 - ET RBN Known Russian Business Network IP UDP (282) (emerging-rbn.rules)
    2406564 - ET RBN Known Russian Business Network IP TCP (283) (emerging-rbn.rules)
    2406565 - ET RBN Known Russian Business Network IP UDP (283) (emerging-rbn.rules)
    2406566 - ET RBN Known Russian Business Network IP TCP (284) (emerging-rbn.rules)
    2406567 - ET RBN Known Russian Business Network IP UDP (284) (emerging-rbn.rules)
    2406568 - ET RBN Known Russian Business Network IP TCP (285) (emerging-rbn.rules)
    2406569 - ET RBN Known Russian Business Network IP UDP (285) (emerging-rbn.rules)
    2406570 - ET RBN Known Russian Business Network IP TCP (286) (emerging-rbn.rules)
    2406571 - ET RBN Known Russian Business Network IP UDP (286) (emerging-rbn.rules)
    2406572 - ET RBN Known Russian Business Network IP TCP (287) (emerging-rbn.rules)
    2406573 - ET RBN Known Russian Business Network IP UDP (287) (emerging-rbn.rules)
    2406574 - ET RBN Known Russian Business Network IP TCP (288) (emerging-rbn.rules)
    2406575 - ET RBN Known Russian Business Network IP UDP (288) (emerging-rbn.rules)
    2406576 - ET RBN Known Russian Business Network IP TCP (289) (emerging-rbn.rules)
    2406577 - ET RBN Known Russian Business Network IP UDP (289) (emerging-rbn.rules)
    2406578 - ET RBN Known Russian Business Network IP TCP (290) (emerging-rbn.rules)
    2406579 - ET RBN Known Russian Business Network IP UDP (290) (emerging-rbn.rules)
    2406580 - ET RBN Known Russian Business Network IP TCP (291) (emerging-rbn.rules)
    2406581 - ET RBN Known Russian Business Network IP UDP (291) (emerging-rbn.rules)
    2406582 - ET RBN Known Russian Business Network IP TCP (292) (emerging-rbn.rules)
    2406583 - ET RBN Known Russian Business Network IP UDP (292) (emerging-rbn.rules)
    2406584 - ET RBN Known Russian Business Network IP TCP (293) (emerging-rbn.rules)
    2406585 - ET RBN Known Russian Business Network IP UDP (293) (emerging-rbn.rules)
    2406586 - ET RBN Known Russian Business Network IP TCP (294) (emerging-rbn.rules)
    2406587 - ET RBN Known Russian Business Network IP UDP (294) (emerging-rbn.rules)
    2406588 - ET RBN Known Russian Business Network IP TCP (295) (emerging-rbn.rules)
    2406589 - ET RBN Known Russian Business Network IP UDP (295) (emerging-rbn.rules)
    2406590 - ET RBN Known Russian Business Network IP TCP (296) (emerging-rbn.rules)
    2406591 - ET RBN Known Russian Business Network IP UDP (296) (emerging-rbn.rules)
    2406592 - ET RBN Known Russian Business Network IP TCP (297) (emerging-rbn.rules)
    2406593 - ET RBN Known Russian Business Network IP UDP (297) (emerging-rbn.rules)
    2406594 - ET RBN Known Russian Business Network IP TCP (298) (emerging-rbn.rules)
    2406595 - ET RBN Known Russian Business Network IP UDP (298) (emerging-rbn.rules)
    2406596 - ET RBN Known Russian Business Network IP TCP (299) (emerging-rbn.rules)
    2406597 - ET RBN Known Russian Business Network IP UDP (299) (emerging-rbn.rules)
    2406598 - ET RBN Known Russian Business Network IP TCP (300) (emerging-rbn.rules)
    2406599 - ET RBN Known Russian Business Network IP UDP (300) (emerging-rbn.rules)
    2406600 - ET RBN Known Russian Business Network IP TCP (301) (emerging-rbn.rules)
    2406601 - ET RBN Known Russian Business Network IP UDP (301) (emerging-rbn.rules)
    2406602 - ET RBN Known Russian Business Network IP TCP (302) (emerging-rbn.rules)
    2406603 - ET RBN Known Russian Business Network IP UDP (302) (emerging-rbn.rules)
    2406604 - ET RBN Known Russian Business Network IP TCP (303) (emerging-rbn.rules)
    2406605 - ET RBN Known Russian Business Network IP UDP (303) (emerging-rbn.rules)
    2406606 - ET RBN Known Russian Business Network IP TCP (304) (emerging-rbn.rules)
    2406607 - ET RBN Known Russian Business Network IP UDP (304) (emerging-rbn.rules)
    2406608 - ET RBN Known Russian Business Network IP TCP (305) (emerging-rbn.rules)
    2406609 - ET RBN Known Russian Business Network IP UDP (305) (emerging-rbn.rules)
    2406610 - ET RBN Known Russian Business Network IP TCP (306) (emerging-rbn.rules)
    2406611 - ET RBN Known Russian Business Network IP UDP (306) (emerging-rbn.rules)
    2406612 - ET RBN Known Russian Business Network IP TCP (307) (emerging-rbn.rules)
    2406613 - ET RBN Known Russian Business Network IP UDP (307) (emerging-rbn.rules)
    2406614 - ET RBN Known Russian Business Network IP TCP (308) (emerging-rbn.rules)
    2406615 - ET RBN Known Russian Business Network IP UDP (308) (emerging-rbn.rules)
    2406616 - ET RBN Known Russian Business Network IP TCP (309) (emerging-rbn.rules)
    2406617 - ET RBN Known Russian Business Network IP UDP (309) (emerging-rbn.rules)
    2406618 - ET RBN Known Russian Business Network IP TCP (310) (emerging-rbn.rules)
    2406619 - ET RBN Known Russian Business Network IP UDP (310) (emerging-rbn.rules)
    2406620 - ET RBN Known Russian Business Network IP TCP (311) (emerging-rbn.rules)
    2406621 - ET RBN Known Russian Business Network IP UDP (311) (emerging-rbn.rules)
    2406622 - ET RBN Known Russian Business Network IP TCP (312) (emerging-rbn.rules)
    2406623 - ET RBN Known Russian Business Network IP UDP (312) (emerging-rbn.rules)
    2406624 - ET RBN Known Russian Business Network IP TCP (313) (emerging-rbn.rules)
    2406625 - ET RBN Known Russian Business Network IP UDP (313) (emerging-rbn.rules)
    2406626 - ET RBN Known Russian Business Network IP TCP (314) (emerging-rbn.rules)
    2406627 - ET RBN Known Russian Business Network IP UDP (314) (emerging-rbn.rules)
    2406628 - ET RBN Known Russian Business Network IP TCP (315) (emerging-rbn.rules)
    2406629 - ET RBN Known Russian Business Network IP UDP (315) (emerging-rbn.rules)
    2406630 - ET RBN Known Russian Business Network IP TCP (316) (emerging-rbn.rules)
    2406631 - ET RBN Known Russian Business Network IP UDP (316) (emerging-rbn.rules)
    2406632 - ET RBN Known Russian Business Network IP TCP (317) (emerging-rbn.rules)
    2406633 - ET RBN Known Russian Business Network IP UDP (317) (emerging-rbn.rules)
    2406634 - ET RBN Known Russian Business Network IP TCP (318) (emerging-rbn.rules)
    2406635 - ET RBN Known Russian Business Network IP UDP (318) (emerging-rbn.rules)
    2406636 - ET RBN Known Russian Business Network IP TCP (319) (emerging-rbn.rules)
    2406637 - ET RBN Known Russian Business Network IP UDP (319) (emerging-rbn.rules)
    2406638 - ET RBN Known Russian Business Network IP TCP (320) (emerging-rbn.rules)
    2406639 - ET RBN Known Russian Business Network IP UDP (320) (emerging-rbn.rules)
    2406640 - ET RBN Known Russian Business Network IP TCP (321) (emerging-rbn.rules)
    2406641 - ET RBN Known Russian Business Network IP UDP (321) (emerging-rbn.rules)
    2406642 - ET RBN Known Russian Business Network IP TCP (322) (emerging-rbn.rules)
    2406643 - ET RBN Known Russian Business Network IP UDP (322) (emerging-rbn.rules)
    2406644 - ET RBN Known Russian Business Network IP TCP (323) (emerging-rbn.rules)
    2406645 - ET RBN Known Russian Business Network IP UDP (323) (emerging-rbn.rules)
    2406646 - ET RBN Known Russian Business Network IP TCP (324) (emerging-rbn.rules)
    2406647 - ET RBN Known Russian Business Network IP UDP (324) (emerging-rbn.rules)
    2406648 - ET RBN Known Russian Business Network IP TCP (325) (emerging-rbn.rules)
    2406649 - ET RBN Known Russian Business Network IP UDP (325) (emerging-rbn.rules)
    2406650 - ET RBN Known Russian Business Network IP TCP (326) (emerging-rbn.rules)
    2406651 - ET RBN Known Russian Business Network IP UDP (326) (emerging-rbn.rules)
    2406652 - ET RBN Known Russian Business Network IP TCP (327) (emerging-rbn.rules)
    2406653 - ET RBN Known Russian Business Network IP UDP (327) (emerging-rbn.rules)
    2406654 - ET RBN Known Russian Business Network IP TCP (328) (emerging-rbn.rules)
    2406655 - ET RBN Known Russian Business Network IP UDP (328) (emerging-rbn.rules)
    2406656 - ET RBN Known Russian Business Network IP TCP (329) (emerging-rbn.rules)
    2406657 - ET RBN Known Russian Business Network IP UDP (329) (emerging-rbn.rules)
    2406658 - ET RBN Known Russian Business Network IP TCP (330) (emerging-rbn.rules)
    2406659 - ET RBN Known Russian Business Network IP UDP (330) (emerging-rbn.rules)
    2406660 - ET RBN Known Russian Business Network IP TCP (331) (emerging-rbn.rules)
    2406661 - ET RBN Known Russian Business Network IP UDP (331) (emerging-rbn.rules)
    2406662 - ET RBN Known Russian Business Network IP TCP (332) (emerging-rbn.rules)
    2406663 - ET RBN Known Russian Business Network IP UDP (332) (emerging-rbn.rules)
    2406664 - ET RBN Known Russian Business Network IP TCP (333) (emerging-rbn.rules)
    2406665 - ET RBN Known Russian Business Network IP UDP (333) (emerging-rbn.rules)
    2406666 - ET RBN Known Russian Business Network IP TCP (334) (emerging-rbn.rules)
    2406667 - ET RBN Known Russian Business Network IP UDP (334) (emerging-rbn.rules)
    2406668 - ET RBN Known Russian Business Network IP TCP (335) (emerging-rbn.rules)
    2406669 - ET RBN Known Russian Business Network IP UDP (335) (emerging-rbn.rules)
    2406670 -
ET RBN Known Russian Business Network IP TCP (336) (emerging-rbn.rules) 2406671 - ET RBN Known Russian Business Network IP UDP (336) (emerging-rbn.rules) 2406672 - ET RBN Known Russian Business Network IP TCP (337) (emerging-rbn.rules) 2406673 - ET RBN Known Russian Business Network IP UDP (337) (emerging-rbn.rules) 2406674 - ET RBN Known Russian Business Network IP TCP (338) (emerging-rbn.rules) 2406675 - ET RBN Known Russian Business Network IP UDP (338) (emerging-rbn.rules) 2406676 - ET RBN Known Russian Business Network IP TCP (339) (emerging-rbn.rules) 2406677 - ET RBN Known Russian Business Network IP UDP (339) (emerging-rbn.rules) 2406678 - ET RBN Known Russian Business Network IP TCP (340) (emerging-rbn.rules) 2406679 - ET RBN Known Russian Business Network IP UDP (340) (emerging-rbn.rules) 2406680 - ET RBN Known Russian Business Network IP TCP (341) (emerging-rbn.rules) 2406681 - ET RBN Known Russian Business Network IP UDP (341) (emerging-rbn.rules) 2406682 - ET RBN Known Russian Business Network IP TCP (342) (emerging-rbn.rules) 2406683 - ET RBN Known Russian Business Network IP UDP (342) (emerging-rbn.rules) 2406684 - ET RBN Known Russian Business Network IP TCP (343) (emerging-rbn.rules) 2406685 - ET RBN Known Russian Business Network IP UDP (343) (emerging-rbn.rules) 2406686 - ET RBN Known Russian Business Network IP TCP (344) (emerging-rbn.rules) 2406687 - ET RBN Known Russian Business Network IP UDP (344) (emerging-rbn.rules) 2406688 - ET RBN Known Russian Business Network IP TCP (345) (emerging-rbn.rules) 2406689 - ET RBN Known Russian Business Network IP UDP (345) (emerging-rbn.rules) 2406690 - ET RBN Known Russian Business Network IP TCP (346) (emerging-rbn.rules) 2406691 - ET RBN Known Russian Business Network IP UDP (346) (emerging-rbn.rules) 2406692 - ET RBN Known Russian Business Network IP TCP (347) (emerging-rbn.rules) 2406693 - ET RBN Known Russian Business Network IP UDP (347) (emerging-rbn.rules) 2406694 - ET RBN Known Russian Business 
Network IP TCP (348) (emerging-rbn.rules) 2406695 - ET RBN Known Russian Business Network IP UDP (348) (emerging-rbn.rules) 2406696 - ET RBN Known Russian Business Network IP TCP (349) (emerging-rbn.rules) 2406697 - ET RBN Known Russian Business Network IP UDP (349) (emerging-rbn.rules) 2406698 - ET RBN Known Russian Business Network IP TCP (350) (emerging-rbn.rules) 2406699 - ET RBN Known Russian Business Network IP UDP (350) (emerging-rbn.rules) 2406700 - ET RBN Known Russian Business Network IP TCP (351) (emerging-rbn.rules) 2406701 - ET RBN Known Russian Business Network IP UDP (351) (emerging-rbn.rules) 2406702 - ET RBN Known Russian Business Network IP TCP (352) (emerging-rbn.rules) 2406703 - ET RBN Known Russian Business Network IP UDP (352) (emerging-rbn.rules) 2406704 - ET RBN Known Russian Business Network IP TCP (353) (emerging-rbn.rules) 2406705 - ET RBN Known Russian Business Network IP UDP (353) (emerging-rbn.rules) 2406706 - ET RBN Known Russian Business Network IP TCP (354) (emerging-rbn.rules) 2406707 - ET RBN Known Russian Business Network IP UDP (354) (emerging-rbn.rules) 2406708 - ET RBN Known Russian Business Network IP TCP (355) (emerging-rbn.rules) 2406709 - ET RBN Known Russian Business Network IP UDP (355) (emerging-rbn.rules) 2406710 - ET RBN Known Russian Business Network IP TCP (356) (emerging-rbn.rules) 2406711 - ET RBN Known Russian Business Network IP UDP (356) (emerging-rbn.rules) 2406712 - ET RBN Known Russian Business Network IP TCP (357) (emerging-rbn.rules) 2406713 - ET RBN Known Russian Business Network IP UDP (357) (emerging-rbn.rules) 2406714 - ET RBN Known Russian Business Network IP TCP (358) (emerging-rbn.rules) 2406715 - ET RBN Known Russian Business Network IP UDP (358) (emerging-rbn.rules) 2406716 - ET RBN Known Russian Business Network IP TCP (359) (emerging-rbn.rules) 2406717 - ET RBN Known Russian Business Network IP UDP (359) (emerging-rbn.rules) 2406718 - ET RBN Known Russian Business Network IP TCP (360) 
(emerging-rbn.rules) 2406719 - ET RBN Known Russian Business Network IP UDP (360) (emerging-rbn.rules) 2406720 - ET RBN Known Russian Business Network IP TCP (361) (emerging-rbn.rules) 2406721 - ET RBN Known Russian Business Network IP UDP (361) (emerging-rbn.rules) 2406722 - ET RBN Known Russian Business Network IP TCP (362) (emerging-rbn.rules) 2406723 - ET RBN Known Russian Business Network IP UDP (362) (emerging-rbn.rules) 2406724 - ET RBN Known Russian Business Network IP TCP (363) (emerging-rbn.rules) 2406725 - ET RBN Known Russian Business Network IP UDP (363) (emerging-rbn.rules) 2406726 - ET RBN Known Russian Business Network IP TCP (364) (emerging-rbn.rules) 2406727 - ET RBN Known Russian Business Network IP UDP (364) (emerging-rbn.rules) 2406728 - ET RBN Known Russian Business Network IP TCP (365) (emerging-rbn.rules) 2406729 - ET RBN Known Russian Business Network IP UDP (365) (emerging-rbn.rules) 2406730 - ET RBN Known Russian Business Network IP TCP (366) (emerging-rbn.rules) 2406731 - ET RBN Known Russian Business Network IP UDP (366) (emerging-rbn.rules) 2406732 - ET RBN Known Russian Business Network IP TCP (367) (emerging-rbn.rules) 2406733 - ET RBN Known Russian Business Network IP UDP (367) (emerging-rbn.rules) 2406734 - ET RBN Known Russian Business Network IP TCP (368) (emerging-rbn.rules) 2406735 - ET RBN Known Russian Business Network IP UDP (368) (emerging-rbn.rules) 2406736 - ET RBN Known Russian Business Network IP TCP (369) (emerging-rbn.rules) 2406737 - ET RBN Known Russian Business Network IP UDP (369) (emerging-rbn.rules) 2406738 - ET RBN Known Russian Business Network IP TCP (370) (emerging-rbn.rules) 2406739 - ET RBN Known Russian Business Network IP UDP (370) (emerging-rbn.rules) 2406740 - ET RBN Known Russian Business Network IP TCP (371) (emerging-rbn.rules) 2406741 - ET RBN Known Russian Business Network IP UDP (371) (emerging-rbn.rules) 2406742 - ET RBN Known Russian Business Network IP TCP (372) (emerging-rbn.rules) 2406743 - 
ET RBN Known Russian Business Network IP UDP (372) (emerging-rbn.rules) 2406744 - ET RBN Known Russian Business Network IP TCP (373) (emerging-rbn.rules) 2406745 - ET RBN Known Russian Business Network IP UDP (373) (emerging-rbn.rules) 2406746 - ET RBN Known Russian Business Network IP TCP (374) (emerging-rbn.rules) 2406747 - ET RBN Known Russian Business Network IP UDP (374) (emerging-rbn.rules) 2406748 - ET RBN Known Russian Business Network IP TCP (375) (emerging-rbn.rules) 2406749 - ET RBN Known Russian Business Network IP UDP (375) (emerging-rbn.rules) 2406750 - ET RBN Known Russian Business Network IP TCP (376) (emerging-rbn.rules) 2406751 - ET RBN Known Russian Business Network IP UDP (376) (emerging-rbn.rules) 2406752 - ET RBN Known Russian Business Network IP TCP (377) (emerging-rbn.rules) 2406753 - ET RBN Known Russian Business Network IP UDP (377) (emerging-rbn.rules) 2406754 - ET RBN Known Russian Business Network IP TCP (378) (emerging-rbn.rules) 2406755 - ET RBN Known Russian Business Network IP UDP (378) (emerging-rbn.rules) 2406756 - ET RBN Known Russian Business Network IP TCP (379) (emerging-rbn.rules) 2406757 - ET RBN Known Russian Business Network IP UDP (379) (emerging-rbn.rules) 2406758 - ET RBN Known Russian Business Network IP TCP (380) (emerging-rbn.rules) 2406759 - ET RBN Known Russian Business Network IP UDP (380) (emerging-rbn.rules) 2406760 - ET RBN Known Russian Business Network IP TCP (381) (emerging-rbn.rules) 2406761 - ET RBN Known Russian Business Network IP UDP (381) (emerging-rbn.rules) 2406762 - ET RBN Known Russian Business Network IP TCP (382) (emerging-rbn.rules) 2406763 - ET RBN Known Russian Business Network IP UDP (382) (emerging-rbn.rules) 2406764 - ET RBN Known Russian Business Network IP TCP (383) (emerging-rbn.rules) 2406765 - ET RBN Known Russian Business Network IP UDP (383) (emerging-rbn.rules) 2406766 - ET RBN Known Russian Business Network IP TCP (384) (emerging-rbn.rules) 2406767 - ET RBN Known Russian Business 
Network IP UDP (384) (emerging-rbn.rules) 2406768 - ET RBN Known Russian Business Network IP TCP (385) (emerging-rbn.rules) 2406769 - ET RBN Known Russian Business Network IP UDP (385) (emerging-rbn.rules) 2406770 - ET RBN Known Russian Business Network IP TCP (386) (emerging-rbn.rules) 2406771 - ET RBN Known Russian Business Network IP UDP (386) (emerging-rbn.rules) 2406772 - ET RBN Known Russian Business Network IP TCP (387) (emerging-rbn.rules) 2406773 - ET RBN Known Russian Business Network IP UDP (387) (emerging-rbn.rules) 2406774 - ET RBN Known Russian Business Network IP TCP (388) (emerging-rbn.rules) 2406775 - ET RBN Known Russian Business Network IP UDP (388) (emerging-rbn.rules) 2406776 - ET RBN Known Russian Business Network IP TCP (389) (emerging-rbn.rules) 2406777 - ET RBN Known Russian Business Network IP UDP (389) (emerging-rbn.rules) 2406778 - ET RBN Known Russian Business Network IP TCP (390) (emerging-rbn.rules) 2406779 - ET RBN Known Russian Business Network IP UDP (390) (emerging-rbn.rules) 2406780 - ET RBN Known Russian Business Network IP TCP (391) (emerging-rbn.rules) 2406781 - ET RBN Known Russian Business Network IP UDP (391) (emerging-rbn.rules) 2406782 - ET RBN Known Russian Business Network IP TCP (392) (emerging-rbn.rules) 2406783 - ET RBN Known Russian Business Network IP UDP (392) (emerging-rbn.rules) 2406784 - ET RBN Known Russian Business Network IP TCP (393) (emerging-rbn.rules) 2406785 - ET RBN Known Russian Business Network IP UDP (393) (emerging-rbn.rules) 2406786 - ET RBN Known Russian Business Network IP TCP (394) (emerging-rbn.rules) 2406787 - ET RBN Known Russian Business Network IP UDP (394) (emerging-rbn.rules) 2406788 - ET RBN Known Russian Business Network IP TCP (395) (emerging-rbn.rules) 2406789 - ET RBN Known Russian Business Network IP UDP (395) (emerging-rbn.rules) 2406790 - ET RBN Known Russian Business Network IP TCP (396) (emerging-rbn.rules) 2406791 - ET RBN Known Russian Business Network IP UDP (396) 
(emerging-rbn.rules) 2406792 - ET RBN Known Russian Business Network IP TCP (397) (emerging-rbn.rules) 2406793 - ET RBN Known Russian Business Network IP UDP (397) (emerging-rbn.rules) 2406794 - ET RBN Known Russian Business Network IP TCP (398) (emerging-rbn.rules) 2406795 - ET RBN Known Russian Business Network IP UDP (398) (emerging-rbn.rules) 2406796 - ET RBN Known Russian Business Network IP TCP (399) (emerging-rbn.rules) 2406797 - ET RBN Known Russian Business Network IP UDP (399) (emerging-rbn.rules) 2406798 - ET RBN Known Russian Business Network IP TCP (400) (emerging-rbn.rules) 2406799 - ET RBN Known Russian Business Network IP UDP (400) (emerging-rbn.rules) 2406800 - ET RBN Known Russian Business Network IP TCP (401) (emerging-rbn.rules) 2406801 - ET RBN Known Russian Business Network IP UDP (401) (emerging-rbn.rules) 2406802 - ET RBN Known Russian Business Network IP TCP (402) (emerging-rbn.rules) 2406803 - ET RBN Known Russian Business Network IP UDP (402) (emerging-rbn.rules) 2406804 - ET RBN Known Russian Business Network IP TCP (403) (emerging-rbn.rules) 2406805 - ET RBN Known Russian Business Network IP UDP (403) (emerging-rbn.rules) 2406806 - ET RBN Known Russian Business Network IP TCP (404) (emerging-rbn.rules) 2406807 - ET RBN Known Russian Business Network IP UDP (404) (emerging-rbn.rules) 2406808 - ET RBN Known Russian Business Network IP TCP (405) (emerging-rbn.rules) 2406809 - ET RBN Known Russian Business Network IP UDP (405) (emerging-rbn.rules) 2406810 - ET RBN Known Russian Business Network IP TCP (406) (emerging-rbn.rules) 2406811 - ET RBN Known Russian Business Network IP UDP (406) (emerging-rbn.rules) 2406812 - ET RBN Known Russian Business Network IP TCP (407) (emerging-rbn.rules) 2406813 - ET RBN Known Russian Business Network IP UDP (407) (emerging-rbn.rules) 2406814 - ET RBN Known Russian Business Network IP TCP (408) (emerging-rbn.rules) 2406815 - ET RBN Known Russian Business Network IP UDP (408) (emerging-rbn.rules) 2406816 - 
ET RBN Known Russian Business Network IP TCP (409) (emerging-rbn.rules) 2406817 - ET RBN Known Russian Business Network IP UDP (409) (emerging-rbn.rules) 2406818 - ET RBN Known Russian Business Network IP TCP (410) (emerging-rbn.rules) 2406819 - ET RBN Known Russian Business Network IP UDP (410) (emerging-rbn.rules) 2406820 - ET RBN Known Russian Business Network IP TCP (411) (emerging-rbn.rules) 2406821 - ET RBN Known Russian Business Network IP UDP (411) (emerging-rbn.rules) 2406822 - ET RBN Known Russian Business Network IP TCP (412) (emerging-rbn.rules) 2406823 - ET RBN Known Russian Business Network IP UDP (412) (emerging-rbn.rules) 2406824 - ET RBN Known Russian Business Network IP TCP (413) (emerging-rbn.rules) 2406825 - ET RBN Known Russian Business Network IP UDP (413) (emerging-rbn.rules) 2406826 - ET RBN Known Russian Business Network IP TCP (414) (emerging-rbn.rules) 2406827 - ET RBN Known Russian Business Network IP UDP (414) (emerging-rbn.rules) 2406828 - ET RBN Known Russian Business Network IP TCP (415) (emerging-rbn.rules) 2406829 - ET RBN Known Russian Business Network IP UDP (415) (emerging-rbn.rules) 2406830 - ET RBN Known Russian Business Network IP TCP (416) (emerging-rbn.rules) 2406831 - ET RBN Known Russian Business Network IP UDP (416) (emerging-rbn.rules) 2406832 - ET RBN Known Russian Business Network IP TCP (417) (emerging-rbn.rules) 2406833 - ET RBN Known Russian Business Network IP UDP (417) (emerging-rbn.rules) 2406834 - ET RBN Known Russian Business Network IP TCP (418) (emerging-rbn.rules) 2406835 - ET RBN Known Russian Business Network IP UDP (418) (emerging-rbn.rules) 2406836 - ET RBN Known Russian Business Network IP TCP (419) (emerging-rbn.rules) 2406837 - ET RBN Known Russian Business Network IP UDP (419) (emerging-rbn.rules) 2406838 - ET RBN Known Russian Business Network IP TCP (420) (emerging-rbn.rules) 2406839 - ET RBN Known Russian Business Network IP UDP (420) (emerging-rbn.rules) 2406840 - ET RBN Known Russian Business 
Network IP TCP (421) (emerging-rbn.rules) 2406841 - ET RBN Known Russian Business Network IP UDP (421) (emerging-rbn.rules) 2406842 - ET RBN Known Russian Business Network IP TCP (422) (emerging-rbn.rules) 2406843 - ET RBN Known Russian Business Network IP UDP (422) (emerging-rbn.rules) 2406844 - ET RBN Known Russian Business Network IP TCP (423) (emerging-rbn.rules) 2406845 - ET RBN Known Russian Business Network IP UDP (423) (emerging-rbn.rules) 2406846 - ET RBN Known Russian Business Network IP TCP (424) (emerging-rbn.rules) 2406847 - ET RBN Known Russian Business Network IP UDP (424) (emerging-rbn.rules) 2406848 - ET RBN Known Russian Business Network IP TCP (425) (emerging-rbn.rules) 2406849 - ET RBN Known Russian Business Network IP UDP (425) (emerging-rbn.rules) 2406850 - ET RBN Known Russian Business Network IP TCP (426) (emerging-rbn.rules) 2406851 - ET RBN Known Russian Business Network IP UDP (426) (emerging-rbn.rules) 2406852 - ET RBN Known Russian Business Network IP TCP (427) (emerging-rbn.rules) 2406853 - ET RBN Known Russian Business Network IP UDP (427) (emerging-rbn.rules) 2406854 - ET RBN Known Russian Business Network IP TCP (428) (emerging-rbn.rules) 2406855 - ET RBN Known Russian Business Network IP UDP (428) (emerging-rbn.rules) 2406856 - ET RBN Known Russian Business Network IP TCP (429) (emerging-rbn.rules) 2406857 - ET RBN Known Russian Business Network IP UDP (429) (emerging-rbn.rules) 2406858 - ET RBN Known Russian Business Network IP TCP (430) (emerging-rbn.rules) 2406859 - ET RBN Known Russian Business Network IP UDP (430) (emerging-rbn.rules) 2406860 - ET RBN Known Russian Business Network IP TCP (431) (emerging-rbn.rules) 2406861 - ET RBN Known Russian Business Network IP UDP (431) (emerging-rbn.rules) 2406862 - ET RBN Known Russian Business Network IP TCP (432) (emerging-rbn.rules) 2406863 - ET RBN Known Russian Business Network IP UDP (432) (emerging-rbn.rules) 2406864 - ET RBN Known Russian Business Network IP TCP (433) 
(emerging-rbn.rules) 2406865 - ET RBN Known Russian Business Network IP UDP (433) (emerging-rbn.rules) 2406866 - ET RBN Known Russian Business Network IP TCP (434) (emerging-rbn.rules) 2406867 - ET RBN Known Russian Business Network IP UDP (434) (emerging-rbn.rules) 2406868 - ET RBN Known Russian Business Network IP TCP (435) (emerging-rbn.rules) 2406869 - ET RBN Known Russian Business Network IP UDP (435) (emerging-rbn.rules) 2406870 - ET RBN Known Russian Business Network IP TCP (436) (emerging-rbn.rules) 2406871 - ET RBN Known Russian Business Network IP UDP (436) (emerging-rbn.rules) 2406872 - ET RBN Known Russian Business Network IP TCP (437) (emerging-rbn.rules) 2406873 - ET RBN Known Russian Business Network IP UDP (437) (emerging-rbn.rules) 2406874 - ET RBN Known Russian Business Network IP TCP (438) (emerging-rbn.rules) 2406875 - ET RBN Known Russian Business Network IP UDP (438) (emerging-rbn.rules) 2406876 - ET RBN Known Russian Business Network IP TCP (439) (emerging-rbn.rules) 2406877 - ET RBN Known Russian Business Network IP UDP (439) (emerging-rbn.rules) 2406878 - ET RBN Known Russian Business Network IP TCP (440) (emerging-rbn.rules) 2406879 - ET RBN Known Russian Business Network IP UDP (440) (emerging-rbn.rules) 2406880 - ET RBN Known Russian Business Network IP TCP (441) (emerging-rbn.rules) 2406881 - ET RBN Known Russian Business Network IP UDP (441) (emerging-rbn.rules) 2406882 - ET RBN Known Russian Business Network IP TCP (442) (emerging-rbn.rules) 2406883 - ET RBN Known Russian Business Network IP UDP (442) (emerging-rbn.rules) 2406884 - ET RBN Known Russian Business Network IP TCP (443) (emerging-rbn.rules) 2406885 - ET RBN Known Russian Business Network IP UDP (443) (emerging-rbn.rules) 2406886 - ET RBN Known Russian Business Network IP TCP (444) (emerging-rbn.rules) 2406887 - ET RBN Known Russian Business Network IP UDP (444) (emerging-rbn.rules) 2406888 - ET RBN Known Russian Business Network IP TCP (445) (emerging-rbn.rules) 2406889 - 
ET RBN Known Russian Business Network IP UDP (445) (emerging-rbn.rules) 2406890 - ET RBN Known Russian Business Network IP TCP (446) (emerging-rbn.rules) 2406891 - ET RBN Known Russian Business Network IP UDP (446) (emerging-rbn.rules) 2406892 - ET RBN Known Russian Business Network IP TCP (447) (emerging-rbn.rules) 2406893 - ET RBN Known Russian Business Network IP UDP (447) (emerging-rbn.rules) 2406894 - ET RBN Known Russian Business Network IP TCP (448) (emerging-rbn.rules) 2406895 - ET RBN Known Russian Business Network IP UDP (448) (emerging-rbn.rules) 2406896 - ET RBN Known Russian Business Network IP TCP (449) (emerging-rbn.rules) 2406897 - ET RBN Known Russian Business Network IP UDP (449) (emerging-rbn.rules) 2406898 - ET RBN Known Russian Business Network IP TCP (450) (emerging-rbn.rules) 2406899 - ET RBN Known Russian Business Network IP UDP (450) (emerging-rbn.rules) 2406900 - ET RBN Known Russian Business Network IP TCP (451) (emerging-rbn.rules) 2406901 - ET RBN Known Russian Business Network IP UDP (451) (emerging-rbn.rules) 2406902 - ET RBN Known Russian Business Network IP TCP (452) (emerging-rbn.rules) 2406903 - ET RBN Known Russian Business Network IP UDP (452) (emerging-rbn.rules) 2406904 - ET RBN Known Russian Business Network IP TCP (453) (emerging-rbn.rules) 2406905 - ET RBN Known Russian Business Network IP UDP (453) (emerging-rbn.rules) 2406906 - ET RBN Known Russian Business Network IP TCP (454) (emerging-rbn.rules) 2406907 - ET RBN Known Russian Business Network IP UDP (454) (emerging-rbn.rules) 2406908 - ET RBN Known Russian Business Network IP TCP (455) (emerging-rbn.rules) 2406909 - ET RBN Known Russian Business Network IP UDP (455) (emerging-rbn.rules) 2406910 - ET RBN Known Russian Business Network IP TCP (456) (emerging-rbn.rules) 2406911 - ET RBN Known Russian Business Network IP UDP (456) (emerging-rbn.rules) 2406912 - ET RBN Known Russian Business Network IP TCP (457) (emerging-rbn.rules) 2406913 - ET RBN Known Russian Business 
Network IP UDP (457) (emerging-rbn.rules) 2406914 - ET RBN Known Russian Business Network IP TCP (458) (emerging-rbn.rules) 2406915 - ET RBN Known Russian Business Network IP UDP (458) (emerging-rbn.rules) 2406916 - ET RBN Known Russian Business Network IP TCP (459) (emerging-rbn.rules) 2406917 - ET RBN Known Russian Business Network IP UDP (459) (emerging-rbn.rules) 2406918 - ET RBN Known Russian Business Network IP TCP (460) (emerging-rbn.rules) 2406919 - ET RBN Known Russian Business Network IP UDP (460) (emerging-rbn.rules) 2406920 - ET RBN Known Russian Business Network IP TCP (461) (emerging-rbn.rules) 2406921 - ET RBN Known Russian Business Network IP UDP (461) (emerging-rbn.rules) 2406922 - ET RBN Known Russian Business Network IP TCP (462) (emerging-rbn.rules) 2406923 - ET RBN Known Russian Business Network IP UDP (462) (emerging-rbn.rules) 2406924 - ET RBN Known Russian Business Network IP TCP (463) (emerging-rbn.rules) 2406925 - ET RBN Known Russian Business Network IP UDP (463) (emerging-rbn.rules) 2406926 - ET RBN Known Russian Business Network IP TCP (464) (emerging-rbn.rules) 2406927 - ET RBN Known Russian Business Network IP UDP (464) (emerging-rbn.rules) 2406928 - ET RBN Known Russian Business Network IP TCP (465) (emerging-rbn.rules) 2406929 - ET RBN Known Russian Business Network IP UDP (465) (emerging-rbn.rules) 2406930 - ET RBN Known Russian Business Network IP TCP (466) (emerging-rbn.rules) 2406931 - ET RBN Known Russian Business Network IP UDP (466) (emerging-rbn.rules) 2406932 - ET RBN Known Russian Business Network IP TCP (467) (emerging-rbn.rules) 2406933 - ET RBN Known Russian Business Network IP UDP (467) (emerging-rbn.rules) 2406934 - ET RBN Known Russian Business Network IP TCP (468) (emerging-rbn.rules) 2406935 - ET RBN Known Russian Business Network IP UDP (468) (emerging-rbn.rules) 2406936 - ET RBN Known Russian Business Network IP TCP (469) (emerging-rbn.rules) 2406937 - ET RBN Known Russian Business Network IP UDP (469) 
(emerging-rbn.rules) 2406938 - ET RBN Known Russian Business Network IP TCP (470) (emerging-rbn.rules) 2406939 - ET RBN Known Russian Business Network IP UDP (470) (emerging-rbn.rules) 2406940 - ET RBN Known Russian Business Network IP TCP (471) (emerging-rbn.rules) 2406941 - ET RBN Known Russian Business Network IP UDP (471) (emerging-rbn.rules) 2406942 - ET RBN Known Russian Business Network IP TCP (472) (emerging-rbn.rules) 2406943 - ET RBN Known Russian Business Network IP UDP (472) (emerging-rbn.rules) 2406944 - ET RBN Known Russian Business Network IP TCP (473) (emerging-rbn.rules) 2406945 - ET RBN Known Russian Business Network IP UDP (473) (emerging-rbn.rules) 2406946 - ET RBN Known Russian Business Network IP TCP (474) (emerging-rbn.rules) 2406947 - ET RBN Known Russian Business Network IP UDP (474) (emerging-rbn.rules) 2406948 - ET RBN Known Russian Business Network IP TCP (475) (emerging-rbn.rules) 2406949 - ET RBN Known Russian Business Network IP UDP (475) (emerging-rbn.rules) 2406950 - ET RBN Known Russian Business Network IP TCP (476) (emerging-rbn.rules) 2406951 - ET RBN Known Russian Business Network IP UDP (476) (emerging-rbn.rules) 2406952 - ET RBN Known Russian Business Network IP TCP (477) (emerging-rbn.rules) 2406953 - ET RBN Known Russian Business Network IP UDP (477) (emerging-rbn.rules) 2406954 - ET RBN Known Russian Business Network IP TCP (478) (emerging-rbn.rules) 2406955 - ET RBN Known Russian Business Network IP UDP (478) (emerging-rbn.rules) 2406956 - ET RBN Known Russian Business Network IP TCP (479) (emerging-rbn.rules) 2406957 - ET RBN Known Russian Business Network IP UDP (479) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network IP TCP - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network IP UDP - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network IP TCP - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network 
IP UDP - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network IP TCP - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network IP UDP - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network IP TCP - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network IP UDP - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network IP TCP - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network IP UDP - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network IP TCP - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network IP UDP - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network IP TCP - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network IP UDP - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network IP TCP - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network IP UDP - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network IP TCP - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network IP UDP - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network IP TCP - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network IP UDP - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network IP TCP - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network IP UDP - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network IP TCP - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network IP UDP - BLOCKING (12) (emerging-rbn-BLOCK.rules) 
(emerging-rbn-BLOCK.rules) 2407448 - ET RBN Known Russian Business Network IP TCP - BLOCKING (225) (emerging-rbn-BLOCK.rules) 2407449 - ET RBN Known Russian Business Network IP UDP - BLOCKING (225) (emerging-rbn-BLOCK.rules) 2407450 - ET RBN Known Russian Business Network IP TCP - BLOCKING (226) (emerging-rbn-BLOCK.rules) 2407451 - ET RBN Known Russian Business Network IP UDP - BLOCKING (226) (emerging-rbn-BLOCK.rules) 2407452 - ET RBN Known Russian Business Network IP TCP - BLOCKING (227) (emerging-rbn-BLOCK.rules) 2407453 - ET RBN Known Russian Business Network IP UDP - BLOCKING (227) (emerging-rbn-BLOCK.rules) 2407454 - ET RBN Known Russian Business Network IP TCP - BLOCKING (228) (emerging-rbn-BLOCK.rules) 2407455 - ET RBN Known Russian Business Network IP UDP - BLOCKING (228) (emerging-rbn-BLOCK.rules) 2407456 - ET RBN Known Russian Business Network IP TCP - BLOCKING (229) (emerging-rbn-BLOCK.rules) 2407457 - ET RBN Known Russian Business Network IP UDP - BLOCKING (229) (emerging-rbn-BLOCK.rules) 2407458 - ET RBN Known Russian Business Network IP TCP - BLOCKING (230) (emerging-rbn-BLOCK.rules) 2407459 - ET RBN Known Russian Business Network IP UDP - BLOCKING (230) (emerging-rbn-BLOCK.rules) 2407460 - ET RBN Known Russian Business Network IP TCP - BLOCKING (231) (emerging-rbn-BLOCK.rules) 2407461 - ET RBN Known Russian Business Network IP UDP - BLOCKING (231) (emerging-rbn-BLOCK.rules) 2407462 - ET RBN Known Russian Business Network IP TCP - BLOCKING (232) (emerging-rbn-BLOCK.rules) 2407463 - ET RBN Known Russian Business Network IP UDP - BLOCKING (232) (emerging-rbn-BLOCK.rules) 2407464 - ET RBN Known Russian Business Network IP TCP - BLOCKING (233) (emerging-rbn-BLOCK.rules) 2407465 - ET RBN Known Russian Business Network IP UDP - BLOCKING (233) (emerging-rbn-BLOCK.rules) 2407466 - ET RBN Known Russian Business Network IP TCP - BLOCKING (234) (emerging-rbn-BLOCK.rules) 2407467 - ET RBN Known Russian Business Network IP UDP - BLOCKING (234) 
(emerging-rbn-BLOCK.rules) 2407468 - ET RBN Known Russian Business Network IP TCP - BLOCKING (235) (emerging-rbn-BLOCK.rules) 2407469 - ET RBN Known Russian Business Network IP UDP - BLOCKING (235) (emerging-rbn-BLOCK.rules) 2407470 - ET RBN Known Russian Business Network IP TCP - BLOCKING (236) (emerging-rbn-BLOCK.rules) 2407471 - ET RBN Known Russian Business Network IP UDP - BLOCKING (236) (emerging-rbn-BLOCK.rules) 2407472 - ET RBN Known Russian Business Network IP TCP - BLOCKING (237) (emerging-rbn-BLOCK.rules) 2407473 - ET RBN Known Russian Business Network IP UDP - BLOCKING (237) (emerging-rbn-BLOCK.rules) 2407474 - ET RBN Known Russian Business Network IP TCP - BLOCKING (238) (emerging-rbn-BLOCK.rules) 2407475 - ET RBN Known Russian Business Network IP UDP - BLOCKING (238) (emerging-rbn-BLOCK.rules) 2407476 - ET RBN Known Russian Business Network IP TCP - BLOCKING (239) (emerging-rbn-BLOCK.rules) 2407477 - ET RBN Known Russian Business Network IP UDP - BLOCKING (239) (emerging-rbn-BLOCK.rules) 2407478 - ET RBN Known Russian Business Network IP TCP - BLOCKING (240) (emerging-rbn-BLOCK.rules) 2407479 - ET RBN Known Russian Business Network IP UDP - BLOCKING (240) (emerging-rbn-BLOCK.rules) 2407480 - ET RBN Known Russian Business Network IP TCP - BLOCKING (241) (emerging-rbn-BLOCK.rules) 2407481 - ET RBN Known Russian Business Network IP UDP - BLOCKING (241) (emerging-rbn-BLOCK.rules) 2407482 - ET RBN Known Russian Business Network IP TCP - BLOCKING (242) (emerging-rbn-BLOCK.rules) 2407483 - ET RBN Known Russian Business Network IP UDP - BLOCKING (242) (emerging-rbn-BLOCK.rules) 2407484 - ET RBN Known Russian Business Network IP TCP - BLOCKING (243) (emerging-rbn-BLOCK.rules) 2407485 - ET RBN Known Russian Business Network IP UDP - BLOCKING (243) (emerging-rbn-BLOCK.rules) 2407486 - ET RBN Known Russian Business Network IP TCP - BLOCKING (244) (emerging-rbn-BLOCK.rules) 2407487 - ET RBN Known Russian Business Network IP UDP - BLOCKING (244) 
(emerging-rbn-BLOCK.rules) 2407488 - ET RBN Known Russian Business Network IP TCP - BLOCKING (245) (emerging-rbn-BLOCK.rules) 2407489 - ET RBN Known Russian Business Network IP UDP - BLOCKING (245) (emerging-rbn-BLOCK.rules) 2407490 - ET RBN Known Russian Business Network IP TCP - BLOCKING (246) (emerging-rbn-BLOCK.rules) 2407491 - ET RBN Known Russian Business Network IP UDP - BLOCKING (246) (emerging-rbn-BLOCK.rules) 2407492 - ET RBN Known Russian Business Network IP TCP - BLOCKING (247) (emerging-rbn-BLOCK.rules) 2407493 - ET RBN Known Russian Business Network IP UDP - BLOCKING (247) (emerging-rbn-BLOCK.rules) 2407494 - ET RBN Known Russian Business Network IP TCP - BLOCKING (248) (emerging-rbn-BLOCK.rules) 2407495 - ET RBN Known Russian Business Network IP UDP - BLOCKING (248) (emerging-rbn-BLOCK.rules) 2407496 - ET RBN Known Russian Business Network IP TCP - BLOCKING (249) (emerging-rbn-BLOCK.rules) 2407497 - ET RBN Known Russian Business Network IP UDP - BLOCKING (249) (emerging-rbn-BLOCK.rules) 2407498 - ET RBN Known Russian Business Network IP TCP - BLOCKING (250) (emerging-rbn-BLOCK.rules) 2407499 - ET RBN Known Russian Business Network IP UDP - BLOCKING (250) (emerging-rbn-BLOCK.rules) 2407500 - ET RBN Known Russian Business Network IP TCP - BLOCKING (251) (emerging-rbn-BLOCK.rules) 2407501 - ET RBN Known Russian Business Network IP UDP - BLOCKING (251) (emerging-rbn-BLOCK.rules) 2407502 - ET RBN Known Russian Business Network IP TCP - BLOCKING (252) (emerging-rbn-BLOCK.rules) 2407503 - ET RBN Known Russian Business Network IP UDP - BLOCKING (252) (emerging-rbn-BLOCK.rules) 2407504 - ET RBN Known Russian Business Network IP TCP - BLOCKING (253) (emerging-rbn-BLOCK.rules) 2407505 - ET RBN Known Russian Business Network IP UDP - BLOCKING (253) (emerging-rbn-BLOCK.rules) 2407506 - ET RBN Known Russian Business Network IP TCP - BLOCKING (254) (emerging-rbn-BLOCK.rules) 2407507 - ET RBN Known Russian Business Network IP UDP - BLOCKING (254) 
(emerging-rbn-BLOCK.rules) 2407508 - ET RBN Known Russian Business Network IP TCP - BLOCKING (255) (emerging-rbn-BLOCK.rules) 2407509 - ET RBN Known Russian Business Network IP UDP - BLOCKING (255) (emerging-rbn-BLOCK.rules) 2407510 - ET RBN Known Russian Business Network IP TCP - BLOCKING (256) (emerging-rbn-BLOCK.rules) 2407511 - ET RBN Known Russian Business Network IP UDP - BLOCKING (256) (emerging-rbn-BLOCK.rules) 2407512 - ET RBN Known Russian Business Network IP TCP - BLOCKING (257) (emerging-rbn-BLOCK.rules) 2407513 - ET RBN Known Russian Business Network IP UDP - BLOCKING (257) (emerging-rbn-BLOCK.rules) 2407514 - ET RBN Known Russian Business Network IP TCP - BLOCKING (258) (emerging-rbn-BLOCK.rules) 2407515 - ET RBN Known Russian Business Network IP UDP - BLOCKING (258) (emerging-rbn-BLOCK.rules) 2407516 - ET RBN Known Russian Business Network IP TCP - BLOCKING (259) (emerging-rbn-BLOCK.rules) 2407517 - ET RBN Known Russian Business Network IP UDP - BLOCKING (259) (emerging-rbn-BLOCK.rules) 2407518 - ET RBN Known Russian Business Network IP TCP - BLOCKING (260) (emerging-rbn-BLOCK.rules) 2407519 - ET RBN Known Russian Business Network IP UDP - BLOCKING (260) (emerging-rbn-BLOCK.rules) 2407520 - ET RBN Known Russian Business Network IP TCP - BLOCKING (261) (emerging-rbn-BLOCK.rules) 2407521 - ET RBN Known Russian Business Network IP UDP - BLOCKING (261) (emerging-rbn-BLOCK.rules) 2407522 - ET RBN Known Russian Business Network IP TCP - BLOCKING (262) (emerging-rbn-BLOCK.rules) 2407523 - ET RBN Known Russian Business Network IP UDP - BLOCKING (262) (emerging-rbn-BLOCK.rules) 2407524 - ET RBN Known Russian Business Network IP TCP - BLOCKING (263) (emerging-rbn-BLOCK.rules) 2407525 - ET RBN Known Russian Business Network IP UDP - BLOCKING (263) (emerging-rbn-BLOCK.rules) 2407526 - ET RBN Known Russian Business Network IP TCP - BLOCKING (264) (emerging-rbn-BLOCK.rules) 2407527 - ET RBN Known Russian Business Network IP UDP - BLOCKING (264) 
(emerging-rbn-BLOCK.rules) 2407528 - ET RBN Known Russian Business Network IP TCP - BLOCKING (265) (emerging-rbn-BLOCK.rules) 2407529 - ET RBN Known Russian Business Network IP UDP - BLOCKING (265) (emerging-rbn-BLOCK.rules) 2407530 - ET RBN Known Russian Business Network IP TCP - BLOCKING (266) (emerging-rbn-BLOCK.rules) 2407531 - ET RBN Known Russian Business Network IP UDP - BLOCKING (266) (emerging-rbn-BLOCK.rules) 2407532 - ET RBN Known Russian Business Network IP TCP - BLOCKING (267) (emerging-rbn-BLOCK.rules) 2407533 - ET RBN Known Russian Business Network IP UDP - BLOCKING (267) (emerging-rbn-BLOCK.rules) 2407534 - ET RBN Known Russian Business Network IP TCP - BLOCKING (268) (emerging-rbn-BLOCK.rules) 2407535 - ET RBN Known Russian Business Network IP UDP - BLOCKING (268) (emerging-rbn-BLOCK.rules) 2407536 - ET RBN Known Russian Business Network IP TCP - BLOCKING (269) (emerging-rbn-BLOCK.rules) 2407537 - ET RBN Known Russian Business Network IP UDP - BLOCKING (269) (emerging-rbn-BLOCK.rules) 2407538 - ET RBN Known Russian Business Network IP TCP - BLOCKING (270) (emerging-rbn-BLOCK.rules) 2407539 - ET RBN Known Russian Business Network IP UDP - BLOCKING (270) (emerging-rbn-BLOCK.rules) 2407540 - ET RBN Known Russian Business Network IP TCP - BLOCKING (271) (emerging-rbn-BLOCK.rules) 2407541 - ET RBN Known Russian Business Network IP UDP - BLOCKING (271) (emerging-rbn-BLOCK.rules) 2407542 - ET RBN Known Russian Business Network IP TCP - BLOCKING (272) (emerging-rbn-BLOCK.rules) 2407543 - ET RBN Known Russian Business Network IP UDP - BLOCKING (272) (emerging-rbn-BLOCK.rules) 2407544 - ET RBN Known Russian Business Network IP TCP - BLOCKING (273) (emerging-rbn-BLOCK.rules) 2407545 - ET RBN Known Russian Business Network IP UDP - BLOCKING (273) (emerging-rbn-BLOCK.rules) 2407546 - ET RBN Known Russian Business Network IP TCP - BLOCKING (274) (emerging-rbn-BLOCK.rules) 2407547 - ET RBN Known Russian Business Network IP UDP - BLOCKING (274) 
(emerging-rbn-BLOCK.rules) 2407548 - ET RBN Known Russian Business Network IP TCP - BLOCKING (275) (emerging-rbn-BLOCK.rules) 2407549 - ET RBN Known Russian Business Network IP UDP - BLOCKING (275) (emerging-rbn-BLOCK.rules) 2407550 - ET RBN Known Russian Business Network IP TCP - BLOCKING (276) (emerging-rbn-BLOCK.rules) 2407551 - ET RBN Known Russian Business Network IP UDP - BLOCKING (276) (emerging-rbn-BLOCK.rules) 2407552 - ET RBN Known Russian Business Network IP TCP - BLOCKING (277) (emerging-rbn-BLOCK.rules) 2407553 - ET RBN Known Russian Business Network IP UDP - BLOCKING (277) (emerging-rbn-BLOCK.rules) 2407554 - ET RBN Known Russian Business Network IP TCP - BLOCKING (278) (emerging-rbn-BLOCK.rules) 2407555 - ET RBN Known Russian Business Network IP UDP - BLOCKING (278) (emerging-rbn-BLOCK.rules) 2407556 - ET RBN Known Russian Business Network IP TCP - BLOCKING (279) (emerging-rbn-BLOCK.rules) 2407557 - ET RBN Known Russian Business Network IP UDP - BLOCKING (279) (emerging-rbn-BLOCK.rules) 2407558 - ET RBN Known Russian Business Network IP TCP - BLOCKING (280) (emerging-rbn-BLOCK.rules) 2407559 - ET RBN Known Russian Business Network IP UDP - BLOCKING (280) (emerging-rbn-BLOCK.rules) 2407560 - ET RBN Known Russian Business Network IP TCP - BLOCKING (281) (emerging-rbn-BLOCK.rules) 2407561 - ET RBN Known Russian Business Network IP UDP - BLOCKING (281) (emerging-rbn-BLOCK.rules) 2407562 - ET RBN Known Russian Business Network IP TCP - BLOCKING (282) (emerging-rbn-BLOCK.rules) 2407563 - ET RBN Known Russian Business Network IP UDP - BLOCKING (282) (emerging-rbn-BLOCK.rules) 2407564 - ET RBN Known Russian Business Network IP TCP - BLOCKING (283) (emerging-rbn-BLOCK.rules) 2407565 - ET RBN Known Russian Business Network IP UDP - BLOCKING (283) (emerging-rbn-BLOCK.rules) 2407566 - ET RBN Known Russian Business Network IP TCP - BLOCKING (284) (emerging-rbn-BLOCK.rules) 2407567 - ET RBN Known Russian Business Network IP UDP - BLOCKING (284) 
(emerging-rbn-BLOCK.rules) 2407568 - ET RBN Known Russian Business Network IP TCP - BLOCKING (285) (emerging-rbn-BLOCK.rules) 2407569 - ET RBN Known Russian Business Network IP UDP - BLOCKING (285) (emerging-rbn-BLOCK.rules) 2407570 - ET RBN Known Russian Business Network IP TCP - BLOCKING (286) (emerging-rbn-BLOCK.rules) 2407571 - ET RBN Known Russian Business Network IP UDP - BLOCKING (286) (emerging-rbn-BLOCK.rules) 2407572 - ET RBN Known Russian Business Network IP TCP - BLOCKING (287) (emerging-rbn-BLOCK.rules) 2407573 - ET RBN Known Russian Business Network IP UDP - BLOCKING (287) (emerging-rbn-BLOCK.rules) 2407574 - ET RBN Known Russian Business Network IP TCP - BLOCKING (288) (emerging-rbn-BLOCK.rules) 2407575 - ET RBN Known Russian Business Network IP UDP - BLOCKING (288) (emerging-rbn-BLOCK.rules) 2407576 - ET RBN Known Russian Business Network IP TCP - BLOCKING (289) (emerging-rbn-BLOCK.rules) 2407577 - ET RBN Known Russian Business Network IP UDP - BLOCKING (289) (emerging-rbn-BLOCK.rules) 2407578 - ET RBN Known Russian Business Network IP TCP - BLOCKING (290) (emerging-rbn-BLOCK.rules) 2407579 - ET RBN Known Russian Business Network IP UDP - BLOCKING (290) (emerging-rbn-BLOCK.rules) 2407580 - ET RBN Known Russian Business Network IP TCP - BLOCKING (291) (emerging-rbn-BLOCK.rules) 2407581 - ET RBN Known Russian Business Network IP UDP - BLOCKING (291) (emerging-rbn-BLOCK.rules) 2407582 - ET RBN Known Russian Business Network IP TCP - BLOCKING (292) (emerging-rbn-BLOCK.rules) 2407583 - ET RBN Known Russian Business Network IP UDP - BLOCKING (292) (emerging-rbn-BLOCK.rules) 2407584 - ET RBN Known Russian Business Network IP TCP - BLOCKING (293) (emerging-rbn-BLOCK.rules) 2407585 - ET RBN Known Russian Business Network IP UDP - BLOCKING (293) (emerging-rbn-BLOCK.rules) 2407586 - ET RBN Known Russian Business Network IP TCP - BLOCKING (294) (emerging-rbn-BLOCK.rules) 2407587 - ET RBN Known Russian Business Network IP UDP - BLOCKING (294) 
(emerging-rbn-BLOCK.rules) 2407588 - ET RBN Known Russian Business Network IP TCP - BLOCKING (295) (emerging-rbn-BLOCK.rules) 2407589 - ET RBN Known Russian Business Network IP UDP - BLOCKING (295) (emerging-rbn-BLOCK.rules) 2407590 - ET RBN Known Russian Business Network IP TCP - BLOCKING (296) (emerging-rbn-BLOCK.rules) 2407591 - ET RBN Known Russian Business Network IP UDP - BLOCKING (296) (emerging-rbn-BLOCK.rules) 2407592 - ET RBN Known Russian Business Network IP TCP - BLOCKING (297) (emerging-rbn-BLOCK.rules) 2407593 - ET RBN Known Russian Business Network IP UDP - BLOCKING (297) (emerging-rbn-BLOCK.rules) 2407594 - ET RBN Known Russian Business Network IP TCP - BLOCKING (298) (emerging-rbn-BLOCK.rules) 2407595 - ET RBN Known Russian Business Network IP UDP - BLOCKING (298) (emerging-rbn-BLOCK.rules) 2407596 - ET RBN Known Russian Business Network IP TCP - BLOCKING (299) (emerging-rbn-BLOCK.rules) 2407597 - ET RBN Known Russian Business Network IP UDP - BLOCKING (299) (emerging-rbn-BLOCK.rules) 2407598 - ET RBN Known Russian Business Network IP TCP - BLOCKING (300) (emerging-rbn-BLOCK.rules) 2407599 - ET RBN Known Russian Business Network IP UDP - BLOCKING (300) (emerging-rbn-BLOCK.rules) 2407600 - ET RBN Known Russian Business Network IP TCP - BLOCKING (301) (emerging-rbn-BLOCK.rules) 2407601 - ET RBN Known Russian Business Network IP UDP - BLOCKING (301) (emerging-rbn-BLOCK.rules) 2407602 - ET RBN Known Russian Business Network IP TCP - BLOCKING (302) (emerging-rbn-BLOCK.rules) 2407603 - ET RBN Known Russian Business Network IP UDP - BLOCKING (302) (emerging-rbn-BLOCK.rules) 2407604 - ET RBN Known Russian Business Network IP TCP - BLOCKING (303) (emerging-rbn-BLOCK.rules) 2407605 - ET RBN Known Russian Business Network IP UDP - BLOCKING (303) (emerging-rbn-BLOCK.rules) 2407606 - ET RBN Known Russian Business Network IP TCP - BLOCKING (304) (emerging-rbn-BLOCK.rules) 2407607 - ET RBN Known Russian Business Network IP UDP - BLOCKING (304) 
(emerging-rbn-BLOCK.rules) 2407608 - ET RBN Known Russian Business Network IP TCP - BLOCKING (305) (emerging-rbn-BLOCK.rules) 2407609 - ET RBN Known Russian Business Network IP UDP - BLOCKING (305) (emerging-rbn-BLOCK.rules) 2407610 - ET RBN Known Russian Business Network IP TCP - BLOCKING (306) (emerging-rbn-BLOCK.rules) 2407611 - ET RBN Known Russian Business Network IP UDP - BLOCKING (306) (emerging-rbn-BLOCK.rules) 2407612 - ET RBN Known Russian Business Network IP TCP - BLOCKING (307) (emerging-rbn-BLOCK.rules) 2407613 - ET RBN Known Russian Business Network IP UDP - BLOCKING (307) (emerging-rbn-BLOCK.rules) 2407614 - ET RBN Known Russian Business Network IP TCP - BLOCKING (308) (emerging-rbn-BLOCK.rules) 2407615 - ET RBN Known Russian Business Network IP UDP - BLOCKING (308) (emerging-rbn-BLOCK.rules) 2407616 - ET RBN Known Russian Business Network IP TCP - BLOCKING (309) (emerging-rbn-BLOCK.rules) 2407617 - ET RBN Known Russian Business Network IP UDP - BLOCKING (309) (emerging-rbn-BLOCK.rules) 2407618 - ET RBN Known Russian Business Network IP TCP - BLOCKING (310) (emerging-rbn-BLOCK.rules) 2407619 - ET RBN Known Russian Business Network IP UDP - BLOCKING (310) (emerging-rbn-BLOCK.rules) 2407620 - ET RBN Known Russian Business Network IP TCP - BLOCKING (311) (emerging-rbn-BLOCK.rules) 2407621 - ET RBN Known Russian Business Network IP UDP - BLOCKING (311) (emerging-rbn-BLOCK.rules) 2407622 - ET RBN Known Russian Business Network IP TCP - BLOCKING (312) (emerging-rbn-BLOCK.rules) 2407623 - ET RBN Known Russian Business Network IP UDP - BLOCKING (312) (emerging-rbn-BLOCK.rules) 2407624 - ET RBN Known Russian Business Network IP TCP - BLOCKING (313) (emerging-rbn-BLOCK.rules) 2407625 - ET RBN Known Russian Business Network IP UDP - BLOCKING (313) (emerging-rbn-BLOCK.rules) 2407626 - ET RBN Known Russian Business Network IP TCP - BLOCKING (314) (emerging-rbn-BLOCK.rules) 2407627 - ET RBN Known Russian Business Network IP UDP - BLOCKING (314) 
(emerging-rbn-BLOCK.rules) 2407628 - ET RBN Known Russian Business Network IP TCP - BLOCKING (315) (emerging-rbn-BLOCK.rules) 2407629 - ET RBN Known Russian Business Network IP UDP - BLOCKING (315) (emerging-rbn-BLOCK.rules) 2407630 - ET RBN Known Russian Business Network IP TCP - BLOCKING (316) (emerging-rbn-BLOCK.rules) 2407631 - ET RBN Known Russian Business Network IP UDP - BLOCKING (316) (emerging-rbn-BLOCK.rules) 2407632 - ET RBN Known Russian Business Network IP TCP - BLOCKING (317) (emerging-rbn-BLOCK.rules) 2407633 - ET RBN Known Russian Business Network IP UDP - BLOCKING (317) (emerging-rbn-BLOCK.rules) 2407634 - ET RBN Known Russian Business Network IP TCP - BLOCKING (318) (emerging-rbn-BLOCK.rules) 2407635 - ET RBN Known Russian Business Network IP UDP - BLOCKING (318) (emerging-rbn-BLOCK.rules) 2407636 - ET RBN Known Russian Business Network IP TCP - BLOCKING (319) (emerging-rbn-BLOCK.rules) 2407637 - ET RBN Known Russian Business Network IP UDP - BLOCKING (319) (emerging-rbn-BLOCK.rules) 2407638 - ET RBN Known Russian Business Network IP TCP - BLOCKING (320) (emerging-rbn-BLOCK.rules) 2407639 - ET RBN Known Russian Business Network IP UDP - BLOCKING (320) (emerging-rbn-BLOCK.rules) 2407640 - ET RBN Known Russian Business Network IP TCP - BLOCKING (321) (emerging-rbn-BLOCK.rules) 2407641 - ET RBN Known Russian Business Network IP UDP - BLOCKING (321) (emerging-rbn-BLOCK.rules) 2407642 - ET RBN Known Russian Business Network IP TCP - BLOCKING (322) (emerging-rbn-BLOCK.rules) 2407643 - ET RBN Known Russian Business Network IP UDP - BLOCKING (322) (emerging-rbn-BLOCK.rules) 2407644 - ET RBN Known Russian Business Network IP TCP - BLOCKING (323) (emerging-rbn-BLOCK.rules) 2407645 - ET RBN Known Russian Business Network IP UDP - BLOCKING (323) (emerging-rbn-BLOCK.rules) 2407646 - ET RBN Known Russian Business Network IP TCP - BLOCKING (324) (emerging-rbn-BLOCK.rules) 2407647 - ET RBN Known Russian Business Network IP UDP - BLOCKING (324) 
(emerging-rbn-BLOCK.rules) 2407648 - ET RBN Known Russian Business Network IP TCP - BLOCKING (325) (emerging-rbn-BLOCK.rules) 2407649 - ET RBN Known Russian Business Network IP UDP - BLOCKING (325) (emerging-rbn-BLOCK.rules) 2407650 - ET RBN Known Russian Business Network IP TCP - BLOCKING (326) (emerging-rbn-BLOCK.rules) 2407651 - ET RBN Known Russian Business Network IP UDP - BLOCKING (326) (emerging-rbn-BLOCK.rules) 2407652 - ET RBN Known Russian Business Network IP TCP - BLOCKING (327) (emerging-rbn-BLOCK.rules) 2407653 - ET RBN Known Russian Business Network IP UDP - BLOCKING (327) (emerging-rbn-BLOCK.rules) 2407654 - ET RBN Known Russian Business Network IP TCP - BLOCKING (328) (emerging-rbn-BLOCK.rules) 2407655 - ET RBN Known Russian Business Network IP UDP - BLOCKING (328) (emerging-rbn-BLOCK.rules) 2407656 - ET RBN Known Russian Business Network IP TCP - BLOCKING (329) (emerging-rbn-BLOCK.rules) 2407657 - ET RBN Known Russian Business Network IP UDP - BLOCKING (329) (emerging-rbn-BLOCK.rules) 2407658 - ET RBN Known Russian Business Network IP TCP - BLOCKING (330) (emerging-rbn-BLOCK.rules) 2407659 - ET RBN Known Russian Business Network IP UDP - BLOCKING (330) (emerging-rbn-BLOCK.rules) 2407660 - ET RBN Known Russian Business Network IP TCP - BLOCKING (331) (emerging-rbn-BLOCK.rules) 2407661 - ET RBN Known Russian Business Network IP UDP - BLOCKING (331) (emerging-rbn-BLOCK.rules) 2407662 - ET RBN Known Russian Business Network IP TCP - BLOCKING (332) (emerging-rbn-BLOCK.rules) 2407663 - ET RBN Known Russian Business Network IP UDP - BLOCKING (332) (emerging-rbn-BLOCK.rules) 2407664 - ET RBN Known Russian Business Network IP TCP - BLOCKING (333) (emerging-rbn-BLOCK.rules) 2407665 - ET RBN Known Russian Business Network IP UDP - BLOCKING (333) (emerging-rbn-BLOCK.rules) 2407666 - ET RBN Known Russian Business Network IP TCP - BLOCKING (334) (emerging-rbn-BLOCK.rules) 2407667 - ET RBN Known Russian Business Network IP UDP - BLOCKING (334) 
(emerging-rbn-BLOCK.rules) 2407668 - ET RBN Known Russian Business Network IP TCP - BLOCKING (335) (emerging-rbn-BLOCK.rules) 2407669 - ET RBN Known Russian Business Network IP UDP - BLOCKING (335) (emerging-rbn-BLOCK.rules) 2407670 - ET RBN Known Russian Business Network IP TCP - BLOCKING (336) (emerging-rbn-BLOCK.rules) 2407671 - ET RBN Known Russian Business Network IP UDP - BLOCKING (336) (emerging-rbn-BLOCK.rules) 2407672 - ET RBN Known Russian Business Network IP TCP - BLOCKING (337) (emerging-rbn-BLOCK.rules) 2407673 - ET RBN Known Russian Business Network IP UDP - BLOCKING (337) (emerging-rbn-BLOCK.rules) 2407674 - ET RBN Known Russian Business Network IP TCP - BLOCKING (338) (emerging-rbn-BLOCK.rules) 2407675 - ET RBN Known Russian Business Network IP UDP - BLOCKING (338) (emerging-rbn-BLOCK.rules) 2407676 - ET RBN Known Russian Business Network IP TCP - BLOCKING (339) (emerging-rbn-BLOCK.rules) 2407677 - ET RBN Known Russian Business Network IP UDP - BLOCKING (339) (emerging-rbn-BLOCK.rules) 2407678 - ET RBN Known Russian Business Network IP TCP - BLOCKING (340) (emerging-rbn-BLOCK.rules) 2407679 - ET RBN Known Russian Business Network IP UDP - BLOCKING (340) (emerging-rbn-BLOCK.rules) 2407680 - ET RBN Known Russian Business Network IP TCP - BLOCKING (341) (emerging-rbn-BLOCK.rules) 2407681 - ET RBN Known Russian Business Network IP UDP - BLOCKING (341) (emerging-rbn-BLOCK.rules) 2407682 - ET RBN Known Russian Business Network IP TCP - BLOCKING (342) (emerging-rbn-BLOCK.rules) 2407683 - ET RBN Known Russian Business Network IP UDP - BLOCKING (342) (emerging-rbn-BLOCK.rules) 2407684 - ET RBN Known Russian Business Network IP TCP - BLOCKING (343) (emerging-rbn-BLOCK.rules) 2407685 - ET RBN Known Russian Business Network IP UDP - BLOCKING (343) (emerging-rbn-BLOCK.rules) 2407686 - ET RBN Known Russian Business Network IP TCP - BLOCKING (344) (emerging-rbn-BLOCK.rules) 2407687 - ET RBN Known Russian Business Network IP UDP - BLOCKING (344) 
(emerging-rbn-BLOCK.rules) 2407688 - ET RBN Known Russian Business Network IP TCP - BLOCKING (345) (emerging-rbn-BLOCK.rules) 2407689 - ET RBN Known Russian Business Network IP UDP - BLOCKING (345) (emerging-rbn-BLOCK.rules) 2407690 - ET RBN Known Russian Business Network IP TCP - BLOCKING (346) (emerging-rbn-BLOCK.rules) 2407691 - ET RBN Known Russian Business Network IP UDP - BLOCKING (346) (emerging-rbn-BLOCK.rules) 2407692 - ET RBN Known Russian Business Network IP TCP - BLOCKING (347) (emerging-rbn-BLOCK.rules) 2407693 - ET RBN Known Russian Business Network IP UDP - BLOCKING (347) (emerging-rbn-BLOCK.rules) 2407694 - ET RBN Known Russian Business Network IP TCP - BLOCKING (348) (emerging-rbn-BLOCK.rules) 2407695 - ET RBN Known Russian Business Network IP UDP - BLOCKING (348) (emerging-rbn-BLOCK.rules) 2407696 - ET RBN Known Russian Business Network IP TCP - BLOCKING (349) (emerging-rbn-BLOCK.rules) 2407697 - ET RBN Known Russian Business Network IP UDP - BLOCKING (349) (emerging-rbn-BLOCK.rules) 2407698 - ET RBN Known Russian Business Network IP TCP - BLOCKING (350) (emerging-rbn-BLOCK.rules) 2407699 - ET RBN Known Russian Business Network IP UDP - BLOCKING (350) (emerging-rbn-BLOCK.rules) 2407700 - ET RBN Known Russian Business Network IP TCP - BLOCKING (351) (emerging-rbn-BLOCK.rules) 2407701 - ET RBN Known Russian Business Network IP UDP - BLOCKING (351) (emerging-rbn-BLOCK.rules) 2407702 - ET RBN Known Russian Business Network IP TCP - BLOCKING (352) (emerging-rbn-BLOCK.rules) 2407703 - ET RBN Known Russian Business Network IP UDP - BLOCKING (352) (emerging-rbn-BLOCK.rules) 2407704 - ET RBN Known Russian Business Network IP TCP - BLOCKING (353) (emerging-rbn-BLOCK.rules) 2407705 - ET RBN Known Russian Business Network IP UDP - BLOCKING (353) (emerging-rbn-BLOCK.rules) 2407706 - ET RBN Known Russian Business Network IP TCP - BLOCKING (354) (emerging-rbn-BLOCK.rules) 2407707 - ET RBN Known Russian Business Network IP UDP - BLOCKING (354) 
(emerging-rbn-BLOCK.rules) 2407708 - ET RBN Known Russian Business Network IP TCP - BLOCKING (355)
(emerging-rbn-BLOCK.rules) 2407709 - ET RBN Known Russian Business Network IP UDP - BLOCKING (355)
(emerging-rbn-BLOCK.rules) 2407710 - ET RBN Known Russian Business Network IP TCP - BLOCKING (356)
(emerging-rbn-BLOCK.rules) 2407711 - ET RBN Known Russian Business Network IP UDP - BLOCKING (356)
(emerging-rbn-BLOCK.rules) 2407712 - ET RBN Known Russian Business Network IP TCP - BLOCKING (357)
(emerging-rbn-BLOCK.rules) 2407713 - ET RBN Known Russian Business Network IP UDP - BLOCKING (357)
(emerging-rbn-BLOCK.rules) 2407714 - ET RBN Known Russian Business Network IP TCP - BLOCKING (358)
(emerging-rbn-BLOCK.rules) 2407715 - ET RBN Known Russian Business Network IP UDP - BLOCKING (358)
(emerging-rbn-BLOCK.rules) 2407716 - ET RBN Known Russian Business Network IP TCP - BLOCKING (359)
(emerging-rbn-BLOCK.rules) 2407717 - ET RBN Known Russian Business Network IP UDP - BLOCKING (359)
(emerging-rbn-BLOCK.rules) 2407718 - ET RBN Known Russian Business Network IP TCP - BLOCKING (360)
(emerging-rbn-BLOCK.rules) 2407719 - ET RBN Known Russian Business Network IP UDP - BLOCKING (360)
(emerging-rbn-BLOCK.rules) 2407720 - ET RBN Known Russian Business Network IP TCP - BLOCKING (361)
(emerging-rbn-BLOCK.rules) 2407721 - ET RBN Known Russian Business Network IP UDP - BLOCKING (361)
(emerging-rbn-BLOCK.rules) 2407722 - ET RBN Known Russian Business Network IP TCP - BLOCKING (362)
(emerging-rbn-BLOCK.rules) 2407723 - ET RBN Known Russian Business Network IP UDP - BLOCKING (362)
(emerging-rbn-BLOCK.rules) 2407724 - ET RBN Known Russian Business Network IP TCP - BLOCKING (363)
(emerging-rbn-BLOCK.rules) 2407725 - ET RBN Known Russian Business Network IP UDP - BLOCKING (363)
(emerging-rbn-BLOCK.rules) 2407726 - ET RBN Known Russian Business Network IP TCP - BLOCKING (364)
(emerging-rbn-BLOCK.rules) 2407727 - ET RBN Known Russian Business Network IP UDP - BLOCKING (364)
(emerging-rbn-BLOCK.rules) 2407728 - ET RBN Known Russian Business Network IP TCP - BLOCKING (365)
(emerging-rbn-BLOCK.rules) 2407729 - ET RBN Known Russian Business Network IP UDP - BLOCKING (365)
(emerging-rbn-BLOCK.rules) 2407730 - ET RBN Known Russian Business Network IP TCP - BLOCKING (366)
(emerging-rbn-BLOCK.rules) 2407731 - ET RBN Known Russian Business Network IP UDP - BLOCKING (366)
(emerging-rbn-BLOCK.rules) 2407732 - ET RBN Known Russian Business Network IP TCP - BLOCKING (367)
(emerging-rbn-BLOCK.rules) 2407733 - ET RBN Known Russian Business Network IP UDP - BLOCKING (367)
(emerging-rbn-BLOCK.rules) 2407734 - ET RBN Known Russian Business Network IP TCP - BLOCKING (368)
(emerging-rbn-BLOCK.rules) 2407735 - ET RBN Known Russian Business Network IP UDP - BLOCKING (368)
(emerging-rbn-BLOCK.rules) 2407736 - ET RBN Known Russian Business Network IP TCP - BLOCKING (369)
(emerging-rbn-BLOCK.rules) 2407737 - ET RBN Known Russian Business Network IP UDP - BLOCKING (369)
(emerging-rbn-BLOCK.rules) 2407738 - ET RBN Known Russian Business Network IP TCP - BLOCKING (370)
(emerging-rbn-BLOCK.rules) 2407739 - ET RBN Known Russian Business Network IP UDP - BLOCKING (370)
(emerging-rbn-BLOCK.rules) 2407740 - ET RBN Known Russian Business Network IP TCP - BLOCKING (371)
(emerging-rbn-BLOCK.rules) 2407741 - ET RBN Known Russian Business Network IP UDP - BLOCKING (371)
(emerging-rbn-BLOCK.rules) 2407742 - ET RBN Known Russian Business Network IP TCP - BLOCKING (372)
(emerging-rbn-BLOCK.rules) 2407743 - ET RBN Known Russian Business Network IP UDP - BLOCKING (372)
(emerging-rbn-BLOCK.rules) 2407744 - ET RBN Known Russian Business Network IP TCP - BLOCKING (373)
(emerging-rbn-BLOCK.rules) 2407745 - ET RBN Known Russian Business Network IP UDP - BLOCKING (373)
(emerging-rbn-BLOCK.rules) 2407746 - ET RBN Known Russian Business Network IP TCP - BLOCKING (374)
(emerging-rbn-BLOCK.rules) 2407747 - ET RBN Known Russian Business Network IP UDP - BLOCKING (374)
(emerging-rbn-BLOCK.rules) 2407748 - ET RBN Known Russian Business Network IP TCP - BLOCKING (375)
(emerging-rbn-BLOCK.rules) 2407749 - ET RBN Known Russian Business Network IP UDP - BLOCKING (375)
(emerging-rbn-BLOCK.rules) 2407750 - ET RBN Known Russian Business Network IP TCP - BLOCKING (376)
(emerging-rbn-BLOCK.rules) 2407751 - ET RBN Known Russian Business Network IP UDP - BLOCKING (376)
(emerging-rbn-BLOCK.rules) 2407752 - ET RBN Known Russian Business Network IP TCP - BLOCKING (377)
(emerging-rbn-BLOCK.rules) 2407753 - ET RBN Known Russian Business Network IP UDP - BLOCKING (377)
(emerging-rbn-BLOCK.rules) 2407754 - ET RBN Known Russian Business Network IP TCP - BLOCKING (378)
(emerging-rbn-BLOCK.rules) 2407755 - ET RBN Known Russian Business Network IP UDP - BLOCKING (378)
(emerging-rbn-BLOCK.rules) 2407756 - ET RBN Known Russian Business Network IP TCP - BLOCKING (379)
(emerging-rbn-BLOCK.rules) 2407757 - ET RBN Known Russian Business Network IP UDP - BLOCKING (379)
(emerging-rbn-BLOCK.rules) 2407758 - ET RBN Known Russian Business Network IP TCP - BLOCKING (380)
(emerging-rbn-BLOCK.rules) 2407759 - ET RBN Known Russian Business Network IP UDP - BLOCKING (380)
(emerging-rbn-BLOCK.rules) 2407760 - ET RBN Known Russian Business Network IP TCP - BLOCKING (381)
(emerging-rbn-BLOCK.rules) 2407761 - ET RBN Known Russian Business Network IP UDP - BLOCKING (381)
(emerging-rbn-BLOCK.rules) 2407762 - ET RBN Known Russian Business Network IP TCP - BLOCKING (382)
(emerging-rbn-BLOCK.rules) 2407763 - ET RBN Known Russian Business Network IP UDP - BLOCKING (382)
(emerging-rbn-BLOCK.rules) 2407764 - ET RBN Known Russian Business Network IP TCP - BLOCKING (383)
(emerging-rbn-BLOCK.rules) 2407765 - ET RBN Known Russian Business Network IP UDP - BLOCKING (383)
(emerging-rbn-BLOCK.rules) 2407766 - ET RBN Known Russian Business Network IP TCP - BLOCKING (384)
(emerging-rbn-BLOCK.rules) 2407767 - ET RBN Known Russian Business Network IP UDP - BLOCKING (384)
(emerging-rbn-BLOCK.rules) 2407768 - ET RBN Known Russian Business Network IP TCP - BLOCKING (385)
(emerging-rbn-BLOCK.rules) 2407769 - ET RBN Known Russian Business Network IP UDP - BLOCKING (385)
(emerging-rbn-BLOCK.rules) 2407770 - ET RBN Known Russian Business Network IP TCP - BLOCKING (386)
(emerging-rbn-BLOCK.rules) 2407771 - ET RBN Known Russian Business Network IP UDP - BLOCKING (386)
(emerging-rbn-BLOCK.rules) 2407772 - ET RBN Known Russian Business Network IP TCP - BLOCKING (387)
(emerging-rbn-BLOCK.rules) 2407773 - ET RBN Known Russian Business Network IP UDP - BLOCKING (387)
(emerging-rbn-BLOCK.rules) 2407774 - ET RBN Known Russian Business Network IP TCP - BLOCKING (388)
(emerging-rbn-BLOCK.rules) 2407775 - ET RBN Known Russian Business Network IP UDP - BLOCKING (388)
(emerging-rbn-BLOCK.rules) 2407776 - ET RBN Known Russian Business Network IP TCP - BLOCKING (389)
(emerging-rbn-BLOCK.rules) 2407777 - ET RBN Known Russian Business Network IP UDP - BLOCKING (389)
(emerging-rbn-BLOCK.rules) 2407778 - ET RBN Known Russian Business Network IP TCP - BLOCKING (390)
(emerging-rbn-BLOCK.rules) 2407779 - ET RBN Known Russian Business Network IP UDP - BLOCKING (390)
(emerging-rbn-BLOCK.rules) 2407780 - ET RBN Known Russian Business Network IP TCP - BLOCKING (391)
(emerging-rbn-BLOCK.rules) 2407781 - ET RBN Known Russian Business Network IP UDP - BLOCKING (391)
(emerging-rbn-BLOCK.rules) 2407782 - ET RBN Known Russian Business Network IP TCP - BLOCKING (392)
(emerging-rbn-BLOCK.rules) 2407783 - ET RBN Known Russian Business Network IP UDP - BLOCKING (392)
(emerging-rbn-BLOCK.rules) 2407784 - ET RBN Known Russian Business Network IP TCP - BLOCKING (393)
(emerging-rbn-BLOCK.rules) 2407785 - ET RBN Known Russian Business Network IP UDP - BLOCKING (393)
(emerging-rbn-BLOCK.rules) 2407786 - ET RBN Known Russian Business Network IP TCP - BLOCKING (394)
(emerging-rbn-BLOCK.rules) 2407787 - ET RBN Known Russian Business Network IP UDP - BLOCKING (394)
(emerging-rbn-BLOCK.rules) 2407788 - ET RBN Known Russian Business Network IP TCP - BLOCKING (395)
(emerging-rbn-BLOCK.rules) 2407789 - ET RBN Known Russian Business Network IP UDP - BLOCKING (395)
(emerging-rbn-BLOCK.rules) 2407790 - ET RBN Known Russian Business Network IP TCP - BLOCKING (396)
(emerging-rbn-BLOCK.rules) 2407791 - ET RBN Known Russian Business Network IP UDP - BLOCKING (396)
(emerging-rbn-BLOCK.rules) 2407792 - ET RBN Known Russian Business Network IP TCP - BLOCKING (397)
(emerging-rbn-BLOCK.rules) 2407793 - ET RBN Known Russian Business Network IP UDP - BLOCKING (397)
(emerging-rbn-BLOCK.rules) 2407794 - ET RBN Known Russian Business Network IP TCP - BLOCKING (398)
(emerging-rbn-BLOCK.rules) 2407795 - ET RBN Known Russian Business Network IP UDP - BLOCKING (398)
(emerging-rbn-BLOCK.rules) 2407796 - ET RBN Known Russian Business Network IP TCP - BLOCKING (399)
(emerging-rbn-BLOCK.rules) 2407797 - ET RBN Known Russian Business Network IP UDP - BLOCKING (399)
(emerging-rbn-BLOCK.rules) 2407798 - ET RBN Known Russian Business Network IP TCP - BLOCKING (400)
(emerging-rbn-BLOCK.rules) 2407799 - ET RBN Known Russian Business Network IP UDP - BLOCKING (400)
(emerging-rbn-BLOCK.rules) 2407800 - ET RBN Known Russian Business Network IP TCP - BLOCKING (401)
(emerging-rbn-BLOCK.rules) 2407801 - ET RBN Known Russian Business Network IP UDP - BLOCKING (401)
(emerging-rbn-BLOCK.rules) 2407802 - ET RBN Known Russian Business Network IP TCP - BLOCKING (402)
(emerging-rbn-BLOCK.rules) 2407803 - ET RBN Known Russian Business Network IP UDP - BLOCKING (402)
(emerging-rbn-BLOCK.rules) 2407804 - ET RBN Known Russian Business Network IP TCP - BLOCKING (403)
(emerging-rbn-BLOCK.rules) 2407805 - ET RBN Known Russian Business Network IP UDP - BLOCKING (403)
(emerging-rbn-BLOCK.rules) 2407806 - ET RBN Known Russian Business Network IP TCP - BLOCKING (404)
(emerging-rbn-BLOCK.rules) 2407807 - ET RBN Known Russian Business Network IP UDP - BLOCKING (404)
(emerging-rbn-BLOCK.rules) 2407808 - ET RBN Known Russian Business Network IP TCP - BLOCKING (405)
(emerging-rbn-BLOCK.rules) 2407809 - ET RBN Known Russian Business Network IP UDP - BLOCKING (405)
(emerging-rbn-BLOCK.rules) 2407810 - ET RBN Known Russian Business Network IP TCP - BLOCKING (406)
(emerging-rbn-BLOCK.rules) 2407811 - ET RBN Known Russian Business Network IP UDP - BLOCKING (406)
(emerging-rbn-BLOCK.rules) 2407812 - ET RBN Known Russian Business Network IP TCP - BLOCKING (407)
(emerging-rbn-BLOCK.rules) 2407813 - ET RBN Known Russian Business Network IP UDP - BLOCKING (407)
(emerging-rbn-BLOCK.rules) 2407814 - ET RBN Known Russian Business Network IP TCP - BLOCKING (408)
(emerging-rbn-BLOCK.rules) 2407815 - ET RBN Known Russian Business Network IP UDP - BLOCKING (408)
(emerging-rbn-BLOCK.rules) 2407816 - ET RBN Known Russian Business Network IP TCP - BLOCKING (409)
(emerging-rbn-BLOCK.rules) 2407817 - ET RBN Known Russian Business Network IP UDP - BLOCKING (409)
(emerging-rbn-BLOCK.rules) 2407818 - ET RBN Known Russian Business Network IP TCP - BLOCKING (410)
(emerging-rbn-BLOCK.rules) 2407819 - ET RBN Known Russian Business Network IP UDP - BLOCKING (410)
(emerging-rbn-BLOCK.rules) 2407820 - ET RBN Known Russian Business Network IP TCP - BLOCKING (411)
(emerging-rbn-BLOCK.rules) 2407821 - ET RBN Known Russian Business Network IP UDP - BLOCKING (411)
(emerging-rbn-BLOCK.rules) 2407822 - ET RBN Known Russian Business Network IP TCP - BLOCKING (412)
(emerging-rbn-BLOCK.rules) 2407823 - ET RBN Known Russian Business Network IP UDP - BLOCKING (412)
(emerging-rbn-BLOCK.rules) 2407824 - ET RBN Known Russian Business Network IP TCP - BLOCKING (413)
(emerging-rbn-BLOCK.rules) 2407825 - ET RBN Known Russian Business Network IP UDP - BLOCKING (413)
(emerging-rbn-BLOCK.rules) 2407826 - ET RBN Known Russian Business Network IP TCP - BLOCKING (414)
(emerging-rbn-BLOCK.rules) 2407827 - ET RBN Known Russian Business Network IP UDP - BLOCKING (414)
(emerging-rbn-BLOCK.rules) 2407828 - ET RBN Known Russian Business Network IP TCP - BLOCKING (415)
(emerging-rbn-BLOCK.rules) 2407829 - ET RBN Known Russian Business Network IP UDP - BLOCKING (415)
(emerging-rbn-BLOCK.rules) 2407830 - ET RBN Known Russian Business Network IP TCP - BLOCKING (416)
(emerging-rbn-BLOCK.rules) 2407831 - ET RBN Known Russian Business Network IP UDP - BLOCKING (416)
(emerging-rbn-BLOCK.rules) 2407832 - ET RBN Known Russian Business Network IP TCP - BLOCKING (417)
(emerging-rbn-BLOCK.rules) 2407833 - ET RBN Known Russian Business Network IP UDP - BLOCKING (417)
(emerging-rbn-BLOCK.rules) 2407834 - ET RBN Known Russian Business Network IP TCP - BLOCKING (418)
(emerging-rbn-BLOCK.rules) 2407835 - ET RBN Known Russian Business Network IP UDP - BLOCKING (418)
(emerging-rbn-BLOCK.rules) 2407836 - ET RBN Known Russian Business Network IP TCP - BLOCKING (419)
(emerging-rbn-BLOCK.rules) 2407837 - ET RBN Known Russian Business Network IP UDP - BLOCKING (419)
(emerging-rbn-BLOCK.rules) 2407838 - ET RBN Known Russian Business Network IP TCP - BLOCKING (420)
(emerging-rbn-BLOCK.rules) 2407839 - ET RBN Known Russian Business Network IP UDP - BLOCKING (420)
(emerging-rbn-BLOCK.rules) 2407840 - ET RBN Known Russian Business Network IP TCP - BLOCKING (421)
(emerging-rbn-BLOCK.rules) 2407841 - ET RBN Known Russian Business Network IP UDP - BLOCKING (421)
(emerging-rbn-BLOCK.rules) 2407842 - ET RBN Known Russian Business Network IP TCP - BLOCKING (422)
(emerging-rbn-BLOCK.rules) 2407843 - ET RBN Known Russian Business Network IP UDP - BLOCKING (422)
(emerging-rbn-BLOCK.rules) 2407844 - ET RBN Known Russian Business Network IP TCP - BLOCKING (423)
(emerging-rbn-BLOCK.rules) 2407845 - ET RBN Known Russian Business Network IP UDP - BLOCKING (423)
(emerging-rbn-BLOCK.rules) 2407846 - ET RBN Known Russian Business Network IP TCP - BLOCKING (424)
(emerging-rbn-BLOCK.rules) 2407847 - ET RBN Known Russian Business Network IP UDP - BLOCKING (424)
(emerging-rbn-BLOCK.rules) 2407848 - ET RBN Known Russian Business Network IP TCP - BLOCKING (425)
(emerging-rbn-BLOCK.rules) 2407849 - ET RBN Known Russian Business Network IP UDP - BLOCKING (425)
(emerging-rbn-BLOCK.rules) 2407850 - ET RBN Known Russian Business Network IP TCP - BLOCKING (426)
(emerging-rbn-BLOCK.rules) 2407851 - ET RBN Known Russian Business Network IP UDP - BLOCKING (426)
(emerging-rbn-BLOCK.rules) 2407852 - ET RBN Known Russian Business Network IP TCP - BLOCKING (427)
(emerging-rbn-BLOCK.rules) 2407853 - ET RBN Known Russian Business Network IP UDP - BLOCKING (427)
(emerging-rbn-BLOCK.rules) 2407854 - ET RBN Known Russian Business Network IP TCP - BLOCKING (428)
(emerging-rbn-BLOCK.rules) 2407855 - ET RBN Known Russian Business Network IP UDP - BLOCKING (428)
(emerging-rbn-BLOCK.rules) 2407856 - ET RBN Known Russian Business Network IP TCP - BLOCKING (429)
(emerging-rbn-BLOCK.rules) 2407857 - ET RBN Known Russian Business Network IP UDP - BLOCKING (429)
(emerging-rbn-BLOCK.rules) 2407858 - ET RBN Known Russian Business Network IP TCP - BLOCKING (430)
(emerging-rbn-BLOCK.rules) 2407859 - ET RBN Known Russian Business Network IP UDP - BLOCKING (430)
(emerging-rbn-BLOCK.rules) 2407860 - ET RBN Known Russian Business Network IP TCP - BLOCKING (431)
(emerging-rbn-BLOCK.rules) 2407861 - ET RBN Known Russian Business Network IP UDP - BLOCKING (431)
(emerging-rbn-BLOCK.rules) 2407862 - ET RBN Known Russian Business Network IP TCP - BLOCKING (432)
(emerging-rbn-BLOCK.rules) 2407863 - ET RBN Known Russian Business Network IP UDP - BLOCKING (432)
(emerging-rbn-BLOCK.rules) 2407864 - ET RBN Known Russian Business Network IP TCP - BLOCKING (433)
(emerging-rbn-BLOCK.rules) 2407865 - ET RBN Known Russian Business Network IP UDP - BLOCKING (433)
(emerging-rbn-BLOCK.rules) 2407866 - ET RBN Known Russian Business Network IP TCP - BLOCKING (434)
(emerging-rbn-BLOCK.rules) 2407867 - ET RBN Known Russian Business Network IP UDP - BLOCKING (434)
(emerging-rbn-BLOCK.rules) 2407868 - ET RBN Known Russian Business Network IP TCP - BLOCKING (435)
(emerging-rbn-BLOCK.rules) 2407869 - ET RBN Known Russian Business Network IP UDP - BLOCKING (435)
(emerging-rbn-BLOCK.rules) 2407870 - ET RBN Known Russian Business Network IP TCP - BLOCKING (436)
(emerging-rbn-BLOCK.rules) 2407871 - ET RBN Known Russian Business Network IP UDP - BLOCKING (436)
(emerging-rbn-BLOCK.rules) 2407872 - ET RBN Known Russian Business Network IP TCP - BLOCKING (437)
(emerging-rbn-BLOCK.rules) 2407873 - ET RBN Known Russian Business Network IP UDP - BLOCKING (437)
(emerging-rbn-BLOCK.rules) 2407874 - ET RBN Known Russian Business Network IP TCP - BLOCKING (438)
(emerging-rbn-BLOCK.rules) 2407875 - ET RBN Known Russian Business Network IP UDP - BLOCKING (438)
(emerging-rbn-BLOCK.rules) 2407876 - ET RBN Known Russian Business Network IP TCP - BLOCKING (439)
(emerging-rbn-BLOCK.rules) 2407877 - ET RBN Known Russian Business Network IP UDP - BLOCKING (439)
(emerging-rbn-BLOCK.rules) 2407878 - ET RBN Known Russian Business Network IP TCP - BLOCKING (440)
(emerging-rbn-BLOCK.rules) 2407879 - ET RBN Known Russian Business Network IP UDP - BLOCKING (440)
(emerging-rbn-BLOCK.rules) 2407880 - ET RBN Known Russian Business Network IP TCP - BLOCKING (441)
(emerging-rbn-BLOCK.rules) 2407881 - ET RBN Known Russian Business Network IP UDP - BLOCKING (441)
(emerging-rbn-BLOCK.rules) 2407882 - ET RBN Known Russian Business Network IP TCP - BLOCKING (442)
(emerging-rbn-BLOCK.rules) 2407883 - ET RBN Known Russian Business Network IP UDP - BLOCKING (442)
(emerging-rbn-BLOCK.rules) 2407884 - ET RBN Known Russian Business Network IP TCP - BLOCKING (443)
(emerging-rbn-BLOCK.rules) 2407885 - ET RBN Known Russian Business Network IP UDP - BLOCKING (443)
(emerging-rbn-BLOCK.rules) 2407886 - ET RBN Known Russian Business Network IP TCP - BLOCKING (444)
(emerging-rbn-BLOCK.rules) 2407887 - ET RBN Known Russian Business Network IP UDP - BLOCKING (444)
(emerging-rbn-BLOCK.rules) 2407888 - ET RBN Known Russian Business Network IP TCP - BLOCKING (445)
(emerging-rbn-BLOCK.rules) 2407889 - ET RBN Known Russian Business Network IP UDP - BLOCKING (445)
(emerging-rbn-BLOCK.rules) 2407890 - ET RBN Known Russian Business Network IP TCP - BLOCKING (446)
(emerging-rbn-BLOCK.rules) 2407891 - ET RBN Known Russian Business Network IP UDP - BLOCKING (446)
(emerging-rbn-BLOCK.rules) 2407892 - ET RBN Known Russian Business Network IP TCP - BLOCKING (447)
(emerging-rbn-BLOCK.rules) 2407893 - ET RBN Known Russian Business Network IP UDP - BLOCKING (447)
(emerging-rbn-BLOCK.rules) 2407894 - ET RBN Known Russian Business Network IP TCP - BLOCKING (448)
(emerging-rbn-BLOCK.rules) 2407895 - ET RBN Known Russian Business Network IP UDP - BLOCKING (448)
(emerging-rbn-BLOCK.rules) 2407896 - ET RBN Known Russian Business Network IP TCP - BLOCKING (449)
(emerging-rbn-BLOCK.rules) 2407897 - ET RBN Known Russian Business Network IP UDP - BLOCKING (449)
(emerging-rbn-BLOCK.rules) 2407898 - ET RBN Known Russian Business Network IP TCP - BLOCKING (450)
(emerging-rbn-BLOCK.rules) 2407899 - ET RBN Known Russian Business Network IP UDP - BLOCKING (450)
(emerging-rbn-BLOCK.rules) 2407900 - ET RBN Known Russian Business Network IP TCP - BLOCKING (451)
(emerging-rbn-BLOCK.rules) 2407901 - ET RBN Known Russian Business Network IP UDP - BLOCKING (451)
(emerging-rbn-BLOCK.rules) 2407902 - ET RBN Known Russian Business Network IP TCP - BLOCKING (452)
(emerging-rbn-BLOCK.rules) 2407903 - ET RBN Known Russian Business Network IP UDP - BLOCKING (452)
(emerging-rbn-BLOCK.rules) 2407904 - ET RBN Known Russian Business Network IP TCP - BLOCKING (453)
(emerging-rbn-BLOCK.rules) 2407905 - ET RBN Known Russian Business Network IP UDP - BLOCKING (453)
(emerging-rbn-BLOCK.rules) 2407906 - ET RBN Known Russian Business Network IP TCP - BLOCKING (454)
(emerging-rbn-BLOCK.rules) 2407907 - ET RBN Known Russian Business Network IP UDP - BLOCKING (454)
(emerging-rbn-BLOCK.rules) 2407908 - ET RBN Known Russian Business Network IP TCP - BLOCKING (455)
(emerging-rbn-BLOCK.rules) 2407909 - ET RBN Known Russian Business Network IP UDP - BLOCKING (455)
(emerging-rbn-BLOCK.rules) 2407910 - ET RBN Known Russian Business Network IP TCP - BLOCKING (456)
(emerging-rbn-BLOCK.rules) 2407911 - ET RBN Known Russian Business Network IP UDP - BLOCKING (456)
(emerging-rbn-BLOCK.rules) 2407912 - ET RBN Known Russian Business Network IP TCP - BLOCKING (457)
(emerging-rbn-BLOCK.rules) 2407913 - ET RBN Known Russian Business Network IP UDP - BLOCKING (457)
(emerging-rbn-BLOCK.rules) 2407914 - ET RBN Known Russian Business Network IP TCP - BLOCKING (458)
(emerging-rbn-BLOCK.rules) 2407915 - ET RBN Known Russian Business Network IP UDP - BLOCKING (458)
(emerging-rbn-BLOCK.rules) 2407916 - ET RBN Known Russian Business Network IP TCP - BLOCKING (459)
(emerging-rbn-BLOCK.rules) 2407917 - ET RBN Known Russian Business Network IP UDP - BLOCKING (459)
(emerging-rbn-BLOCK.rules) 2407918 - ET RBN Known Russian Business Network IP TCP - BLOCKING (460)
(emerging-rbn-BLOCK.rules) 2407919 - ET RBN Known Russian Business Network IP UDP - BLOCKING (460)
(emerging-rbn-BLOCK.rules) 2407920 - ET RBN Known Russian Business Network IP TCP - BLOCKING (461)
(emerging-rbn-BLOCK.rules) 2407921 - ET RBN Known Russian Business Network IP UDP - BLOCKING (461)
(emerging-rbn-BLOCK.rules) 2407922 - ET RBN Known Russian Business Network IP TCP - BLOCKING (462)
(emerging-rbn-BLOCK.rules) 2407923 - ET RBN Known Russian Business Network IP UDP - BLOCKING (462)
(emerging-rbn-BLOCK.rules) 2407924 - ET RBN Known Russian Business Network IP TCP - BLOCKING (463)
(emerging-rbn-BLOCK.rules) 2407925 - ET RBN Known Russian Business Network IP UDP - BLOCKING (463)
(emerging-rbn-BLOCK.rules) 2407926 - ET RBN Known Russian Business Network IP TCP - BLOCKING (464)
(emerging-rbn-BLOCK.rules) 2407927 - ET RBN Known Russian Business Network IP UDP - BLOCKING (464)
(emerging-rbn-BLOCK.rules) 2407928 - ET RBN Known Russian Business Network IP TCP - BLOCKING (465)
(emerging-rbn-BLOCK.rules) 2407929 - ET RBN Known Russian Business Network IP UDP - BLOCKING (465)
(emerging-rbn-BLOCK.rules) 2407930 - ET RBN Known Russian Business Network IP TCP - BLOCKING (466)
(emerging-rbn-BLOCK.rules) 2407931 - ET RBN Known Russian Business Network IP UDP - BLOCKING (466)
(emerging-rbn-BLOCK.rules) 2407932 - ET RBN Known Russian Business Network IP TCP - BLOCKING (467)
(emerging-rbn-BLOCK.rules) 2407933 - ET RBN Known Russian Business Network IP UDP - BLOCKING (467)
(emerging-rbn-BLOCK.rules) 2407934 - ET RBN Known Russian Business Network IP TCP - BLOCKING (468)
(emerging-rbn-BLOCK.rules) 2407935 - ET RBN Known Russian Business Network IP UDP - BLOCKING (468)
(emerging-rbn-BLOCK.rules) 2407936 - ET RBN Known Russian Business Network IP TCP - BLOCKING (469)
(emerging-rbn-BLOCK.rules) 2407937 - ET RBN Known Russian Business Network IP UDP - BLOCKING (469)
(emerging-rbn-BLOCK.rules) 2407938 - ET RBN Known Russian Business Network IP TCP - BLOCKING (470)
(emerging-rbn-BLOCK.rules) 2407939 - ET RBN Known Russian Business Network IP UDP - BLOCKING (470)
(emerging-rbn-BLOCK.rules) 2407940 - ET RBN Known Russian Business Network IP TCP - BLOCKING (471)
(emerging-rbn-BLOCK.rules) 2407941 - ET RBN Known Russian Business Network IP UDP - BLOCKING (471)
(emerging-rbn-BLOCK.rules) 2407942 - ET RBN Known Russian Business Network IP TCP - BLOCKING (472)
(emerging-rbn-BLOCK.rules) 2407943 - ET RBN Known Russian Business Network IP UDP - BLOCKING (472)
(emerging-rbn-BLOCK.rules) 2407944 - ET RBN Known Russian Business Network IP TCP - BLOCKING (473)
(emerging-rbn-BLOCK.rules) 2407945 - ET RBN Known Russian Business Network IP UDP - BLOCKING (473)
(emerging-rbn-BLOCK.rules) 2407946 - ET RBN Known Russian Business Network IP TCP - BLOCKING (474)
(emerging-rbn-BLOCK.rules) 2407947 - ET RBN Known Russian Business Network IP UDP - BLOCKING (474)
(emerging-rbn-BLOCK.rules) 2407948 - ET RBN Known Russian Business Network IP TCP - BLOCKING (475)
(emerging-rbn-BLOCK.rules) 2407949 - ET RBN Known Russian Business Network IP UDP - BLOCKING (475)
(emerging-rbn-BLOCK.rules) 2407950 - ET RBN Known Russian Business Network IP TCP - BLOCKING (476)
(emerging-rbn-BLOCK.rules) 2407951 - ET RBN Known Russian Business Network IP UDP - BLOCKING (476)
(emerging-rbn-BLOCK.rules) 2407952 - ET RBN Known Russian Business Network IP TCP - BLOCKING (477)
(emerging-rbn-BLOCK.rules) 2407953 - ET RBN Known Russian Business Network IP UDP - BLOCKING (477)
(emerging-rbn-BLOCK.rules) 2407954 - ET RBN Known Russian Business Network IP TCP - BLOCKING (478)
(emerging-rbn-BLOCK.rules) 2407955 - ET RBN Known Russian Business Network IP UDP - BLOCKING (478)
(emerging-rbn-BLOCK.rules) 2407956 - ET RBN Known Russian Business Network IP TCP - BLOCKING (479)
(emerging-rbn-BLOCK.rules) 2407957 - ET RBN Known Russian Business Network IP UDP - BLOCKING (479)
(emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-current_events.rules (3):
#by evilghost 11/2/09
#by phrantic
#by anon 4

-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1709
# Generated 2009-11-07 00:03:02 EDT

-> Added to emerging-drop.rules (2):
# VERSION 1709
# Generated 2009-11-07 00:03:02 EDT

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 152
# Updated 2009-11-02 15:18:31

-> Added to emerging-rbn.rules (2):
# VERSION 152
# Updated 2009-11-02 15:18:31

-> Added to emerging-sid-msg.map (307):
2002971 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
2008127 || ET WEB_CLIENT ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Data_Dynamics || url,doc.emergingthreats.net/2008127 || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959
2008450 || ET TROJAN Donbot Connect to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Donbot || url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/ || url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html || url,doc.emergingthreats.net/2008450
2008451 || ET TROJAN Donbot Report to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus || url,doc.emergingthreats.net/2008451 || url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/ || url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html
2008737 || ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008737
2008738 || ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008738
2008739 || ET TROJAN Conficker/MS08-067 Worm Traffic Outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008739
2009702 || ET POLICY DNS Update From External net || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Bind || url,doc.emergingthreats.net/2009702
2010121 || ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Xoops || url,doc.emergingthreats.net/2010121 || url,xforce.iss.net/xforce/xfdb/51985 || url,milw0rm.com/exploits/9249
2010122 || ET WEB_SPECIFIC NewSolved newsscript.php idneu Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_NewSolved || url,doc.emergingthreats.net/2010122 || url,milw0rm.com/exploits/9042 || url,secunia.com/advisories/35611/
2010123 || ET WEB_SPECIFIC NewSolved newsscript.php newsid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_NewSolved || url,doc.emergingthreats.net/2010123 || url,milw0rm.com/exploits/9042 || url,secunia.com/advisories/35611/
2010124 || ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SERWeb || url,doc.emergingthreats.net/2010124 || url,milworm.com/exploits/9284 || bugtraq,26747
2010125 || ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SERWeb || url,doc.emergingthreats.net/2010125 || url,milworm.com/exploits/9284 || bugtraq,26747
2010126 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Ultrize || url,doc.emergingthreats.net/2010126 || url,secunia.com/advisories/36033/ || url,milw0rm.com/exploits/9297
2010127 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Ultrize || url,doc.emergingthreats.net/2010127 || url,secunia.com/advisories/36033/ || url,milw0rm.com/exploits/9297
2010129 || ET USER_AGENTS TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010129
2010130 || ET USER_AGENTS Suspicious HTTP Request with empty User Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010130
2010131 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010131 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/1023017.html
2010132 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo || url,doc.emergingthreats.net/2010132 || cve,2009-2734 || url,www.securityfocus.com/bid/36660/info || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,securitytracker.com/alerts/2009/Oct/102
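The sid-msg.map lines in the digest follow the "sid || msg || type,value || type,value ..." layout that Snort and Suricata tooling reads to turn a sid into an alert message and its references. What follows is an added example, not code from the Emerging Threats digest or from Oinkmaster: it parses lines in that layout, canonicalises the two CVE spellings that both occur above ("cve,2006-1303" and "cve,CVE-2007-3883"), expands references to URLs, and reports added, removed and changed sids between two revisions of the map the way this digest does. The reference.config bases in REFERENCE_BASES are the conventional Snort defaults and are an assumption here (a sensor's own reference.config is authoritative); the NEW_MAP lines are copied from the digest, while OLD_MAP is a constructed "previous revision" that exists only to exercise the diff.

```python
# Added example: parse sid-msg.map lines and diff two revisions of the map.
# Not part of the Emerging Threats digest or of Oinkmaster.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Conventional reference.config bases for the reference types seen in the
# digest.  ASSUMPTION of this example; a sensor's own reference.config wins.
REFERENCE_BASES = {
    "url": "http://",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
}

# Accepts both "2006-1303" and "CVE-2007-3883", the two spellings in the digest.
_CVE_RE = re.compile(r"^(?:CVE-)?(\d{4}-\d{4,})$", re.IGNORECASE)


@dataclass
class SidMapEntry:
    sid: int
    msg: str
    references: List[Tuple[str, str]] = field(default_factory=list)

    def reference_urls(self) -> List[str]:
        """Expand (type, value) references into URLs; unknown types are an error."""
        urls = []
        for rtype, value in self.references:
            if rtype not in REFERENCE_BASES:
                raise ValueError(f"sid {self.sid}: unknown reference type {rtype!r}")
            urls.append(REFERENCE_BASES[rtype] + value)
        return urls


def normalize_reference(rtype: str, value: str) -> Tuple[str, str]:
    """Lower-case the type and put CVE ids into canonical CVE-YYYY-NNNN form."""
    rtype, value = rtype.strip().lower(), value.strip()
    if rtype == "cve":
        m = _CVE_RE.match(value)
        if not m:
            raise ValueError(f"malformed CVE reference {value!r}")
        value = "CVE-" + m.group(1)
    return rtype, value


def parse_line(line: str) -> SidMapEntry:
    """Parse one 'sid || msg || type,value || type,value ...' line."""
    fields = [f.strip() for f in line.split("||")]
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError(f"not a sid-msg.map line: {line!r}")
    references = []
    for ref in fields[2:]:
        if "," not in ref:
            raise ValueError(f"sid {fields[0]}: reference without a type: {ref!r}")
        rtype, value = ref.split(",", 1)  # split once: URL values may contain commas
        references.append(normalize_reference(rtype, value))
    return SidMapEntry(int(fields[0]), fields[1], references)


def parse_map(text: str) -> Dict[int, SidMapEntry]:
    """Parse a whole map; blank and '#' lines are skipped, duplicate sids rejected."""
    entries: Dict[int, SidMapEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_line(line)
        if entry.sid in entries:
            raise ValueError(f"duplicate sid {entry.sid}")
        entries[entry.sid] = entry
    return entries


def diff_maps(old: Dict[int, SidMapEntry], new: Dict[int, SidMapEntry]):
    """Added, removed and changed sids between two revisions, as a digest reports them."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(s for s in set(old) & set(new) if old[s] != new[s])
    return added, removed, changed


# Three lines copied verbatim from the digest's sid-msg.map additions.
NEW_MAP = """\
2002971 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
2008127 || ET WEB_CLIENT ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Data_Dynamics || url,doc.emergingthreats.net/2008127 || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959
2010130 || ET USER_AGENTS Suspicious HTTP Request with empty User Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010130
"""

# CONSTRUCTED previous revision for the diff demonstration (not from the
# digest): 2010130 not yet present, 2008127 without its bugtraq reference.
OLD_MAP = """\
# constructed revision
2002971 || ET WEB_CLIENT ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS06-021 || url,doc.emergingthreats.net/2002971 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
2008127 || ET WEB_CLIENT ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Data_Dynamics || url,doc.emergingthreats.net/2008127 || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883
"""

if __name__ == "__main__":
    new = parse_map(NEW_MAP)
    for sid, entry in sorted(new.items()):
        print(sid, entry.msg)
        for url in entry.reference_urls():
            print("    ", url)
    print("added/removed/changed:", diff_maps(parse_map(OLD_MAP), new))
```

Splitting each reference on the first comma only matters in practice: the url values above contain no commas, but path or query strings in other maps can, and a naive split would silently drop the tail. Rejecting unknown reference types rather than passing them through keeps a typo in a map from producing a dead link at alert time.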