From lists at keamera.org  Tue Sep  1 04:52:34 2009
From: lists at keamera.org (Guido Landi)
Date: Tue, 01 Sep 2009 10:52:34 +0200
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <20090831235136.GA40797@knobbe.us>
References: <1251755569.42741.11.camel@localhost>	<4A9C5FF2.9090009@packetmail.net>
	<4A9C6159.4050903@packetmail.net>
	<20090831235136.GA40797@knobbe.us>
Message-ID: <4A9CE0D2.1040308@keamera.org>

Hello Frank,

actually the SITE command is not related to the vulnerability and it is
used in this exploit as a placeholder for the shellcode. This means that
also your signature is exploit specific and variants of this exploit
could no be detected this way.

A more effective way to detect a generic exploit attempt would be to
check for large NLST commands with '*'.


Guido.

Frank Knobbe wrote:
> On Mon, Aug 31, 2009 at 06:48:41PM -0500, evilghost at packetmail.net wrote:
>> Ugh.  Please throw out the first sig I wrote the 'VVVV' after the KSEXY, 
>> this was an error on my part.  Concatenated the content matches, threw 
>> out nocase since the Perl code prints all uppercase "SITE" inclusive of 
>> the KSEXY padding.  I don't imagine this sig will false much, not likely 
>> we'll see "SITE KSEXY" often on FTPd.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - Large SITE Command, milw0rm PoC"; flow:established,to_server; content:"SITE KSEXY"; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:0;)
> 
> Yeah, but I'm not a big fan of exploit specific signatures. It's easy to
> change the KSEXY to KDULL to avoid detection :)
> 
> -Frank
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 


From mike.lococo at nyu.edu  Tue Sep  1 00:39:33 2009
From: mike.lococo at nyu.edu (Mike Lococo)
Date: Tue, 01 Sep 2009 00:39:33 -0400
Subject: [Emerging-Sigs] HTTP Exe Download Sig
In-Reply-To: <4A9C7E0A.4050800@jonkmans.com>
References: <4A9C2A5C.7080201@gmail.com>
	<c94f1fa20908311746o2cf26348l273c00338892090f@mail.gmail.com>
	<4A9C7E0A.4050800@jonkmans.com>
Message-ID: <4A9CA585.5020303@nyu.edu>

> We have a few variations of the idea, it's definitely a good one when
> used where load allows:
> 
> Take a look at:
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_HTTP
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_NoUserAgent
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_in_BMP

Thanks all for the tips on alternate (and better) approaches.  And 
thanks Matt for pointing out similar existing rules.  I have 
historically steered clear of the policy rules, which are 
disproportionately likely to make me stumble on content that makes my 
eyes bleed.  I'll likely replace my local rule with some combination of 
the above options, though.

> Do be careful running these in a high load environment. But I definitely
> agree they're valuable.

Entirely agreed that they can impact a heavily loaded sensor.  If you 
have some headroom, I find it a worthwhile use of resource though.

Thanks,
Mike Lococo

From jonkman at jonkmans.com  Tue Sep  1 08:47:00 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 01 Sep 2009 08:47:00 -0400
Subject: [Emerging-Sigs] some new rules for an old exploit
In-Reply-To: <20090831160517.8zpsfj4su80ogk08@mail.afferentsecurity.com>
References: <20090831160517.8zpsfj4su80ogk08@mail.afferentsecurity.com>
Message-ID: <4A9D17C4.80604@jonkmans.com>

Hey Jack, questions inline:

Jack Pepper wrote:
> Looking at a compromised server found these items:
> 
> alert tcp $HOME_NET any  -> $EXTERNAL_NET any (msg:"Local server has  
> been rooted with zetha web shell"; flow:from_server,established;
>      content:"|3c|title|3e|ZETHA WEB SHELL"; classtype: successful-admin;
>      sid:1082331; rev:1;)

Safe to go http_servers with the source side? Can we limit to web ports,
or is this one injected and used on off ports?

> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Local  
> server compromised downloading injectable rootkit";  
> flow:from_server,established;
>      content:"Loader'z"; content:"Pro-Hack.ru"; nocase;classtype:
>      successful-admin; sid:1082332; rev:1;)
> 

Posting

> The exploit that was used to get in was a php inclusion in Apache  
> appserv from 2006. Ref: http://securityvulns.com/Kdocument914.html  .   
> Logs show repeated ocurrences of the leading double slash
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB  
> Apache Appserv
> Injection Attempt"; flow:established,to_server;
>      uricontent: "//appserv/main.php"; nocase; classtype:attempted-admin;
>      ref:url,securityvulns.com/Kdocument914.html; sid:1082333; rev:1;)
> 

The doubel quotes will be normalized out by the preproc. That's a pretty
slim thing to alert on though. Anything else we can look for here?

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From jonkman at jonkmans.com  Tue Sep  1 08:54:00 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 01 Sep 2009 08:54:00 -0400
Subject: [Emerging-Sigs] some new rules for an old exploit
In-Reply-To: <20090831160517.8zpsfj4su80ogk08@mail.afferentsecurity.com>
References: <20090831160517.8zpsfj4su80ogk08@mail.afferentsecurity.com>
Message-ID: <4A9D1968.5030901@jonkmans.com>


Jack Pepper wrote:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Local  
> server compromised downloading injectable rootkit";  
> flow:from_server,established;
>      content:"Loader'z"; content:"Pro-Hack.ru"; nocase;classtype:
>      successful-admin; sid:1082332; rev:1;)

Actually on this, can we do a depth and within? What's the phrase look like?

Matt

> 
> The exploit that was used to get in was a php inclusion in Apache  
> appserv from 2006. Ref: http://securityvulns.com/Kdocument914.html  .   
> Logs show repeated ocurrences of the leading double slash
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB  
> Apache Appserv
> Injection Attempt"; flow:established,to_server;
>      uricontent: "//appserv/main.php"; nocase; classtype:attempted-admin;
>      ref:url,securityvulns.com/Kdocument914.html; sid:1082333; rev:1;)
> 
> jp
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From evilghost at packetmail.net  Tue Sep  1 08:59:48 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 1 Sep 2009 07:59:48 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4A9CE0D2.1040308@keamera.org>
References: <1251755569.42741.11.camel@localhost>	<4A9C5FF2.9090009@packetmail.net>	<4A9C6159.4050903@packetmail.net>	<20090831235136.GA40797@knobbe.us>
	<4A9CE0D2.1040308@keamera.org>
Message-ID: <4A9D1AC4.40402@packetmail.net>

What is everyones thought on this signature? Looking specifically at the 
milw0rm exploit I see the data passed to NLST as 178 characters long, 
setting the within:100 seems reasonable. Perhaps a |2a 2f| instead of 
just |2a|?

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST"; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:0;)

-evilghost

Guido Landi wrote:
> Hello Frank,
>
> actually the SITE command is not related to the vulnerability and it is
> used in this exploit as a placeholder for the shellcode. This means that
> also your signature is exploit specific and variants of this exploit
> could no be detected this way.
>
> A more effective way to detect a generic exploit attempt would be to
> check for large NLST commands with '*'.
>
>
> Guido.
>
> Frank Knobbe wrote:
>   
>> On Mon, Aug 31, 2009 at 06:48:41PM -0500, evilghost at packetmail.net wrote:
>>     
>>> Ugh.  Please throw out the first sig I wrote the 'VVVV' after the KSEXY, 
>>> this was an error on my part.  Concatenated the content matches, threw 
>>> out nocase since the Perl code prints all uppercase "SITE" inclusive of 
>>> the KSEXY padding.  I don't imagine this sig will false much, not likely 
>>> we'll see "SITE KSEXY" often on FTPd.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - Large SITE Command, milw0rm PoC"; flow:established,to_server; content:"SITE KSEXY"; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:0;)
>>>       
>> Yeah, but I'm not a big fan of exploit specific signatures. It's easy to
>> change the KSEXY to KDULL to avoid detection :)
>>
>> -Frank
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>     
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090901/6ffbb0c1/attachment.html

From eslerj at gmail.com  Tue Sep  1 09:16:30 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 1 Sep 2009 09:16:30 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4A9D1AC4.40402@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <4A9C6159.4050903@packetmail.net>
	<20090831235136.GA40797@knobbe.us> <4A9CE0D2.1040308@keamera.org>
	<4A9D1AC4.40402@packetmail.net>
Message-ID: <314cf0830909010616n92795f1n9f1e299c47b17baa@mail.gmail.com>

Actually, (just off the top of my head, I haven't checked AT ALL) if your
default def_max_param_len in the ftp_telnet preprocessor is still set to
100, won't the ftp_telnet preprocessor catch this by default?  NLST is in
the def_max_param_len for 100.
Check README.ftptelnet.

J

On Tue, Sep 1, 2009 at 8:59 AM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

>  What is everyones thought on this signature?  Looking specifically at the
> milw0rm exploit I see the data passed to NLST as 178 characters long,
> setting the within:100 seems reasonable.  Perhaps a |2a 2f| instead of just
> |2a|?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST"; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:0;)
>
> -evilghost
>
>
> Guido Landi wrote:
>
> Hello Frank,
>
> actually the SITE command is not related to the vulnerability and it is
> used in this exploit as a placeholder for the shellcode. This means that
> also your signature is exploit specific and variants of this exploit
> could no be detected this way.
>
> A more effective way to detect a generic exploit attempt would be to
> check for large NLST commands with '*'.
>
>
> Guido.
>
> Frank Knobbe wrote:
>
>
>  On Mon, Aug 31, 2009 at 06:48:41PM -0500, evilghost at packetmail.net wrote:
>
>
>  Ugh.  Please throw out the first sig I wrote the 'VVVV' after the KSEXY,
> this was an error on my part.  Concatenated the content matches, threw
> out nocase since the Perl code prints all uppercase "SITE" inclusive of
> the KSEXY padding.  I don't imagine this sig will false much, not likely
> we'll see "SITE KSEXY" often on FTPd.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - Large SITE Command, milw0rm PoC"; flow:established,to_server; content:"SITE KSEXY"; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:0;)
>
>
>  Yeah, but I'm not a big fan of exploit specific signatures. It's easy to
> change the KSEXY to KDULL to avoid detection :)
>
> -Frank
>
> _______________________________________________
> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>      _______________________________________________
> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090901/81d6520e/attachment.html

From jonkman at jonkmans.com  Tue Sep  1 09:22:58 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 01 Sep 2009 09:22:58 -0400
Subject: [Emerging-Sigs] 2 more sigs
In-Reply-To: <e75cc74a0908310811l57b8fbfdn3c44d46155df9891@mail.gmail.com>
References: <e75cc74a0908301121l235def53gcdb142ff9760dab1@mail.gmail.com>	<4A9BDF2B.9000603@jonkmans.com>	<e75cc74a0908310803g1a9adb88qa96800b7ae44fa87@mail.gmail.com>
	<e75cc74a0908310811l57b8fbfdn3c44d46155df9891@mail.gmail.com>
Message-ID: <4A9D2032.2060001@jonkmans.com>

Unfortunately I don't think that helps any. :) Just higher load now.

I think we'll have to pass on this concept for now...

Kevin Ross wrote:
>>> Forgot to send this to the emerging-sigs list also for comment :)
>  
> 
>     What about this then?
> 
>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB
>     Cross Site Scripting Attempt in Cookie (<script> Tags Detected)";
>     flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase;
>     content:"<script>"; nocase; content:"/script>"; distance:0; nocase;
>     pcre:"/\x0a\x0dCookie\x3a[^\n]<script>.+/script>/i";
>     classtype:web-application-attack;
>     reference:url,ha.ckers.org/xss.html <http://ha.ckers.org/xss.html>;
>     reference:url,www.cgisecurity.com/xss-faq.html
>     <http://www.cgisecurity.com/xss-faq.html>; sid:19000006; rev:1;)
> 
>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB
>     Cross Site Scripting Attempt in User-Agent (<script> Tags
>     Detected)"; flow:to_server,established; content:"|0d
>     0a|User-Agent|3a|"; nocase; content:"<script>"; nocase;
>     content:"/script>"; distance:0; nocase;
>     pcre:"/\x0a\x0dUser-Agent\x3a[^\n]<script>.+/script>/i";
>     classtype:web-application-attack;
>     reference:url,ha.ckers.org/xss.html <http://ha.ckers.org/xss.html>;
>     reference:url,www.cgisecurity.com/xss-faq.html
>     <http://www.cgisecurity.com/xss-faq.html>; sid:19000007; rev:1;)
> 
>     2009/8/31 Matt Jonkman <jonkman at jonkmans.com
>     <mailto:jonkman at jonkmans.com>>
> 
>         Hey Kevin. These are interesting, but I'm concerned with false
>         positives. And false negatives I suppose, since an sql injection
>         string
>         could easily be over 100 bytes, or padded to be over 100.
> 
>         If we added a pcre that may help, or a content match for !"|0d
>         0a|! in
>         between the cookie and script tags.
> 
>         Anyone else have more elegant ideas than that?
> 
>         Matt
> 
>         Kevin Ross wrote:
>         > Hey. 2 more sigs for XSS in cookies and in a useragent.
>         Hopefully these
>         > will help someone (or me :) ) Kev
>         >
>         > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>         (msg:"WEB Cross
>         > Site Scripting Attempt in Cookie (<script> Tags Detected)";
>         > flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase;
>         > content:"<script>"; within:100; nocase; content:"/script>";
>         distance:0;
>         > nocase; classtype:web-application-attack;
>         > reference:url,ha.ckers.org/xss.html
>         <http://ha.ckers.org/xss.html> <http://ha.ckers.org/xss.html>;
>         > reference:url,www.cgisecurity.com/xss-faq.html
>         <http://www.cgisecurity.com/xss-faq.html>
>         > <http://www.cgisecurity.com/xss-faq.html>; sid:19000006; rev:1;)
>         >
>         > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>         (msg:"WEB Cross
>         > Site Scripting Attempt in User-Agent (<script> Tags Detected)";
>         > flow:to_server,established; content:"|0d 0a|User-Agent|3a|";
>         nocase;
>         > content:"<script>"; within:100; nocase; content:"/script>";
>         distance:0;
>         > nocase; classtype:web-application-attack;
>         > reference:url,ha.ckers.org/xss.html
>         <http://ha.ckers.org/xss.html> <http://ha.ckers.org/xss.html>;
>         > reference:url,www.cgisecurity.com/xss-faq.html
>         <http://www.cgisecurity.com/xss-faq.html>
>         > <http://www.cgisecurity.com/xss-faq.html>; sid:19000007; rev:1;)
>         >
>         >
>         >
>         >
>         ------------------------------------------------------------------------
>         >
>         > _______________________________________________
>         > Emerging-sigs mailing list
>         > Emerging-sigs at emergingthreats.net
>         <mailto:Emerging-sigs at emergingthreats.net>
>         > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
>         --
>         --------------------------------------------
>         Matthew Jonkman
>         Emerging Threats
>         Open Information Security Foundation (OISF)
>         Phone 765-429-0398
>         Fax 312-264-0205
>         http://www.emergingthreats.net
>         http://www.openinformationsecurityfoundation.org
>         --------------------------------------------
> 
>         PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From jonkman at jonkmans.com  Tue Sep  1 09:28:56 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 01 Sep 2009 09:28:56 -0400
Subject: [Emerging-Sigs] Signature Contest Winner!!
Message-ID: <4A9D2198.2090504@jonkmans.com>

We are ending the August signature contest. With all the sigs in the
leader board looks like this:

Jeremy Conway	27
Kevin Ross	22
Darren Spruell	4
dxp		3
Eoin Miller	2
Russell Fulton	1
Frank Knobbe	1
Christopher C	1
William Salusky	1
Bojan Zdrnja	1
Evilghost	1
David Wharton	1


Jeremy and Kevin fought it out all month but Jeremy ended up ahead, but
not by a huge margin. Well done everyone involved.

We'll get a shirt out to you Jeremy. The new contest starts now!!! Let
the signatures flow!

Matt


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From frank at knobbe.us  Tue Sep  1 09:37:23 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 1 Sep 2009 08:37:23 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4A9CE0D2.1040308@keamera.org>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <4A9C6159.4050903@packetmail.net>
	<20090831235136.GA40797@knobbe.us> <4A9CE0D2.1040308@keamera.org>
Message-ID: <20090901133723.GA58047@knobbe.us>

On Tue, Sep 01, 2009 at 10:52:34AM +0200, Guido Landi wrote:
> actually the SITE command is not related to the vulnerability and it is
> used in this exploit as a placeholder for the shellcode. This means that
> also your signature is exploit specific and variants of this exploit
> could no be detected this way.

Right, though I'd like to think of it as "technique" specific. I'm sure if
there was a way to shovel the shellcode with NLST, it would have been done.

> A more effective way to detect a generic exploit attempt would be to
> check for large NLST commands with '*'.

Except that the NLST command is much smaller. As I said before, I think
looking for invalid characters in any PUT, MKDIR or NLST command is probably
more specific to the vulnerability.

And yes, there are better sigs that can be written. I'm sure we'll get more
suggestions today. I was just trying to get something out quickly yesterday
and opted for a large SITE command, which will be useful in the future as
well.

Regards,
Frank


From pepperjack at afferentsecurity.com  Tue Sep  1 10:19:58 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 01 Sep 2009 09:19:58 -0500
Subject: [Emerging-Sigs] some new rules for an old exploit
In-Reply-To: <4A9D17C4.80604@jonkmans.com>
References: <20090831160517.8zpsfj4su80ogk08@mail.afferentsecurity.com>
	<4A9D17C4.80604@jonkmans.com>
Message-ID: <20090901091958.tqipvjj9o80k848c@mail.afferentsecurity.com>

Replies inline:

Quoting Matt Jonkman <jonkman at jonkmans.com>:

> Jack Pepper wrote:
>> Looking at a compromised server found these items:
>>
>> alert tcp $HOME_NET any  -> $EXTERNAL_NET any (msg:"Local server has
>> been rooted with zetha web shell"; flow:from_server,established;
>>      content:"|3c|title|3e|ZETHA WEB SHELL"; classtype: successful-admin;
>>      sid:1082331; rev:1;)
>
> Safe to go http_servers with the source side? Can we limit to web ports,
> or is this one injected and used on off ports?

The rootkit can listen on any port, but perhaps HTTP_PORTS would be a  
good thing.  A properly configured firewall (HA!) would make the  
webshell unavailable to outsiders except on translated ports.

In this case, it was a web server that was compromised, so  
HTTP_SERVERS makes sense.

>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Local
>> server compromised downloading injectable rootkit";
>> flow:from_server,established;
>>      content:"Loader'z"; content:"Pro-Hack.ru"; nocase;classtype:
>>      successful-admin; sid:1082332; rev:1;)
>>
> Actually on this, can we do a depth and within? What's the phrase look like?

This is kind of clever:  a php injection that downloads a php file  
that loads a perl script.  The first part of the download looks like  
this:

<?
error_reporting(0);
/* Loader'z WEB Shell v 0.1 {14 ????? 2005}
??? ?????? ?????? ???????. ??? ????? ?? ???????????? ???????.
- ?????? ? ???????? ???????? ? ???????? PHP. ? ??????? ???????  
???????????? ?????????? ??????? ????.
- ???????? ? ?????????????? ???????.
- ??????? ?????? ? ??????? ???????? ? ??????? HTTP.
- ??????? ?????? ? ?????? ????????? ?????.
- ?????????? ???????????? ?????? ??? ???????.
- ?????? ?????? ???????? ?????????? ??????????. ???????? ?? ???????  
??????? ?? ???? ???, ???? ??, ?? ?????
? ??????? ?????????? ???????,
??? ????????, ? ??? ?? ????, ??? ?? ?????? ????????? ???????.
- ?????? ??????? ???????? ?? ???????????? ???? ???????.
- ???? ?????? ???????? ??? ??????????? ?? Windows, ?????? ??????????  
??? ?????????? ?????? ??????????????
? win-1251.
- ???????????? ??????????? ??????  ????-????. ?? ?????? ???????  
???????? ????????? ? ???? ?? ??????? ?????
???? ??????.
Loader Pro-Hack.ru
*/
?>


>
>> The exploit that was used to get in was a php inclusion in Apache
>> appserv from 2006. Ref: http://securityvulns.com/Kdocument914.html  .
>> Logs show repeated ocurrences of the leading double slash
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB
>> Apache Appserv
>> Injection Attempt"; flow:established,to_server;
>>      uricontent: "//appserv/main.php"; nocase; classtype:attempted-admin;
>>      ref:url,securityvulns.com/Kdocument914.html; sid:1082333; rev:1;)
>>
>
> The double quotes will be normalized out by the preproc. That's a pretty
> slim thing to alert on though. Anything else we can look for here?

yeah, this is pretty weak.  The exploit keys off of the  
appserv/main.php.  Lots of file inclusion opportunities here.   
Exploits targeting this will also get picked up by the more generic  
file inclusion of sid 2002997 .

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


From paul.halliday at gmail.com  Tue Sep  1 10:39:17 2009
From: paul.halliday at gmail.com (Paul Halliday)
Date: Tue, 1 Sep 2009 11:39:17 -0300
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <314cf0830909010616n92795f1n9f1e299c47b17baa@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <4A9C6159.4050903@packetmail.net>
	<20090831235136.GA40797@knobbe.us> <4A9CE0D2.1040308@keamera.org>
	<4A9D1AC4.40402@packetmail.net>
	<314cf0830909010616n92795f1n9f1e299c47b17baa@mail.gmail.com>
Message-ID: <2dab70a30909010739g60801792h541a97e970a0cdcf@mail.gmail.com>

"ftp_pp: FTP parameter length overflow" is firing for me when I try
the milw0rm exploit.

On Tue, Sep 1, 2009 at 10:16 AM, Joel Esler<eslerj at gmail.com> wrote:
> Actually, (just off the top of my head, I haven't checked AT ALL) if your
> default?def_max_param_len in the ftp_telnet preprocessor is still set to
> 100, won't the ftp_telnet preprocessor catch this by default? ?NLST is in
> the?def_max_param_len for 100.
> Check README.ftptelnet.
> J

From eslerj at gmail.com  Tue Sep  1 11:23:40 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 1 Sep 2009 11:23:40 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <2dab70a30909010739g60801792h541a97e970a0cdcf@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <4A9C6159.4050903@packetmail.net>
	<20090831235136.GA40797@knobbe.us> <4A9CE0D2.1040308@keamera.org>
	<4A9D1AC4.40402@packetmail.net>
	<314cf0830909010616n92795f1n9f1e299c47b17baa@mail.gmail.com>
	<2dab70a30909010739g60801792h541a97e970a0cdcf@mail.gmail.com>
Message-ID: <314cf0830909010823r73c1e47ybe7f16244ce0e1db@mail.gmail.com>

http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability.html
J

On Tue, Sep 1, 2009 at 10:39 AM, Paul Halliday <paul.halliday at gmail.com>wrote:

> "ftp_pp: FTP parameter length overflow" is firing for me when I try
> the milw0rm exploit.
>
> On Tue, Sep 1, 2009 at 10:16 AM, Joel Esler<eslerj at gmail.com> wrote:
> > Actually, (just off the top of my head, I haven't checked AT ALL) if your
> > default def_max_param_len in the ftp_telnet preprocessor is still set to
> > 100, won't the ftp_telnet preprocessor catch this by default?  NLST is in
> > the def_max_param_len for 100.
> > Check README.ftptelnet.
> > J
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090901/49aac92b/attachment.html

From wkitty42 at windstream.net  Tue Sep  1 13:35:44 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 01 Sep 2009 13:35:44 -0400
Subject: [Emerging-Sigs] some new rules for an old exploit
In-Reply-To: <4A9D17C4.80604@jonkmans.com>
References: <20090831160517.8zpsfj4su80ogk08@mail.afferentsecurity.com>
	<4A9D17C4.80604@jonkmans.com>
Message-ID: <4A9D5B70.2080408@windstream.net>

Matt Jonkman wrote:
> Hey Jack, questions inline:
> 
> Jack Pepper wrote:
>> Looking at a compromised server found these items:
>>
>> alert tcp $HOME_NET any  -> $EXTERNAL_NET any (msg:"Local server has  
>> been rooted with zetha web shell"; flow:from_server,established;
>>      content:"|3c|title|3e|ZETHA WEB SHELL"; classtype: successful-admin;
>>      sid:1082331; rev:1;)
> 
> Safe to go http_servers with the source side? Can we limit to web ports,
> or is this one injected and used on off ports?
> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Local  
>> server compromised downloading injectable rootkit";  
>> flow:from_server,established;
>>      content:"Loader'z"; content:"Pro-Hack.ru"; nocase;classtype:
>>      successful-admin; sid:1082332; rev:1;)
>>
> 
> Posting
> 
>> The exploit that was used to get in was a php inclusion in Apache  
>> appserv from 2006. Ref: http://securityvulns.com/Kdocument914.html  .   
>> Logs show repeated ocurrences of the leading double slash
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB  
>> Apache Appserv
>> Injection Attempt"; flow:established,to_server;
>>      uricontent: "//appserv/main.php"; nocase; classtype:attempted-admin;
>>      ref:url,securityvulns.com/Kdocument914.html; sid:1082333; rev:1;)
>>
> 
> The doubel quotes will be normalized out by the preproc. That's a pretty
> slim thing to alert on though. Anything else we can look for here?

double quotes or double slashes?

hummm... if double slashes, maybe that's why i'm not seeing them like i used to 
see them... i'll have to check my preproc settings :?


From jonkman at jonkmans.com  Tue Sep  1 13:38:26 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 01 Sep 2009 13:38:26 -0400
Subject: [Emerging-Sigs] some new rules for an old exploit
In-Reply-To: <4A9D5B70.2080408@windstream.net>
References: <20090831160517.8zpsfj4su80ogk08@mail.afferentsecurity.com>	<4A9D17C4.80604@jonkmans.com>
	<4A9D5B70.2080408@windstream.net>
Message-ID: <4A9D5C12.80003@jonkmans.com>

Yes, sorry, I meant double slashes. Those wil be normalized to a single
slash.

I don't think you can disable that in the http preproc, that's kinda the
point of the preproc. :)

But you can match it directly with a content match vs uricontent. Maybe
just use uricontent to prequalify that the string you're after is there,
then look for it with a content match and the double slashes.

Matt

waldo kitty wrote:
> Matt Jonkman wrote:
>> Hey Jack, questions inline:
>>
>> Jack Pepper wrote:
>>> Looking at a compromised server found these items:
>>>
>>> alert tcp $HOME_NET any  -> $EXTERNAL_NET any (msg:"Local server has  
>>> been rooted with zetha web shell"; flow:from_server,established;
>>>      content:"|3c|title|3e|ZETHA WEB SHELL"; classtype: successful-admin;
>>>      sid:1082331; rev:1;)
>> Safe to go http_servers with the source side? Can we limit to web ports,
>> or is this one injected and used on off ports?
>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Local  
>>> server compromised downloading injectable rootkit";  
>>> flow:from_server,established;
>>>      content:"Loader'z"; content:"Pro-Hack.ru"; nocase;classtype:
>>>      successful-admin; sid:1082332; rev:1;)
>>>
>> Posting
>>
>>> The exploit that was used to get in was a php inclusion in Apache  
>>> appserv from 2006. Ref: http://securityvulns.com/Kdocument914.html  .   
>>> Logs show repeated ocurrences of the leading double slash
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB  
>>> Apache Appserv
>>> Injection Attempt"; flow:established,to_server;
>>>      uricontent: "//appserv/main.php"; nocase; classtype:attempted-admin;
>>>      ref:url,securityvulns.com/Kdocument914.html; sid:1082333; rev:1;)
>>>
>> The doubel quotes will be normalized out by the preproc. That's a pretty
>> slim thing to alert on though. Anything else we can look for here?
> 
> double quotes or double slashes?
> 
> hummm... if double slashes, maybe that's why i'm not seeing them like i used to 
> see them... i'll have to check my preproc settings :?
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From jonkman at jonkmans.com  Tue Sep  1 15:42:22 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 01 Sep 2009 15:42:22 -0400
Subject: [Emerging-Sigs] NETBIOS DCERPC rpcmgmt ifids Unauthenticated
 BIND
In-Reply-To: <MTAwMDA0My5ic2Nobnps.1251776214@quikprotect>
References: <e75cc74a0908281510w29c39a87k69a37e816076bbcf@mail.gmail.com>,
	<4A9C0124.1050600@jonkmans.com>
	<MTAwMDA0My5ic2Nobnps.1251776214@quikprotect>
Message-ID: <4A9D791E.7070304@jonkmans.com>

Definitely looks like it's worth a try to me. Posting now, thanks Bill!

Matt

Bill Scherr IV wrote:
> Folks...
> 
>    I have the following from BASE:
> 
> Msg: 		NETBIOS DCERPC rpcmgmt ifids Unauthenticated BIND 	 
> Class:		attempted-recon 	 
> Total#:	157 	 
> Sensor#	4 	 
> Srcs:		6 	 
> Targets:	1 	 
> First:		2009-08-04 19:31:48 	 
> Last:		2009-08-31 10:14:06
> 
>    I have classed it as "attempted-recon" to go light.  I have not put up a fully operational listener to see what else these guys 
> are doing.  They hit 1024 ports from 1024-2048 pretty reliably across events.  I am limiting the number of connections, which 
> is why the hit count is so low.  That is as close to the definition of malicious as I have seen.  Here is the sig that is firing:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"NETBIOS DCERPC rpcmgmt ifids 
> Unauthenticated BIND"; flow:established,to_server; content:"|05|"; content:"|80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 
> 89|"; distance:31; reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; 
> reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; 
> reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html;classtype:attempted-recon; sid:xxxxxxx; rev:5;)
> 
> thoughts?
> 
> 
> Bill Scherr IV, GSEC, GCIA
> Principal Security Engineer
> EWA Information and Infrastructure Technologies
> bscherr at iit-tek.com
> bscherr at ewa.com
> 703-478-7608
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From emerging at emergingthreats.net  Tue Sep  1 16:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue,  1 Sep 2009 16:00:13 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090901200013.D787C4501B@goliath.jonkmans.com>


[***] Results from Oinkmaster started Tue Sep  1 16:00:13 2009 [***]

[+++]          Added rules:          [+++]

 2009815 - ET WEB Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI (emerging-web.rules)
 2009816 - ET WEB Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI (emerging-web.rules)
 2009817 - ET WEB Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User (emerging-web.rules)
 2009818 - ET WEB Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry (emerging-web.rules)
 2009819 - ET WEB Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk (emerging-web.rules)
 2009820 - ET WEB Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs (emerging-web.rules)
 2009822 - ET WEB Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs (emerging-web.rules)
 2009823 - ET WEB Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI to View Database Source Name (emerging-web.rules)
 2009824 - ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet (emerging-virus.rules)
 2009825 - ET TROJAN Win32.VB.tdq - Fake User-Agent (emerging-virus.rules)
 2009826 - ET TROJAN Generic Backdoor Retrieve Instructions/Configs - HTTP GET (emerging-virus.rules)
 2009827 - ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis (emerging-scan.rules)
 2009828 - ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command (emerging-exploit.rules)
 2009829 - ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET (emerging-virus.rules)
 2009830 - ET TROJAN Unknown Web Bot checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST (emerging-virus.rules)


[///]     Modified active rules:     [///]

 2007829 - ET TROJAN Illusion Bot (Lussilon) Checkin (emerging-virus.rules)
 2009781 - ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET (emerging-malware.rules)
 2009782 - ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET (emerging-malware.rules)
 2009783 - ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET (emerging-malware.rules)
 2009784 - ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET (emerging-malware.rules)
 2009785 - ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET (emerging-malware.rules)
 2009786 - ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal (emerging-web_sql_injection.rules)
 2009787 - ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009788 - ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009789 - ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion (emerging-web_sql_injection.rules)
 2009790 - ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion (emerging-web_sql_injection.rules)
 2009791 - ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009792 - ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow (emerging-web.rules)
 2009793 - ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009794 - ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009795 - ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009796 - ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) (emerging-malware.rules)
 2009797 - ET TROJAN Bifrose Response from victim (emerging-virus.rules)
 2009798 - ET POLICY Carbonite Online Backup SSL Handshake (emerging-policy.rules)
 2009800 - ET POLICY Carbonite.com Backup Software Leaking MAC Address (emerging-policy.rules)
 2009801 - ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer) (emerging-policy.rules)
 2009802 - ET TROJAN KillAV Downloader - GET (emerging-virus.rules)
 2009803 - ET TROJAN Downloader Generic - GET (emerging-virus.rules)
 2009804 - ET TROJAN Screenblaze SCR Related Backdoor - GET (emerging-virus.rules)
 2009805 - ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET (emerging-virus.rules)
 2009806 - ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet (emerging-virus.rules)
 2009807 - ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET (emerging-malware.rules)
 2009808 - ET TROJAN Win32.Virut - GET (emerging-virus.rules)
 2009809 - ET TROJAN Generic/Unknown Downloader Config to client (emerging-virus.rules)
 2009810 - ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)) (emerging-virus.rules)
 2009811 - ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET (emerging-virus.rules)
 2009812 - ET TROJAN AVKiller with Backdoor checkin - HTTP POST (emerging-virus.rules)
 2009813 - ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST (emerging-virus.rules)
 2009814 - ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-exploit.rules (1):
        # By Frank Knobbe

     -> Added to emerging-sid-msg.map (49):
        2007829 || ET TROJAN Illusion Bot (Lussilon) Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Illusion_Bot || url,doc.emergingthreats.net/2007829
        2009781 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009781
        2009782 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009782
        2009783 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009783 || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,vil.nai.com/vil/content/v_151034.htm
        2009784 || ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009784
        2009785 || ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009785 || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,www.siteadvisor.com/sites/update.qvod.com
        2009786 || ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Bitweaver || url,doc.emergingthreats.net/2009786 || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/
        2009787 || ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Community_CMS || url,doc.emergingthreats.net/2009787 || url,milw0rm.com/exploits/8323 || bugtraq,34303
        2009788 || ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_RSS_Aggregator || url,doc.emergingthreats.net/2009788 || url,milw0rm.com/exploits/5900 || bugtraq,29873
        2009789 || ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_TinybutStrong || url,doc.emergingthreats.net/2009789 || url,vupen.com/english/advisories/2009/1304 || url,milw0rm.com/exploits/8667
        2009790 || ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_beLive || url,doc.emergingthreats.net/2009790 || url,secunia.com/advisories/35059/ || bugtraq,34968 || url,milw0rm.com/exploits/8680
        2009791 || ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_GS_RealEstate || url,doc.emergingthreats.net/2009791 || url,milw0rm.com/exploits/7117 || url,xforce.iss.net/xforce/xfdb/46638 || url,juniper.net/security/auto/vulnerabilities/vuln32307.html
        2009792 || ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Avax || url,doc.emergingthreats.net/2009792 || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || bugtraq,35582 || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt
        2009793 || ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Crawler || url,doc.emergingthreats.net/2009793 || url,milw0rm.com/exploits/6475 || bugtraq,31217
        2009794 || ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vidshare || url,doc.emergingthreats.net/2009794 || bugtraq,35033 || url,milw0rm.com/exploits/8737
        2009795 || ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Dog_Pedigree || url,doc.emergingthreats.net/2009795 || url,milw0rm.com/exploits/8738 || bugtraq,35032
        2009796 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009796
        2009797 || ET TROJAN Bifrose Response from victim || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose || url,doc.emergingthreats.net/2009797
        2009798 || ET POLICY Carbonite Online Backup SSL Handshake || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009798
        2009800 || ET POLICY Carbonite.com Backup Software Leaking MAC Address || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009800
        2009801 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009801
        2009802 || ET TROJAN KillAV Downloader - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_KillAV || url,doc.emergingthreats.net/2009802 || url,www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html || url,www.im-infected.com/trojan/trojanwin32killav-dk.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.DK&ThreatID=142699
        2009803 || ET TROJAN Downloader Generic - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009803
        2009804 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_ScreenBlaze || url,doc.emergingthreats.net/2009804 || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,vil.nai.com/vil/content/v_156782.htm
        2009805 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Luder || url,doc.emergingthreats.net/2009805 || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none
        2009806 || ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PoisonIvy || url,doc.emergingthreats.net/2009806 || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597
        2009807 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search || url,doc.emergingthreats.net/2009807 || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,vil.nai.com/vil/content/v_103738.htm
        2009808 || ET TROJAN Win32.Virut - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virut || url,doc.emergingthreats.net/2009808 || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,free.avg.com/66558 || url,www.avast.com/eng/win32-virut.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut
        2009809 || ET TROJAN Generic/Unknown Downloader Config to client || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2009809
        2009810 || ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2009810 || url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter
        2009811 || ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington || url,doc.emergingthreats.net/2009811
        2009812 || ET TROJAN AVKiller with Backdoor checkin - HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller || url,doc.emergingthreats.net/2009812
        2009813 || ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_MyDNS || url,doc.emergingthreats.net/2009813
        2009814 || ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Doneltart || url,doc.emergingthreats.net/2009814
        2009815 || ET WEB Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009815 || url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm || url,msdn.microsoft.com/en-us/library/ms175046.aspx
        2009816 || ET WEB Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009816 || url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/
        2009817 || ET WEB Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009817 || url,technet.microsoft.com/en-us/library/ms181422.aspx
        2009818 || ET WEB Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009818 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009819 || ET WEB Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009819 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.dugger-it.com/articles/xp_fileexist.asp || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009820 || ET WEB Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009820 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009822 || ET WEB Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009822 || url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx
        2009823 || ET WEB Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI to View Database Source Name || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009823 || url,www.en.wikipedia.org/wiki/Database_Source_Name || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx
        2009824 || ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf || url,doc.emergingthreats.net/2009824 || url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html
        2009825 || ET TROJAN Win32.VB.tdq - Fake User-Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.VB || url,doc.emergingthreats.net/2009825 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654 || url,vil.nai.com/vil/content/v_187654.htm
        2009826 || ET TROJAN Generic Backdoor Retrieve Instructions/Configs - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware || url,doc.emergingthreats.net/2009826
        2009827 || ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Pavuk || url,doc.emergingthreats.net/2009827 || url,pavuk.sourceforge.net/about.html
        2009828 || ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP || url,doc.emergingthreats.net/2009828 || url,www.milw0rm.com/exploits/9541
        2009829 || ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET || url,www.threatexpert.com/threats/w32-virut-i.html || url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486
        2009830 || ET TROJAN Unknown Web Bot checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST

     -> Added to emerging-sid-msg.map.txt (49):
        2007829 || ET TROJAN Illusion Bot (Lussilon) Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Illusion_Bot || url,doc.emergingthreats.net/2007829
        2009781 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009781
        2009782 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009782
        2009783 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009783 || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,vil.nai.com/vil/content/v_151034.htm
        2009784 || ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009784
        2009785 || ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009785 || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,www.siteadvisor.com/sites/update.qvod.com
        2009786 || ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Bitweaver || url,doc.emergingthreats.net/2009786 || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/
        2009787 || ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Community_CMS || url,doc.emergingthreats.net/2009787 || url,milw0rm.com/exploits/8323 || bugtraq,34303
        2009788 || ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_RSS_Aggregator || url,doc.emergingthreats.net/2009788 || url,milw0rm.com/exploits/5900 || bugtraq,29873
        2009789 || ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_TinybutStrong || url,doc.emergingthreats.net/2009789 || url,vupen.com/english/advisories/2009/1304 || url,milw0rm.com/exploits/8667
        2009790 || ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_beLive || url,doc.emergingthreats.net/2009790 || url,secunia.com/advisories/35059/ || bugtraq,34968 || url,milw0rm.com/exploits/8680
        2009791 || ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_GS_RealEstate || url,doc.emergingthreats.net/2009791 || url,milw0rm.com/exploits/7117 || url,xforce.iss.net/xforce/xfdb/46638 || url,juniper.net/security/auto/vulnerabilities/vuln32307.html
        2009792 || ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Avax || url,doc.emergingthreats.net/2009792 || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || bugtraq,35582 || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt
        2009793 || ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Crawler || url,doc.emergingthreats.net/2009793 || url,milw0rm.com/exploits/6475 || bugtraq,31217
        2009794 || ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vidshare || url,doc.emergingthreats.net/2009794 || bugtraq,35033 || url,milw0rm.com/exploits/8737
        2009795 || ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Dog_Pedigree || url,doc.emergingthreats.net/2009795 || url,milw0rm.com/exploits/8738 || bugtraq,35032
        2009796 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009796
        2009797 || ET TROJAN Bifrose Response from victim || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose || url,doc.emergingthreats.net/2009797
        2009798 || ET POLICY Carbonite Online Backup SSL Handshake || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009798
        2009800 || ET POLICY Carbonite.com Backup Software Leaking MAC Address || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009800
        2009801 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009801
        2009802 || ET TROJAN KillAV Downloader - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_KillAV || url,doc.emergingthreats.net/2009802 || url,www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html || url,www.im-infected.com/trojan/trojanwin32killav-dk.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.DK&ThreatID=142699
        2009803 || ET TROJAN Downloader Generic - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009803
        2009804 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_ScreenBlaze || url,doc.emergingthreats.net/2009804 || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,vil.nai.com/vil/content/v_156782.htm
        2009805 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Luder || url,doc.emergingthreats.net/2009805 || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none
        2009806 || ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PoisonIvy || url,doc.emergingthreats.net/2009806 || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597
        2009807 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search || url,doc.emergingthreats.net/2009807 || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,vil.nai.com/vil/content/v_103738.htm
        2009808 || ET TROJAN Win32.Virut - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virut || url,doc.emergingthreats.net/2009808 || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,free.avg.com/66558 || url,www.avast.com/eng/win32-virut.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut
        2009809 || ET TROJAN Generic/Unknown Downloader Config to client || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2009809
        2009810 || ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2009810 || url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter
        2009811 || ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington || url,doc.emergingthreats.net/2009811
        2009812 || ET TROJAN AVKiller with Backdoor checkin - HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller || url,doc.emergingthreats.net/2009812
        2009813 || ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_MyDNS || url,doc.emergingthreats.net/2009813
        2009814 || ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Doneltart || url,doc.emergingthreats.net/2009814
        2009815 || ET WEB Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009815 || url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm || url,msdn.microsoft.com/en-us/library/ms175046.aspx
        2009816 || ET WEB Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009816 || url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/
        2009817 || ET WEB Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009817 || url,technet.microsoft.com/en-us/library/ms181422.aspx
        2009818 || ET WEB Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009818 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009819 || ET WEB Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009819 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.dugger-it.com/articles/xp_fileexist.asp || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009820 || ET WEB Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009820 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009822 || ET WEB Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009822 || url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx
        2009823 || ET WEB Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI to View Database Source Name || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009823 || url,www.en.wikipedia.org/wiki/Database_Source_Name || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx
        2009824 || ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf || url,doc.emergingthreats.net/2009824 || url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html
        2009825 || ET TROJAN Win32.VB.tdq - Fake User-Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.VB || url,doc.emergingthreats.net/2009825 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654 || url,vil.nai.com/vil/content/v_187654.htm
        2009826 || ET TROJAN Generic Backdoor Retrieve Instructions/Configs - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware || url,doc.emergingthreats.net/2009826
        2009827 || ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Pavuk || url,doc.emergingthreats.net/2009827 || url,pavuk.sourceforge.net/about.html
        2009828 || ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP || url,doc.emergingthreats.net/2009828 || url,www.milw0rm.com/exploits/9541
        2009829 || ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET || url,www.threatexpert.com/threats/w32-virut-i.html || url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486
        2009830 || ET TROJAN Unknown Web Bot checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST

     -> Added to emerging-virus.rules (5):
        #ref: d253db84a6d08dbeec6426c4c4d212a6
        # ref: 3ef704eaa54118d277d52a1fe9bbcaa4
        # ref: 2763eedda0b2dc446adb1f84f9f35fc1
        # ref: 452b0c4cefeb0339d69582174954210e
        # ref: 2e79af552fa6d3bd2cb654cc0f15cd76

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (54):
        2007829 || ET TROJAN Illusion Bot (Lussilon) Checkin
        2009781 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET
        2009782 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET
        2009783 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,vil.nai.com/vil/content/v_151034.htm
        2009784 || ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET
        2009785 || ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,www.siteadvisor.com/sites/update.qvod.com
        2009786 || ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/
        2009787 || ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection || url,milw0rm.com/exploits/8323 || bugtraq,34303
        2009788 || ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5900 || bugtraq,29873
        2009789 || ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,vupen.com/english/advisories/2009/1304 || url,milw0rm.com/exploits/8667
        2009790 || ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion || url,secunia.com/advisories/35059/ || bugtraq,34968 || url,milw0rm.com/exploits/8680
        2009791 || ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,milw0rm.com/exploits/7117 || url,xforce.iss.net/xforce/xfdb/46638 || url,juniper.net/security/auto/vulnerabilities/vuln32307.html
        2009792 || ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || bugtraq,35582 || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt
        2009793 || ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion || url,milw0rm.com/exploits/6475 || bugtraq,31217
        2009794 || ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection || bugtraq,35033 || url,milw0rm.com/exploits/8737
        2009795 || ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || url,milw0rm.com/exploits/8738 || bugtraq,35032
        2009796 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)
        2009797 || ET TROJAN Bifrose Response from victim
        2009798 || ET POLICY Carbonite Online Backup SSL Handshake
        2009800 || ET POLICY Carbonite.com Backup Software Leaking MAC Address
        2009801 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)
        2009802 || ET TROJAN KillAV Downloader - GET || url,www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html || url,www.im-infected.com/trojan/trojanwin32killav-dk.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.DK&ThreatID=142699
        2009803 || ET TROJAN Downloader Generic - GET
        2009804 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,vil.nai.com/vil/content/v_156782.htm
        2009805 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none
        2009806 || ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597
        2009807 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,vil.nai.com/vil/content/v_103738.htm
        2009808 || ET TROJAN Win32.Virut - GET || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,free.avg.com/66558 || url,www.avast.com/eng/win32-virut.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut
        2009809 || ET TROJAN Generic/Unknown Downloader Config to client
        2009810 || ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)) || url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter
        2009811 || ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET
        2009812 || ET TROJAN AVKiller with Backdoor checkin - HTTP POST
        2009813 || ET TROJAN Trojan.MyDNS  DNSChanger - HTTP POST
        2009814 || ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET
        2500348 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (175) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500349 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (175) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500350 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (176) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500351 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (176) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500352 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (177) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500353 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (177) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500354 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (178) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500355 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (178) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500356 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (179) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500357 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (179) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510348 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (175) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510349 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (175) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510350 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (176) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510351 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (176) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510352 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (177) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510353 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (177) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510354 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (178) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510355 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (178) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510356 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (179) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510357 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (179) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (54):
        2007829 || ET TROJAN Illusion Bot (Lussilon) Checkin
        2009781 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET
        2009782 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET
        2009783 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,vil.nai.com/vil/content/v_151034.htm
        2009784 || ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET
        2009785 || ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,www.siteadvisor.com/sites/update.qvod.com
        2009786 || ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/
        2009787 || ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection || url,milw0rm.com/exploits/8323 || bugtraq,34303
        2009788 || ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5900 || bugtraq,29873
        2009789 || ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,vupen.com/english/advisories/2009/1304 || url,milw0rm.com/exploits/8667
        2009790 || ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion || url,secunia.com/advisories/35059/ || bugtraq,34968 || url,milw0rm.com/exploits/8680
        2009791 || ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,milw0rm.com/exploits/7117 || url,xforce.iss.net/xforce/xfdb/46638 || url,juniper.net/security/auto/vulnerabilities/vuln32307.html
        2009792 || ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || bugtraq,35582 || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt
        2009793 || ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion || url,milw0rm.com/exploits/6475 || bugtraq,31217
        2009794 || ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection || bugtraq,35033 || url,milw0rm.com/exploits/8737
        2009795 || ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || url,milw0rm.com/exploits/8738 || bugtraq,35032
        2009796 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)
        2009797 || ET TROJAN Bifrose Response from victim
        2009798 || ET POLICY Carbonite Online Backup SSL Handshake
        2009800 || ET POLICY Carbonite.com Backup Software Leaking MAC Address
        2009801 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)
        2009802 || ET TROJAN KillAV Downloader - GET || url,www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html || url,www.im-infected.com/trojan/trojanwin32killav-dk.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.DK&ThreatID=142699
        2009803 || ET TROJAN Downloader Generic - GET
        2009804 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,vil.nai.com/vil/content/v_156782.htm
        2009805 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none
        2009806 || ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597
        2009807 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,vil.nai.com/vil/content/v_103738.htm
        2009808 || ET TROJAN Win32.Virut - GET || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,free.avg.com/66558 || url,www.avast.com/eng/win32-virut.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut
        2009809 || ET TROJAN Generic/Unknown Downloader Config to client
        2009810 || ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)) || url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter
        2009811 || ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET
        2009812 || ET TROJAN AVKiller with Backdoor checkin - HTTP POST
        2009813 || ET TROJAN Trojan.MyDNS  DNSChanger - HTTP POST
        2009814 || ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET
        2500348 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (175) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500349 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (175) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500350 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (176) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500351 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (176) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500352 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (177) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500353 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (177) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500354 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (178) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500355 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (178) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500356 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (179) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500357 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (179) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510348 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (175) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510349 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (175) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510350 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (176) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510351 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (176) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510352 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (177) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510353 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (177) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510354 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (178) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510355 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (178) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510356 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (179) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510357 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (179) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From kevross33 at googlemail.com  Tue Sep  1 18:39:02 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 1 Sep 2009 23:39:02 +0100
Subject: [Emerging-Sigs] SCAN:Joomla Vulnerability Scanner Sig
Message-ID: <e75cc74a0909011539h5f4d1f9du2f729ce73fb0ed3b@mail.gmail.com>

Tested and working, been running on a high load network for a few days now.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN OWASP
Joomla Vulnerability Scanner Detected"; flow:established,to_server;
content:"HEAD /joomla/"; depth:20; content:"|0d 0a|User-Agent|3a|
Mozilla/5.0 (Windows\; U\; Windows NT 5.2\; en-US\; rv|3a|1.9.0.3)
Gecko/2008092417 Firefox/3.0.3"; distance:70;
pcre:"/(/joomla/admin|/joomla/administrator|/joomla/manage|/joomla/administration)/U";threshold:
type threshold, track by_dst, count 4, seconds 15;
classtype:attempted-recon; reference:url,
www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project;
sid:15000004; rev:1;)

Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090901/ac6b37a8/attachment.html

From jonkman at jonkmans.com  Wed Sep  2 11:42:15 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 02 Sep 2009 11:42:15 -0400
Subject: [Emerging-Sigs] New rules file
Message-ID: <4A9E9257.3030200@jonkmans.com>

http://www.emergingthreats.net/rules/emerging-all.rules.zip

By request I've added a zip'd version of the emerging-all.rules file. A
few folks were having problems with false positives when they downlaod
that in the clear. This should eliminate that, as well as reduce the
download size.

Please report any problems!

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From jonkman at jonkmans.com  Wed Sep  2 12:54:55 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 02 Sep 2009 12:54:55 -0400
Subject: [Emerging-Sigs] SCAN:Joomla Vulnerability Scanner Sig
In-Reply-To: <e75cc74a0909011539h5f4d1f9du2f729ce73fb0ed3b@mail.gmail.com>
References: <e75cc74a0909011539h5f4d1f9du2f729ce73fb0ed3b@mail.gmail.com>
Message-ID: <4A9EA35F.9090605@jonkmans.com>

Posted, thanks!

Kevin Ross wrote:
> Tested and working, been running on a high load network for a few days now.
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN
> OWASP Joomla Vulnerability Scanner Detected";
> flow:established,to_server; content:"HEAD /joomla/"; depth:20;
> content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (Windows\; U\; Windows NT
> 5.2\; en-US\; rv|3a|1.9.0.3) Gecko/2008092417 Firefox/3.0.3";
> distance:70;
> pcre:"/(/joomla/admin|/joomla/administrator|/joomla/manage|/joomla/administration)/U";threshold:
> type threshold, track by_dst, count 4, seconds 15;
> classtype:attempted-recon;
> reference:url,www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
> <http://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project>;
> sid:15000004; rev:1;)
> 
> Kevin
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From lohin_daniel at bah.com  Wed Sep  2 14:43:46 2009
From: lohin_daniel at bah.com (Lohin, Daniel [USA])
Date: Wed, 2 Sep 2009 14:43:46 -0400
Subject: [Emerging-Sigs] Question on writing rules for DNS lookups
Message-ID: <4773DEA31FB1A6439A01CADD2B57669C0A027CFE@ASHBMBX03.resource.ds.bah.com>

Question from a newbie:

    I wanted to create a rule to see if a user queries a certain website.  There are many examples of this, for example:

http://www.autoshun.org/downloads/bhdns.rules



The one thing that I don't understand is the binary portion of each domain name in the content.  At first I thought that this was ascii characters, but as I looked at it, I realized that a "." can be multiple binary data.  For example:

1390578|02|cn

 and

032439|03|com

Even though both represent a ".".  Is there any easy way to get what binary data I need in a domain name?


Thanks,
Daniel Lohin
Senior Consultant
Booz | Allen | Hamilton
Cell 610-763-3819
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090902/a4bbc572/attachment.html

From pepperjack at afferentsecurity.com  Wed Sep  2 15:49:16 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Wed, 02 Sep 2009 14:49:16 -0500
Subject: [Emerging-Sigs] Question on writing rules for DNS lookups
In-Reply-To: <4773DEA31FB1A6439A01CADD2B57669C0A027CFE@ASHBMBX03.resource.ds.bah.com>
References: <4773DEA31FB1A6439A01CADD2B57669C0A027CFE@ASHBMBX03.resource.ds.bah.com>
Message-ID: <20090902144916.1dox4b5d8gc88kow@mail.afferentsecurity.com>

Comments inline:

Quoting "Lohin, Daniel [USA]" <lohin_daniel at bah.com>:

> Question from a newbie:
>
>     I wanted to create a rule to see if a user queries a certain  
> website.  There are many examples of this, for example:
>
> http://www.autoshun.org/downloads/bhdns.rules

thanks.

>
>
>
> The one thing that I don't understand is the binary portion of each  
> domain name in the content.  At first I thought that this was ascii  
> characters, but as I looked at it, I realized that a "." can be  
> multiple binary data.  For example:
>
> 1390578|02|cn
>
>  and
>
> 032439|03|com

the numeric value is the number of characters in the next sequence.   
it's pascal-style strings instead of c-string style.

"cn" is two chars, so it is prefaced by "02".


jp


-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


From emerging at emergingthreats.net  Wed Sep  2 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed,  2 Sep 2009 16:00:12 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090902200012.E5B444501B@goliath.jonkmans.com>


[***] Results from Oinkmaster started Wed Sep  2 16:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2009831 - ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino) (emerging-malware.rules)
 2009832 - ET SCAN NETBIOS DCERPC rpcmgmt ifids Unauthenticated BIND (emerging-scan.rules)
 2009833 - ET SCAN WITOOL SQL Injection Scan (emerging-scan.rules)
 2009834 - ET WEB_SPECIFIC Joomla portalid Component UNION SELECT SQL Injection (emerging-web_sql_injection.rules)
 2009835 - ET WEB_SPECIFIC Joomla portalid Component SELECT FROM SQL Injection (emerging-web_sql_injection.rules)
 2009836 - ET WEB_SPECIFIC Joomla portalid Component DELETE FROM SQL Injection (emerging-web_sql_injection.rules)
 2009837 - ET SCAN OWASP Joomla Vulnerability Scanner Detected (emerging-scan.rules)


[---]         Removed rules:         [---]

 2009802 - ET TROJAN KillAV Downloader - GET (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-scan.rules (1):
        #by Bill Scherr IV

     -> Added to emerging-sid-msg.map (7):
        2009831 || ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)
        2009832 || ET SCAN NETBIOS DCERPC rpcmgmt ifids Unauthenticated BIND || url,seclists.org/fulldisclosure/2003/Aug/0432.html || url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf || url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf
        2009833 || ET SCAN WITOOL SQL Injection Scan || url,witool.sourceforge.net/
        2009834 || ET WEB_SPECIFIC Joomla portalid Component UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009835 || ET WEB_SPECIFIC Joomla portalid Component SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009836 || ET WEB_SPECIFIC Joomla portalid Component DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009837 || ET SCAN OWASP Joomla Vulnerability Scanner Detected || url,www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

     -> Added to emerging-sid-msg.map.txt (7):
        2009831 || ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)
        2009832 || ET SCAN NETBIOS DCERPC rpcmgmt ifids Unauthenticated BIND || url,seclists.org/fulldisclosure/2003/Aug/0432.html || url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf || url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf
        2009833 || ET SCAN WITOOL SQL Injection Scan || url,witool.sourceforge.net/
        2009834 || ET WEB_SPECIFIC Joomla portalid Component UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009835 || ET WEB_SPECIFIC Joomla portalid Component SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009836 || ET WEB_SPECIFIC Joomla portalid Component DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009837 || ET SCAN OWASP Joomla Vulnerability Scanner Detected || url,www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

     -> Added to emerging-web_sql_injection.rules (1):
        #by kevin ross

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (1):
        2009802 || ET TROJAN KillAV Downloader - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_KillAV || url,doc.emergingthreats.net/2009802 || url,www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html || url,www.im-infected.com/trojan/trojanwin32killav-dk.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.DK&ThreatID=142699

     -> Removed from emerging-sid-msg.map.txt (1):
        2009802 || ET TROJAN KillAV Downloader - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_KillAV || url,doc.emergingthreats.net/2009802 || url,www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html || url,www.im-infected.com/trojan/trojanwin32killav-dk.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.DK&ThreatID=142699

     -> Removed from emerging-virus.rules (1):
        #ref:a9fc114ac335b1121410fa7ef29d4d73


From dxp2532 at gmail.com  Thu Sep  3 09:27:35 2009
From: dxp2532 at gmail.com (dxp)
Date: Thu, 03 Sep 2009 09:27:35 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4A9C5FF2.9090009@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net>
Message-ID: <1251984455.6560.1.camel@kinta>

Adding 'depth:5;' to the SITE content match should help with performance
and FP.
-  

-=[ dxp ]=-
0xA3F3C6E3



On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net wrote:
> Very fine Frank, thanks for submitting this.  What are your thoughts on 
> a signature specific to the milw0rm PoC to detect with a greater level 
> of certainly this PoC being used in the wild.  This would obviously be 
> in conjunction with your signature, not a replacement for it, but could 
> be used with perhaps a greater level of confidence to invoke a IDS/IPS 
> action.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP 
> Exploit - Large SITE Command, milw0rm PoC"; flow:established,to_server; 
> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV"; 
> classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; 
> sid:2009xxxx; rev:0;)
> 
> -evilghost
> 
> Frank Knobbe wrote:
> > Gents,
> >
> > I committed this sig to catch the milw0rm IIS-FTP exploit:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
> > IIS FTP Exploit attempt - Large SITE command";
> > flow:established,to_server; content:"SITE "; nocase; content:!"|0d 0a|";
> > within:150; classtype:attempted-admin;
> > reference:url,www.milw0rm.com/exploits/9541;
> > reference:url,doc.emergingthreats.net/2009828;
> > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP; sid:2009828; rev:2;)
> >
> > Seems to test okay for me. But I'm not sure if there are legitimate SITE
> > commands larger than 150 bytes. Please report any False Positives.
> >
> > Thanks,
> > Frank
> >
> >
> >
> >   
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >   
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/83a24289/attachment.bin

From jonkman at jonkmans.com  Thu Sep  3 10:44:35 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 03 Sep 2009 10:44:35 -0400
Subject: [Emerging-Sigs] StillSecure: 20 New Signatures - Aug - 31 - 2009
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C293C@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C293C@webmail.latis.com>
Message-ID: <4A9FD653.6050605@jonkmans.com>

Posted, thanks!

Matt

signatures wrote:
> Hi Matt,
> 
> Please find 20 New Signatures below:
> 
> 1.       *WEB-PHP WB News search.php config Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News search.php config Parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/search.php?"; nocase; uricontent:"config[installdir]=";
> nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,33434;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html;
> sid:7577; rev:1;)
> 
> 2.       *WEB-PHP WB News archive.php config Parameter Remote File
> Inclusion -1*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News archive.php config Parameter Remote File Inclusion -1";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/archive.php?"; nocase; uricontent:"config[installdir]=";
> nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,33434;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html;
> sid:7578; rev:1;)
> 
> 3.       *WEB-PHP WB News Archive.php config Parameter Remote File
> Inclusion -2*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News Archive.php config Parameter Remote File Inclusion -2";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/base/Archive.php?"; nocase;
> uricontent:"config[installdir]="; nocase;
> pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,33434;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html;
> sid:7579; rev:1;)
> 
> 4.       *WEB-PHP WB News comments.php config Parameter Remote File
> Inclusion -1*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News comments.php config Parameter Remote File Inclusion -1";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/comments.php?"; nocase; uricontent:"config[installdir]=";
> nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,33434;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html;
> sid:7580; rev:1;)
> 
> 5.       *WEB-PHP WB News Comments.php config Parameter Remote File
> Inclusion -2*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News Comments.php config Parameter Remote File Inclusion -2";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/base/Comments.php?"; nocase;
> uricontent:"config[installdir]="; nocase;
> pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,33434;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html;
> sid:7581; rev:1;)
> 
> 6.       *WEB-PHP WB News news.php config Parameter Remote File
> Inclusion -1*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News news.php config Parameter Remote File Inclusion -1";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/news.php?"; nocase; uricontent:"config[installdir]=";
> nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,33434;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html;
> sid:7582; rev:1;)
> 
> 7.       *WEB-PHP WB News News.php config Parameter Remote File
> Inclusion -2*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News News.php config Parameter Remote File Inclusion -2";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/base/News.php?"; nocase; uricontent:"config[installdir]=";
> nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,33434;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html;
> sid:7583; rev:1;)
> 
> 8.       *WEB-PHP WB News SendFriend.php config Parameter Remote File
> Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News SendFriend.php config Parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/base/SendFriend.php?"; nocase;
> uricontent:"config[installdir]="; nocase;
> pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,33434;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html;
> sid:7584; rev:1;)
> 
> 9.       *WEB-PHP WB News global.php config Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WB News global.php config Parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/admin/global.php?"; nocase;
> uricontent:"config[installdir]="; nocase;
> pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/33691;
> reference:url,milw0rm.com/exploits/8026; sid:7585; rev:1;)
> 
> 10.   *WEB-ATTACKS Symantec Security Check RuFSI ActiveX Control Buffer
> Overflow*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> Symantec Security Check RuFSI ActiveX Control Buffer Overflow";
> flow:to_client,established; content:"clsid"; nocase;
> content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; nocase; distance:0;
> pcre:"/classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si";
> classtype:web-application-attack; reference:bugtraq,8008;
> reference:url,xforce.iss.net/xforce/xfdb/12423;
> reference:url,juniper.net/security/auto/vulnerabilities/vuln8008.html;
> sid:7865; rev:1;)
> 
> 11.   *WEB-PHP Dragoon header.inc.php root Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Dragoon header.inc.php root Parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/includes/header.inc.php?"; nocase; uricontent:"root=";
> nocase; pcre:"/root=\s*(https?|ftps?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/5393; reference:bugtraq,28660;
> sid:7593; rev:1;)
> 
> 12.   *WEB-PHP Flash Quiz num_questions.php quiz Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Flash Quiz num_questions.php quiz Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/num_questions.php?"; nocase; uricontent:"quiz="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759;
> sid:7604; rev:1;)
> 
> 13.   *WEB-PHP Flash Quiz answers.php quiz Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Flash Quiz answers.php quiz Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/answers.php?"; nocase; uricontent:"quiz="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759;
> sid:7605; rev:1;)
> 
> 14.   *WEB-PHP Flash Quiz answers.php order_number Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Flash Quiz answers.php order_number Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/answers.php?"; nocase; uricontent:"order_number="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759;
> sid:7606; rev:1;)
> 
> 15.   *WEB-PHP Flash Quiz high_score_web.php quiz Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Flash Quiz high_score_web.php quiz Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/high_score_web.php?"; nocase; uricontent:"quiz="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759;
> sid:7607; rev:1;)
> 
> 16.   *WEB-PHP Flash Quiz results_table_web.php quiz Parameter SQL
> Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Flash Quiz results_table_web.php quiz Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/results_table_web.php?"; nocase; uricontent:"quiz=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759;
> sid:7608; rev:1;)
> 
> 17.   *WEB-PHP Flash Quiz question.php quiz Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Flash Quiz question.php quiz Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/question.php?"; nocase; uricontent:"quiz="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759;
> sid:7609; rev:1;)
> 
> 18.   *WEB-PHP Flash Quiz question.php order_number Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Flash Quiz question.php order_number Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/question.php?"; nocase; uricontent:"order_number="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759;
> sid:7610; rev:1;)
> 
> 19.   *WEB-PHP Flash Quiz high_score.php quiz Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Flash Quiz high_score.php quiz Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/high_score.php?"; nocase; uricontent:"quiz="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759;
> sid:7611; rev:1;)
> 
> 20.   *WEB-ATTACKS Awingsoft Web3D Player Remote Buffer Overflow*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> Awingsoft Web3D Player Remote Buffer Overflow";
> flow:to_client,established; content:"clsid"; nocase;
> content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; distance:0;
> content:"SceneURL"; nocase; classtype:web-application-attack;
> reference:url,secunia.com/advisories/35764/;
> reference:url,milw0rm.com/exploits/9116;
> reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html;
> sid:7866; rev:1;)
> 
> Looking forward for your comments, if any...
>  
> Thanks & Regards,
> StillSecure
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From jonkman at jonkmans.com  Thu Sep  3 10:46:06 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 03 Sep 2009 10:46:06 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <1251984455.6560.1.camel@kinta>
References: <1251755569.42741.11.camel@localhost>	<4A9C5FF2.9090009@packetmail.net>
	<1251984455.6560.1.camel@kinta>
Message-ID: <4A9FD6AE.7020709@jonkmans.com>

So it would. Doing so, Thanks!

dxp wrote:
> Adding 'depth:5;' to the SITE content match should help with performance
> and FP.
> -  
> 
> -=[ dxp ]=-
> 0xA3F3C6E3
> 
> 
> 
> On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net wrote:
>> Very fine Frank, thanks for submitting this.  What are your thoughts on 
>> a signature specific to the milw0rm PoC to detect with a greater level 
>> of certainly this PoC being used in the wild.  This would obviously be 
>> in conjunction with your signature, not a replacement for it, but could 
>> be used with perhaps a greater level of confidence to invoke a IDS/IPS 
>> action.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP 
>> Exploit - Large SITE Command, milw0rm PoC"; flow:established,to_server; 
>> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV"; 
>> classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; 
>> sid:2009xxxx; rev:0;)
>>
>> -evilghost
>>
>> Frank Knobbe wrote:
>>> Gents,
>>>
>>> I committed this sig to catch the milw0rm IIS-FTP exploit:
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
>>> IIS FTP Exploit attempt - Large SITE command";
>>> flow:established,to_server; content:"SITE "; nocase; content:!"|0d 0a|";
>>> within:150; classtype:attempted-admin;
>>> reference:url,www.milw0rm.com/exploits/9541;
>>> reference:url,doc.emergingthreats.net/2009828;
>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP; sid:2009828; rev:2;)
>>>
>>> Seems to test okay for me. But I'm not sure if there are legitimate SITE
>>> commands larger than 150 bytes. Please report any False Positives.
>>>
>>> Thanks,
>>> Frank
>>>
>>>
>>>
>>>   
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>   
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From kevross33 at googlemail.com  Thu Sep  3 13:05:30 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 3 Sep 2009 18:05:30 +0100
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4A9FD6AE.7020709@jonkmans.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
Message-ID: <e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>

http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html

Hmm. Seems using SITE may not actually cover the vulnerability. Have a read.
The important bit is:

"We saw some rules that detected the SITE command as the vulnerable
condition for exploitation, this is not where the problem lies. Its in the *
NLST* command when it parses long directory names. The SITE command in the
released exploit (archived on milw0rm) is used to store shellcode into
memory, so it can be egghunted later when the exploit is triggered. While
looking for the SITE command will detect attempts to use *this particular
exploit*, there are plenty of other ways to store your shellcode in memory
before triggering this vulnerability, which would evade anything using the
SITE method for detection."

2009/9/3 Matt Jonkman <jonkman at jonkmans.com>

> So it would. Doing so, Thanks!
>
> dxp wrote:
> > Adding 'depth:5;' to the SITE content match should help with performance
> > and FP.
> > -
> >
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> >
> >
> > On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net wrote:
> >> Very fine Frank, thanks for submitting this.  What are your thoughts on
> >> a signature specific to the milw0rm PoC to detect with a greater level
> >> of certainly this PoC being used in the wild.  This would obviously be
> >> in conjunction with your signature, not a replacement for it, but could
> >> be used with perhaps a greater level of confidence to invoke a IDS/IPS
> >> action.
> >>
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP
> >> Exploit - Large SITE Command, milw0rm PoC"; flow:established,to_server;
> >> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
> >> classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541;
> >> sid:2009xxxx; rev:0;)
> >>
> >> -evilghost
> >>
> >> Frank Knobbe wrote:
> >>> Gents,
> >>>
> >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
> >>>
> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
> >>> IIS FTP Exploit attempt - Large SITE command";
> >>> flow:established,to_server; content:"SITE "; nocase; content:!"|0d
> 0a|";
> >>> within:150; classtype:attempted-admin;
> >>> reference:url,www.milw0rm.com/exploits/9541;
> >>> reference:url,doc.emergingthreats.net/2009828;
> >>> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
> sid:2009828; rev:2;)
> >>>
> >>> Seems to test okay for me. But I'm not sure if there are legitimate
> SITE
> >>> commands larger than 150 bytes. Please report any False Positives.
> >>>
> >>> Thanks,
> >>> Frank
> >>>
> >>>
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> Emerging-sigs mailing list
> >>> Emerging-sigs at emergingthreats.net
> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/6f1d74b0/attachment.html

From evilghost at packetmail.net  Thu Sep  3 13:07:07 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 3 Sep 2009 12:07:07 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <1251755569.42741.11.camel@localhost>
References: <1251755569.42741.11.camel@localhost>
Message-ID: <4A9FF7BB.3060207@packetmail.net>

A slight change to this signature due to the recommendations on the 
Snort-VRT blog to use the isdataat function.  Added 
isdataat:100,relative, depth:5, and incremented the revision number:

tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP 
Exploit attempt - Large SITE command"; flow:established,to_server; 
content:"SITE "; nocase; depth:5; isdataat:100,relative; content:!"|0d 
0a|"; within:100; classtype:attempted-admin; 
reference:url,www.milw0rm.com/exploits/9541; 
reference:url,doc.emergingthreats.net/2009828; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP; 
sid:2009828; rev:4;)

Comments/grips welcome :)

-evilghost


Frank Knobbe wrote:
> Gents,
>
> I committed this sig to catch the milw0rm IIS-FTP exploit:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
> IIS FTP Exploit attempt - Large SITE command";
> flow:established,to_server; content:"SITE "; nocase; content:!"|0d 0a|";
> within:150; classtype:attempted-admin;
> reference:url,www.milw0rm.com/exploits/9541;
> reference:url,doc.emergingthreats.net/2009828;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP; sid:2009828; rev:2;)
>
> Seems to test okay for me. But I'm not sure if there are legitimate SITE
> commands larger than 150 bytes. Please report any False Positives.
>
> Thanks,
> Frank
>
>
>
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>   

From kevross33 at googlemail.com  Thu Sep  3 13:10:24 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 3 Sep 2009 18:10:24 +0100
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4A9FF7BB.3060207@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9FF7BB.3060207@packetmail.net>
Message-ID: <e75cc74a0909031010r5c8c41e7p2d44913f1fc1dae2@mail.gmail.com>

shouldn't it be using the NLST command; not site? Like so. I thought that
was what the sourcefire blog was hinting to us lol :) SITE would detect the
specific exploit, not the vulnerability.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS
FTP Exploit attempt - Large NLST command"; flow:established,to_server;
content:"NLST "; nocase; depth:5; isdataat:100,relative; content:!"|0d 0a|";
within:100; classtype:attempted-admin; reference:url,
www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009828;
reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
sid:2009828; rev:4;)

2009/9/3 evilghost at packetmail.net <evilghost at packetmail.net>

> A slight change to this signature due to the recommendations on the
> Snort-VRT blog to use the isdataat function.  Added
> isdataat:100,relative, depth:5, and incremented the revision number:
>
> tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP
> Exploit attempt - Large SITE command"; flow:established,to_server;
> content:"SITE "; nocase; depth:5; isdataat:100,relative; content:!"|0d
> 0a|"; within:100; classtype:attempted-admin;
> reference:url,www.milw0rm.com/exploits/9541;
> reference:url,doc.emergingthreats.net/2009828;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
> sid:2009828; rev:4;)
>
> Comments/grips welcome :)
>
> -evilghost
>
>
> Frank Knobbe wrote:
> > Gents,
> >
> > I committed this sig to catch the milw0rm IIS-FTP exploit:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
> > IIS FTP Exploit attempt - Large SITE command";
> > flow:established,to_server; content:"SITE "; nocase; content:!"|0d 0a|";
> > within:150; classtype:attempted-admin;
> > reference:url,www.milw0rm.com/exploits/9541;
> > reference:url,doc.emergingthreats.net/2009828;
> > reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
> sid:2009828; rev:2;)
> >
> > Seems to test okay for me. But I'm not sure if there are legitimate SITE
> > commands larger than 150 bytes. Please report any False Positives.
> >
> > Thanks,
> > Frank
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/be17e438/attachment.html

From evilghost at packetmail.net  Thu Sep  3 13:11:30 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 3 Sep 2009 12:11:30 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>	<4A9C5FF2.9090009@packetmail.net>
	<1251984455.6560.1.camel@kinta>	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
Message-ID: <4A9FF8C2.3050205@packetmail.net>

Kevin I had submitted this signature earlier in the week but didn't get 
any response.  Just added isdataat and depth to help performance/FP.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST "; depth:5; isdataat:100,relative; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:1;)

-evilghost

Kevin Ross wrote:
> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
>
> Hmm. Seems using SITE may not actually cover the vulnerability. Have a 
> read. The important bit is:
>
> "We saw some rules that detected the SITE command as the vulnerable 
> condition for exploitation, this is not where the problem lies. Its in 
> the *NLST* command when it parses long directory names. The SITE 
> command in the released exploit (archived on milw0rm) is used to store 
> shellcode into memory, so it can be egghunted later when the exploit 
> is triggered. While looking for the SITE command will detect attempts 
> to use *this particular exploit*, there are plenty of other ways to 
> store your shellcode in memory before triggering this vulnerability, 
> which would evade anything using the SITE method for detection."
>
> 2009/9/3 Matt Jonkman <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>>
>
>     So it would. Doing so, Thanks!
>
>     dxp wrote:
>     > Adding 'depth:5;' to the SITE content match should help with
>     performance
>     > and FP.
>     > -
>     >
>     > -=[ dxp ]=-
>     > 0xA3F3C6E3
>     >
>     >
>     >
>     > On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net> wrote:
>     >> Very fine Frank, thanks for submitting this.  What are your
>     thoughts on
>     >> a signature specific to the milw0rm PoC to detect with a
>     greater level
>     >> of certainly this PoC being used in the wild.  This would
>     obviously be
>     >> in conjunction with your signature, not a replacement for it,
>     but could
>     >> be used with perhaps a greater level of confidence to invoke a
>     IDS/IPS
>     >> action.
>     >>
>     >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit
>     IIS FTP
>     >> Exploit - Large SITE Command, milw0rm PoC";
>     flow:established,to_server;
>     >> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
>     >> classtype:attempted-admin;
>     reference:url,www.milw0rm.com/exploits/9541
>     <http://www.milw0rm.com/exploits/9541>;
>     >> sid:2009xxxx; rev:0;)
>     >>
>     >> -evilghost
>     >>
>     >> Frank Knobbe wrote:
>     >>> Gents,
>     >>>
>     >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
>     >>>
>     >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT
>     Possible
>     >>> IIS FTP Exploit attempt - Large SITE command";
>     >>> flow:established,to_server; content:"SITE "; nocase;
>     content:!"|0d 0a|";
>     >>> within:150; classtype:attempted-admin;
>     >>> reference:url,www.milw0rm.com/exploits/9541
>     <http://www.milw0rm.com/exploits/9541>;
>     >>> reference:url,doc.emergingthreats.net/2009828
>     <http://doc.emergingthreats.net/2009828>;
>     >>>
>     reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
>     <http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP>;
>     sid:2009828; rev:2;)
>     >>>
>     >>> Seems to test okay for me. But I'm not sure if there are
>     legitimate SITE
>     >>> commands larger than 150 bytes. Please report any False Positives.
>     >>>
>     >>> Thanks,
>     >>> Frank
>     >>>
>     >>>
>     >>>
>     >>>
>     >>>
>     ------------------------------------------------------------------------
>     >>>
>     >>> _______________________________________________
>     >>> Emerging-sigs mailing list
>     >>> Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>>
>     >> _______________________________________________
>     >> Emerging-sigs mailing list
>     >> Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>
>     >>
>     ------------------------------------------------------------------------
>     >>
>     >> _______________________________________________
>     >> Emerging-sigs mailing list
>     >> Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>     --
>     --------------------------------------------
>     Matthew Jonkman
>     Emerging Threats
>     Open Information Security Foundation (OISF)
>     Phone 765-429-0398
>     Fax 312-264-0205
>     http://www.emergingthreats.net
>     http://www.openinformationsecurityfoundation.org
>     --------------------------------------------
>
>     PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/b9a4e0a2/attachment-0001.html

From kevross33 at googlemail.com  Thu Sep  3 13:13:48 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 3 Sep 2009 18:13:48 +0100
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <e75cc74a0909031010r5c8c41e7p2d44913f1fc1dae2@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9FF7BB.3060207@packetmail.net>
	<e75cc74a0909031010r5c8c41e7p2d44913f1fc1dae2@mail.gmail.com>
Message-ID: <e75cc74a0909031013x4e04d56ava25f13ad30eb4e67@mail.gmail.com>

http://tools.cisco.com/security/center/viewAlert.x?alertId=18951

Cisco on it. See again it mentions NLST not site. Also added in this
reference as it is pretty good.

2009/9/3 Kevin Ross <kevross33 at googlemail.com>

> shouldn't it be using the NLST command; not site? Like so. I thought that
> was what the sourcefire blog was hinting to us lol :) SITE would detect the
> specific exploit, not the vulnerability.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS
> FTP Exploit attempt - Large NLST command"; flow:established,to_server;
> content:"NLST "; nocase; depth:5; isdataat:100,relative; content:!"|0d 0a|";
> within:100; classtype:attempted-admin; reference:url,
> www.milw0rm.com/exploits/9541; reference:url,
> doc.emergingthreats.net/2009828; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
> reference:url,
> http://tools.cisco.com/security/center/viewAlert.x?alertId=18951;
> sid:2009828; rev:4;)
>
> 2009/9/3 evilghost at packetmail.net <evilghost at packetmail.net>
>
> A slight change to this signature due to the recommendations on the
>> Snort-VRT blog to use the isdataat function.  Added
>> isdataat:100,relative, depth:5, and incremented the revision number:
>>
>> tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP
>> Exploit attempt - Large SITE command"; flow:established,to_server;
>> content:"SITE "; nocase; depth:5; isdataat:100,relative; content:!"|0d
>> 0a|"; within:100; classtype:attempted-admin;
>> reference:url,www.milw0rm.com/exploits/9541;
>> reference:url,doc.emergingthreats.net/2009828;
>> reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>> sid:2009828; rev:4;)
>>
>> Comments/grips welcome :)
>>
>> -evilghost
>>
>>
>> Frank Knobbe wrote:
>> > Gents,
>> >
>> > I committed this sig to catch the milw0rm IIS-FTP exploit:
>> >
>> > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
>> > IIS FTP Exploit attempt - Large SITE command";
>> > flow:established,to_server; content:"SITE "; nocase; content:!"|0d 0a|";
>> > within:150; classtype:attempted-admin;
>> > reference:url,www.milw0rm.com/exploits/9541;
>> > reference:url,doc.emergingthreats.net/2009828;
>> > reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>> sid:2009828; rev:2;)
>> >
>> > Seems to test okay for me. But I'm not sure if there are legitimate SITE
>> > commands larger than 150 bytes. Please report any False Positives.
>> >
>> > Thanks,
>> > Frank
>> >
>> >
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > Emerging-sigs mailing list
>> > Emerging-sigs at emergingthreats.net
>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/d4153667/attachment.html

From eslerj at gmail.com  Thu Sep  3 13:16:41 2009
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 3 Sep 2009 13:16:41 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <e75cc74a0909031013x4e04d56ava25f13ad30eb4e67@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9FF7BB.3060207@packetmail.net>
	<e75cc74a0909031010r5c8c41e7p2d44913f1fc1dae2@mail.gmail.com>
	<e75cc74a0909031013x4e04d56ava25f13ad30eb4e67@mail.gmail.com>
Message-ID: <314cf0830909031016v3b288f4am36e8e09fab9cb3ef@mail.gmail.com>

I'll post it again.
http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability.html

<http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability.html>There
are rules, so old, they are in the FREE set, like, pre vrt license set.
 Like, pre bleeding snort ever existed set.  Plus, the preprocessor does
this for you.  Always has -- by default.

J

On Thu, Sep 3, 2009 at 1:13 PM, Kevin Ross <kevross33 at googlemail.com> wrote:

> http://tools.cisco.com/security/center/viewAlert.x?alertId=18951
>
> Cisco on it. See again it mentions NLST not site. Also added in this
> reference as it is pretty good.
>
> 2009/9/3 Kevin Ross <kevross33 at googlemail.com>
>
>> shouldn't it be using the NLST command; not site? Like so. I thought that
>> was what the sourcefire blog was hinting to us lol :) SITE would detect the
>> specific exploit, not the vulnerability.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS
>> FTP Exploit attempt - Large NLST command"; flow:established,to_server;
>> content:"NLST "; nocase; depth:5; isdataat:100,relative; content:!"|0d 0a|";
>> within:100; classtype:attempted-admin; reference:url,
>> www.milw0rm.com/exploits/9541; reference:url,
>> doc.emergingthreats.net/2009828; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>> reference:url,
>> http://tools.cisco.com/security/center/viewAlert.x?alertId=18951;
>> sid:2009828; rev:4;)
>>
>>
>> 2009/9/3 evilghost at packetmail.net <evilghost at packetmail.net>
>>
>> A slight change to this signature due to the recommendations on the
>>> Snort-VRT blog to use the isdataat function.  Added
>>> isdataat:100,relative, depth:5, and incremented the revision number:
>>>
>>> tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP
>>> Exploit attempt - Large SITE command"; flow:established,to_server;
>>> content:"SITE "; nocase; depth:5; isdataat:100,relative; content:!"|0d
>>> 0a|"; within:100; classtype:attempted-admin;
>>> reference:url,www.milw0rm.com/exploits/9541;
>>> reference:url,doc.emergingthreats.net/2009828;
>>> reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>>> sid:2009828; rev:4;)
>>>
>>> Comments/grips welcome :)
>>>
>>> -evilghost
>>>
>>>
>>> Frank Knobbe wrote:
>>> > Gents,
>>> >
>>> > I committed this sig to catch the milw0rm IIS-FTP exploit:
>>> >
>>> > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
>>> > IIS FTP Exploit attempt - Large SITE command";
>>> > flow:established,to_server; content:"SITE "; nocase; content:!"|0d
>>> 0a|";
>>> > within:150; classtype:attempted-admin;
>>> > reference:url,www.milw0rm.com/exploits/9541;
>>> > reference:url,doc.emergingthreats.net/2009828;
>>> > reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>>> sid:2009828; rev:2;)
>>> >
>>> > Seems to test okay for me. But I'm not sure if there are legitimate
>>> SITE
>>> > commands larger than 150 bytes. Please report any False Positives.
>>> >
>>> > Thanks,
>>> > Frank
>>> >
>>> >
>>> >
>>> >
>>> >
>>> ------------------------------------------------------------------------
>>> >
>>> > _______________________________________________
>>> > Emerging-sigs mailing list
>>> > Emerging-sigs at emergingthreats.net
>>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> >
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/6f2d965a/attachment.html

From frank at knobbe.us  Thu Sep  3 13:21:59 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 3 Sep 2009 12:21:59 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net>
	<1251984455.6560.1.camel@kinta> <4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
Message-ID: <20090903172159.GB21340@knobbe.us>

On Thu, Sep 03, 2009 at 06:05:30PM +0100, Kevin Ross wrote:
> Hmm. Seems using SITE may not actually cover the vulnerability. Have a read.
> The important bit is:

Right, we know that and discussed it.

Ideally we need a signature for overflow attempts for every command. But
since they are already in the Snort distribution, I'm not sure how much
of a duplication that would be.

The thing with the NLIST sig is that the argument is not quite so long.
The problem is not the length, but the malformed content. So creating a sig
for a long argument of NLIST is not completel accurate. The sig should
check for abnormal characters (those that are not valid for file names).

But again, I think overflow sigs for SITE, NLIST, and every other FTP 
command would be good, even though it's duplicating existing Snort sigs.

Cheers,
Frank


From kevross33 at googlemail.com  Thu Sep  3 13:35:34 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 3 Sep 2009 18:35:34 +0100
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4A9FF8C2.3050205@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net>
Message-ID: <e75cc74a0909031035l163d6b57mbdecaeddef22cacf@mail.gmail.com>

Ah, see I have just joined in when I read the blog and remembered the sig
that was added was for the SITE version. Aso the VRT blog made some very
snort specific recommendations and in bold had a few things that might have
been wrong lol. I am not any good yet at writing buffer/stack/heap
overflows/underflows etc yet so I didn't even bother making an attempt at
this.

2009/9/3 evilghost at packetmail.net <evilghost at packetmail.net>

>  Kevin I had submitted this signature earlier in the week but didn't get
> any response.  Just added isdataat and depth to help performance/FP.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST "; depth:5; isdataat:100,relative; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:1;)
>
> -evilghost
>
> Kevin Ross wrote:
>
>
> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
>
> Hmm. Seems using SITE may not actually cover the vulnerability. Have a
> read. The important bit is:
>
> "We saw some rules that detected the SITE command as the vulnerable
> condition for exploitation, this is not where the problem lies. Its in the
> *NLST* command when it parses long directory names. The SITE command in
> the released exploit (archived on milw0rm) is used to store shellcode into
> memory, so it can be egghunted later when the exploit is triggered. While
> looking for the SITE command will detect attempts to use *this particular
> exploit*, there are plenty of other ways to store your shellcode in memory
> before triggering this vulnerability, which would evade anything using the
> SITE method for detection."
>
> 2009/9/3 Matt Jonkman <jonkman at jonkmans.com>
>
>> So it would. Doing so, Thanks!
>>
>> dxp wrote:
>> > Adding 'depth:5;' to the SITE content match should help with performance
>> > and FP.
>> > -
>> >
>> > -=[ dxp ]=-
>> > 0xA3F3C6E3
>> >
>> >
>> >
>> > On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net wrote:
>> >> Very fine Frank, thanks for submitting this.  What are your thoughts on
>> >> a signature specific to the milw0rm PoC to detect with a greater level
>> >> of certainly this PoC being used in the wild.  This would obviously be
>> >> in conjunction with your signature, not a replacement for it, but could
>> >> be used with perhaps a greater level of confidence to invoke a IDS/IPS
>> >> action.
>> >>
>> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP
>> >> Exploit - Large SITE Command, milw0rm PoC"; flow:established,to_server;
>> >> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
>> >> classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541
>> ;
>> >> sid:2009xxxx; rev:0;)
>> >>
>> >> -evilghost
>> >>
>> >> Frank Knobbe wrote:
>> >>> Gents,
>> >>>
>> >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
>> >>>
>> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
>> >>> IIS FTP Exploit attempt - Large SITE command";
>> >>> flow:established,to_server; content:"SITE "; nocase; content:!"|0d
>> 0a|";
>> >>> within:150; classtype:attempted-admin;
>> >>> reference:url,www.milw0rm.com/exploits/9541;
>> >>> reference:url,doc.emergingthreats.net/2009828;
>> >>> reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>> sid:2009828; rev:2;)
>> >>>
>> >>> Seems to test okay for me. But I'm not sure if there are legitimate
>> SITE
>> >>> commands larger than 150 bytes. Please report any False Positives.
>> >>>
>> >>> Thanks,
>> >>> Frank
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> ------------------------------------------------------------------------
>> >>>
>> >>> _______________________________________________
>> >>> Emerging-sigs mailing list
>> >>> Emerging-sigs at emergingthreats.net
>> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>>
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at emergingthreats.net
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>
>> >>
>> ------------------------------------------------------------------------
>> >>
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at emergingthreats.net
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>  --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
> ------------------------------
>
> _______________________________________________
> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/bd01541a/attachment-0001.html

From kevross33 at googlemail.com  Thu Sep  3 13:43:24 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 3 Sep 2009 18:43:24 +0100
Subject: [Emerging-Sigs] PPStream Buffer Overflow sig
Message-ID: <e75cc74a0909031043l1532581focfa7b7e9ef3f884c@mail.gmail.com>

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB_ACTIVEX
Possible PPStream MList.ocx Buffer Overflow Attempt";
flow:from_server,established; content:"clsid"; nocase;
content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; nocase; distance:0;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D/si";
classtype:attempted-user; reference:url,www.securityfocus.com/bid/36234/info;
sid:15000001; rev:1;)

Kev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/a71cb618/attachment.html

From jonkman at jonkmans.com  Thu Sep  3 15:51:35 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 03 Sep 2009 15:51:35 -0400
Subject: [Emerging-Sigs] PPStream Buffer Overflow sig
In-Reply-To: <e75cc74a0909031043l1532581focfa7b7e9ef3f884c@mail.gmail.com>
References: <e75cc74a0909031043l1532581focfa7b7e9ef3f884c@mail.gmail.com>
Message-ID: <4AA01E47.3060300@jonkmans.com>

Posted, thanks Kevin!

Kevin Ross wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB_ACTIVEX
> Possible PPStream MList.ocx Buffer Overflow Attempt";
> flow:from_server,established; content:"clsid"; nocase;
> content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; nocase; distance:0;
> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D/si";
> classtype:attempted-user;
> reference:url,www.securityfocus.com/bid/36234/info
> <http://www.securityfocus.com/bid/36234/info>; sid:15000001; rev:1;)
> 
> Kev
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From emerging at emergingthreats.net  Thu Sep  3 16:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu,  3 Sep 2009 16:00:13 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090903200013.61FDD4504D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Thu Sep  3 16:00:13 2009 [***]

[+++]          Added rules:          [+++]

 2009838 - ET WEB_SPECIFIC WB News search.php config Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009839 - ET WEB_SPECIFIC WB News archive.php config Parameter Remote File Inclusion -1 (emerging-web_sql_injection.rules)
 2009840 - ET WEB_SPECIFIC WB News Archive.php config Parameter Remote File Inclusion -2 (emerging-web_sql_injection.rules)
 2009841 - ET WEB_SPECIFIC WB News comments.php config Parameter Remote File Inclusion -1 (emerging-web_sql_injection.rules)
 2009842 - ET WEB_SPECIFIC WB News Comments.php config Parameter Remote File Inclusion -2 (emerging-web_sql_injection.rules)
 2009843 - ET WEB_SPECIFIC WB News news.php config Parameter Remote File Inclusion -1 (emerging-web_sql_injection.rules)
 2009844 - ET WEB_SPECIFIC WB News News.php config Parameter Remote File Inclusion -2 (emerging-web_sql_injection.rules)
 2009845 - ET WEB_SPECIFIC WB News SendFriend.php config Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009846 - ET WEB_SPECIFIC WB News global.php config Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009847 - ET WEB_ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow (emerging-web.rules)
 2009849 - ET WEB_SPECIFIC Flash Quiz num_questions.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009850 - ET WEB_SPECIFIC Flash Quiz answers.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009851 - ET WEB_SPECIFIC Flash Quiz answers.php order_number Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009852 - ET WEB_SPECIFIC Flash Quiz high_score_web.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009853 - ET WEB_SPECIFIC Flash Quiz results_table_web.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009854 - ET WEB_SPECIFIC Flash Quiz question.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009855 - ET WEB_SPECIFIC Flash Quiz question.php order_number Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009856 - ET WEB_SPECIFIC Flash Quiz high_score.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009857 - ET WEB_ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow (emerging-web.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (19):
        2009838 || ET WEB_SPECIFIC WB News search.php config Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009839 || ET WEB_SPECIFIC WB News archive.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009840 || ET WEB_SPECIFIC WB News Archive.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009841 || ET WEB_SPECIFIC WB News comments.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009842 || ET WEB_SPECIFIC WB News Comments.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009843 || ET WEB_SPECIFIC WB News news.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009844 || ET WEB_SPECIFIC WB News News.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009845 || ET WEB_SPECIFIC WB News SendFriend.php config Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009846 || ET WEB_SPECIFIC WB News global.php config Parameter Remote File Inclusion || url,milw0rm.com/exploits/8026 || url,secunia.com/advisories/33691
        2009847 || ET WEB_ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow || url,juniper.net/security/auto/vulnerabilities/vuln8008.html || url,xforce.iss.net/xforce/xfdb/12423 || bugtraq,8008
        2009849 || ET WEB_SPECIFIC Flash Quiz num_questions.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009850 || ET WEB_SPECIFIC Flash Quiz answers.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009851 || ET WEB_SPECIFIC Flash Quiz answers.php order_number Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009852 || ET WEB_SPECIFIC Flash Quiz high_score_web.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009853 || ET WEB_SPECIFIC Flash Quiz results_table_web.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009854 || ET WEB_SPECIFIC Flash Quiz question.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009855 || ET WEB_SPECIFIC Flash Quiz question.php order_number Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009856 || ET WEB_SPECIFIC Flash Quiz high_score.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009857 || ET WEB_ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow || url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html || url,milw0rm.com/exploits/9116 || url,secunia.com/advisories/35764/

     -> Added to emerging-sid-msg.map.txt (19):
        2009838 || ET WEB_SPECIFIC WB News search.php config Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009839 || ET WEB_SPECIFIC WB News archive.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009840 || ET WEB_SPECIFIC WB News Archive.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009841 || ET WEB_SPECIFIC WB News comments.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009842 || ET WEB_SPECIFIC WB News Comments.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009843 || ET WEB_SPECIFIC WB News news.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009844 || ET WEB_SPECIFIC WB News News.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009845 || ET WEB_SPECIFIC WB News SendFriend.php config Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009846 || ET WEB_SPECIFIC WB News global.php config Parameter Remote File Inclusion || url,milw0rm.com/exploits/8026 || url,secunia.com/advisories/33691
        2009847 || ET WEB_ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow || url,juniper.net/security/auto/vulnerabilities/vuln8008.html || url,xforce.iss.net/xforce/xfdb/12423 || bugtraq,8008
        2009849 || ET WEB_SPECIFIC Flash Quiz num_questions.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009850 || ET WEB_SPECIFIC Flash Quiz answers.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009851 || ET WEB_SPECIFIC Flash Quiz answers.php order_number Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009852 || ET WEB_SPECIFIC Flash Quiz high_score_web.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009853 || ET WEB_SPECIFIC Flash Quiz results_table_web.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009854 || ET WEB_SPECIFIC Flash Quiz question.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009855 || ET WEB_SPECIFIC Flash Quiz question.php order_number Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009856 || ET WEB_SPECIFIC Flash Quiz high_score.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009857 || ET WEB_ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow || url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html || url,milw0rm.com/exploits/9116 || url,secunia.com/advisories/35764/

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (102):
        2404025 || ET DROP Known Bot C&C Server Traffic (group 26)  || url,www.shadowserver.org
        2405025 || ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE || url,www.shadowserver.org
        2500298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500330 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500331 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500332 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500333 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500334 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500335 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500336 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500337 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500338 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500339 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500340 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500341 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500342 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500343 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500344 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500345 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500346 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (174) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500347 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (174) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510330 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510331 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510332 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510333 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510334 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510335 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510336 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510337 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510338 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510339 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510340 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510341 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510342 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510343 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510344 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510345 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510346 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (174) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510347 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (174) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (102):
        2404025 || ET DROP Known Bot C&C Server Traffic (group 26)  || url,www.shadowserver.org
        2405025 || ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE || url,www.shadowserver.org
        2500298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500330 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500331 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500332 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500333 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500334 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500335 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500336 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500337 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500338 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500339 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500340 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500341 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500342 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500343 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500344 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500345 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500346 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (174) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500347 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (174) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510330 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510331 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510332 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510333 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510334 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510335 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510336 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510337 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510338 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510339 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510340 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510341 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510342 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510343 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510344 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510345 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510346 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (174) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510347 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (174) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From unsignedlong at gmail.com  Thu Sep  3 19:23:33 2009
From: unsignedlong at gmail.com (Jim Trexler)
Date: Thu, 3 Sep 2009 19:23:33 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <20090903172159.GB21340@knobbe.us>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<20090903172159.GB21340@knobbe.us>
Message-ID: <c94f1fa20909031623p339497e1jc2ca6ace4bf61aca@mail.gmail.com>

  Frank is correct.  The size matters on the SITE command but the wildcards
(* and ?)matter on the NLST command (which hasn't 'emerged' yet).   If you
see both fire then you have a more solid event than just one.

         jim


On Thu, Sep 3, 2009 at 1:21 PM, Frank Knobbe <frank at knobbe.us> wrote:

> On Thu, Sep 03, 2009 at 06:05:30PM +0100, Kevin Ross wrote:
> > Hmm. Seems using SITE may not actually cover the vulnerability. Have a
> read.
> > The important bit is:
>
> Right, we know that and discussed it.
>
> Ideally we need a signature for overflow attempts for every command. But
> since they are already in the Snort distribution, I'm not sure how much
> of a duplication that would be.
>
> The thing with the NLIST sig is that the argument is not quite so long.
> The problem is not the length, but the malformed content. So creating a sig
> for a long argument of NLIST is not completel accurate. The sig should
> check for abnormal characters (those that are not valid for file names).
>
> But again, I think overflow sigs for SITE, NLIST, and every other FTP
> command would be good, even though it's duplicating existing Snort sigs.
>
> Cheers,
> Frank
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/53d454aa/attachment.html

From evilghost at packetmail.net  Thu Sep  3 22:02:34 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 3 Sep 2009 21:02:34 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4A9FF8C2.3050205@packetmail.net>
References: <1251755569.42741.11.camel@localhost>	<4A9C5FF2.9090009@packetmail.net>
	<1251984455.6560.1.camel@kinta>	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net>
Message-ID: <4AA0753A.7040407@packetmail.net>

I don't understand why this rule is continued to be rejected/ignored.  
Help me understand what's deficient with it please so that improvements 
can be made as well as to better my own understating.  There is 
continued talk of using the NLST command as the root vulnerability 
versus detecting overflow in SITE (shell-code push vector) so I offered 
this signature.  I'm not beating my chest just concerned with the lack 
of response.  If I'm doing something wrong let me know :)

My understanding of the isdataat command shown in rev:1 of this rule to 
be using the correct syntax.  In this particular rule the string after 
NLST should be 100 bytes for a total byte size of 105 , if we want it 
hard-set at 100 bytes we'll need to remove the 'relative' option.  Even 
http://seclists.org/fulldisclosure/2009/Sep/0015.html seems to indicate 
the proposed signature is acceptable (based on my understanding of the 
exploit vector)

Finally, I should add, I don't work for VRT/SourceFire.

Thanks,
evilghost

evilghost at packetmail.net wrote:
> Kevin I had submitted this signature earlier in the week but didn't 
> get any response.  Just added isdataat and depth to help performance/FP.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST "; depth:5; isdataat:100,relative; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:1;)
> -evilghost
>
> Kevin Ross wrote:
>> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
>>
>> Hmm. Seems using SITE may not actually cover the vulnerability. Have 
>> a read. The important bit is:
>>
>> "We saw some rules that detected the SITE command as the vulnerable 
>> condition for exploitation, this is not where the problem lies. Its 
>> in the *NLST* command when it parses long directory names. The SITE 
>> command in the released exploit (archived on milw0rm) is used to 
>> store shellcode into memory, so it can be egghunted later when the 
>> exploit is triggered. While looking for the SITE command will detect 
>> attempts to use *this particular exploit*, there are plenty of other 
>> ways to store your shellcode in memory before triggering this 
>> vulnerability, which would evade anything using the SITE method for 
>> detection."
>>
>> 2009/9/3 Matt Jonkman <jonkman at jonkmans.com 
>> <mailto:jonkman at jonkmans.com>>
>>
>>     So it would. Doing so, Thanks!
>>
>>     dxp wrote:
>>     > Adding 'depth:5;' to the SITE content match should help with
>>     performance
>>     > and FP.
>>     > -
>>     >
>>     > -=[ dxp ]=-
>>     > 0xA3F3C6E3
>>     >
>>     >
>>     >
>>     > On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net
>>     <mailto:evilghost at packetmail.net> wrote:
>>     >> Very fine Frank, thanks for submitting this.  What are your
>>     thoughts on
>>     >> a signature specific to the milw0rm PoC to detect with a
>>     greater level
>>     >> of certainly this PoC being used in the wild.  This would
>>     obviously be
>>     >> in conjunction with your signature, not a replacement for it,
>>     but could
>>     >> be used with perhaps a greater level of confidence to invoke a
>>     IDS/IPS
>>     >> action.
>>     >>
>>     >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit
>>     IIS FTP
>>     >> Exploit - Large SITE Command, milw0rm PoC";
>>     flow:established,to_server;
>>     >> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
>>     >> classtype:attempted-admin;
>>     reference:url,www.milw0rm.com/exploits/9541
>>     <http://www.milw0rm.com/exploits/9541>;
>>     >> sid:2009xxxx; rev:0;)
>>     >>
>>     >> -evilghost
>>     >>
>>     >> Frank Knobbe wrote:
>>     >>> Gents,
>>     >>>
>>     >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
>>     >>>
>>     >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT
>>     Possible
>>     >>> IIS FTP Exploit attempt - Large SITE command";
>>     >>> flow:established,to_server; content:"SITE "; nocase;
>>     content:!"|0d 0a|";
>>     >>> within:150; classtype:attempted-admin;
>>     >>> reference:url,www.milw0rm.com/exploits/9541
>>     <http://www.milw0rm.com/exploits/9541>;
>>     >>> reference:url,doc.emergingthreats.net/2009828
>>     <http://doc.emergingthreats.net/2009828>;
>>     >>>
>>     reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
>>     <http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP>;
>>     sid:2009828; rev:2;)
>>     >>>
>>     >>> Seems to test okay for me. But I'm not sure if there are
>>     legitimate SITE
>>     >>> commands larger than 150 bytes. Please report any False
>>     Positives.
>>     >>>
>>     >>> Thanks,
>>     >>> Frank
>>     >>>
>>     >>>
>>     >>>
>>     >>>
>>     >>>
>>     ------------------------------------------------------------------------
>>     >>>
>>     >>> _______________________________________________
>>     >>> Emerging-sigs mailing list
>>     >>> Emerging-sigs at emergingthreats.net
>>     <mailto:Emerging-sigs at emergingthreats.net>
>>     >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>     >>>
>>     >> _______________________________________________
>>     >> Emerging-sigs mailing list
>>     >> Emerging-sigs at emergingthreats.net
>>     <mailto:Emerging-sigs at emergingthreats.net>
>>     >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>     >>
>>     >>
>>     ------------------------------------------------------------------------
>>     >>
>>     >> _______________________________________________
>>     >> Emerging-sigs mailing list
>>     >> Emerging-sigs at emergingthreats.net
>>     <mailto:Emerging-sigs at emergingthreats.net>
>>     >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>     --
>>     --------------------------------------------
>>     Matthew Jonkman
>>     Emerging Threats
>>     Open Information Security Foundation (OISF)
>>     Phone 765-429-0398
>>     Fax 312-264-0205
>>     http://www.emergingthreats.net
>>     http://www.openinformationsecurityfoundation.org
>>     --------------------------------------------
>>
>>     PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>     _______________________________________________
>>     Emerging-sigs mailing list
>>     Emerging-sigs at emergingthreats.net
>>     <mailto:Emerging-sigs at emergingthreats.net>
>>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/2bd1713f/attachment.html

From frank at knobbe.us  Thu Sep  3 22:19:57 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 03 Sep 2009 21:19:57 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4AA0753A.7040407@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net>  <4AA0753A.7040407@packetmail.net>
Message-ID: <1252030797.77298.34.camel@server1>

On Thu, 2009-09-03 at 21:02 -0500, evilghost at packetmail.net wrote:
> I don't understand why this rule is continued to be rejected/ignored. 

I'm not ignoring it, I just haven't done any sigs yet. You'll note that
I didn't even add the references to the sigs Matt added recently. (I'm
off today and tomorrow, and was trying not to use the computer too much.
Yard work awaits tomorrow)

Here, I'll add it real quick. I'll add references when I'm back at work,
Saturday.

>  Help me understand what's deficient with it please so that
> improvements can be made as well as to better my own understating.
> There is continued talk of using the NLST command as the root
> vulnerability versus detecting overflow in SITE (shell-code push
> vector) so I offered this signature. 

Is 100 bytes sufficient though? Was that how long the file names are? I
thought the exploit has a much short exploit triggering data packet, but
admit I didn't count.

Also, I'm not sure about the depth 5. If you look at the reassembled
stream, the SITE or NLST command are farther down in the stream, even a
packet, if all data is pushed at once. But I'm sure you tested the
exploit against the sig, so I'm committing as is.

Cheers,
Frank



From evilghost at packetmail.net  Thu Sep  3 22:20:30 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 3 Sep 2009 21:20:30 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <c94f1fa20909031623p339497e1jc2ca6ace4bf61aca@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>	<4A9C5FF2.9090009@packetmail.net>
	<1251984455.6560.1.camel@kinta>	<4A9FD6AE.7020709@jonkmans.com>	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>	<20090903172159.GB21340@knobbe.us>
	<c94f1fa20909031623p339497e1jc2ca6ace4bf61aca@mail.gmail.com>
Message-ID: <4AA0796E.7060702@packetmail.net>

Jim et al, based on my understanding of 
http://www.milw0rm.com/exploits/9559 , 
http://seclists.org/fulldisclosure/2009/Sep/0015.html , and 
http://packetstormsecurity.org/0909-exploits/msiis5-dos.txt the root 
issue is the "*/../" globbing functionality handling present in NLST.  
So, what are thoughts on this signature?  I would imagine it would be 
sufficient to be a direct detection signature for this issue.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; depth:5; content:"|2a 2f 2e 2e 2f|"; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:0;)

-evilghost

Jim Trexler wrote:
>   Frank is correct.  The size matters on the SITE command but the 
> wildcards (* and ?)matter on the NLST command (which hasn't 'emerged' 
> yet).   If you see both fire then you have a more solid event than 
> just one.
>
>          jim
>
>
> On Thu, Sep 3, 2009 at 1:21 PM, Frank Knobbe <frank at knobbe.us 
> <mailto:frank at knobbe.us>> wrote:
>
>     On Thu, Sep 03, 2009 at 06:05:30PM +0100, Kevin Ross wrote:
>     > Hmm. Seems using SITE may not actually cover the vulnerability.
>     Have a read.
>     > The important bit is:
>
>     Right, we know that and discussed it.
>
>     Ideally we need a signature for overflow attempts for every
>     command. But
>     since they are already in the Snort distribution, I'm not sure how
>     much
>     of a duplication that would be.
>
>     The thing with the NLIST sig is that the argument is not quite so
>     long.
>     The problem is not the length, but the malformed content. So
>     creating a sig
>     for a long argument of NLIST is not completel accurate. The sig should
>     check for abnormal characters (those that are not valid for file
>     names).
>
>     But again, I think overflow sigs for SITE, NLIST, and every other FTP
>     command would be good, even though it's duplicating existing Snort
>     sigs.
>
>     Cheers,
>     Frank
>
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090903/16a498f4/attachment-0001.html

From frank at knobbe.us  Thu Sep  3 22:23:12 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 03 Sep 2009 21:23:12 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4AA0796E.7060702@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<20090903172159.GB21340@knobbe.us>
	<c94f1fa20909031623p339497e1jc2ca6ace4bf61aca@mail.gmail.com>
	<4AA0796E.7060702@packetmail.net>
Message-ID: <1252030992.77298.35.camel@server1>

On Thu, 2009-09-03 at 21:20 -0500, evilghost at packetmail.net wrote:
> Jim et al, based on my understanding of
> http://www.milw0rm.com/exploits/9559 ,
> http://seclists.org/fulldisclosure/2009/Sep/0015.html , and
> http://packetstormsecurity.org/0909-exploits/msiis5-dos.txt the root
> issue is the "*/../" globbing functionality handling present in NLST.
> So, what are thoughts on this signature?  I would imagine it would be
> sufficient to be a direct detection signature for this issue.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; depth:5; content:"|2a 2f 2e 2e 2f|"; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:0;)

Committed. Feel free to test and report results. I'm done for today.

-Frank



From evilghost at packetmail.net  Thu Sep  3 22:23:58 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 3 Sep 2009 21:23:58 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <1252030797.77298.34.camel@server1>
References: <1251755569.42741.11.camel@localhost>	
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>	
	<4A9FD6AE.7020709@jonkmans.com>	
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>	
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
	<1252030797.77298.34.camel@server1>
Message-ID: <4AA07A3E.9000500@packetmail.net>

No problem, I just heard so many people screaming for *something* and I 
kept trying to give *something*, albeit possibly not as useful as the 
one I just submitted a few seconds ago.  Not hearing back from anybody 
on it made me curious.  Take a look at the one I just submitted as I 
believe it'll cover the DoS as well as exploitation with shellcode.  Thanks.

-evilghost

Frank Knobbe wrote:
> On Thu, 2009-09-03 at 21:02 -0500, evilghost at packetmail.net wrote:
>   
>> I don't understand why this rule is continued to be rejected/ignored. 
>>     
>
> I'm not ignoring it, I just haven't done any sigs yet. You'll note that
> I didn't even add the references to the sigs Matt added recently. (I'm
> off today and tomorrow, and was trying not to use the computer too much.
> Yard work awaits tomorrow)
>
> Here, I'll add it real quick. I'll add references when I'm back at work,
> Saturday.
>
>   
>>  Help me understand what's deficient with it please so that
>> improvements can be made as well as to better my own understating.
>> There is continued talk of using the NLST command as the root
>> vulnerability versus detecting overflow in SITE (shell-code push
>> vector) so I offered this signature. 
>>     
>
> Is 100 bytes sufficient though? Was that how long the file names are? I
> thought the exploit has a much short exploit triggering data packet, but
> admit I didn't count.
>
> Also, I'm not sure about the depth 5. If you look at the reassembled
> stream, the SITE or NLST command are farther down in the stream, even a
> packet, if all data is pushed at once. But I'm sure you tested the
> exploit against the sig, so I'm committing as is.
>
> Cheers,
> Frank
>
>
>   

From eslerj at gmail.com  Fri Sep  4 08:36:15 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Sep 2009 08:36:15 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4AA0753A.7040407@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
Message-ID: <314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>

It wasn't so much a matter of the rule being rejected, it was a matter of,
"hey, this exploit/attack method is already covered in 5 year old
functionality built into the system".  Writing rules because they *need* to
be written is one thing, writing rules because we *can* is another.
In this case, IMHO, the rules didn't need to be written.  It's a good
exercise to learn how to do it properly (especially the isdataat lesson),
but duplication of work for you, and for your customers is superfluous.

J



On Thu, Sep 3, 2009 at 10:02 PM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

>  I don't understand why this rule is continued to be rejected/ignored.
> Help me understand what's deficient with it please so that improvements can
> be made as well as to better my own understating.  There is continued talk
> of using the NLST command as the root vulnerability versus detecting
> overflow in SITE (shell-code push vector) so I offered this signature.  I'm
> not beating my chest just concerned with the lack of response.  If I'm doing
> something wrong let me know :)
>
> My understanding of the isdataat command shown in rev:1 of this rule to be
> using the correct syntax.  In this particular rule the string after NLST
> should be 100 bytes for a total byte size of 105 , if we want it hard-set at
> 100 bytes we'll need to remove the 'relative' option.  Even
> http://seclists.org/fulldisclosure/2009/Sep/0015.html seems to indicate
> the proposed signature is acceptable (based on my understanding of the
> exploit vector)
>
> Finally, I should add, I don't work for VRT/SourceFire.
>
> Thanks,
> evilghost
>
> evilghost at packetmail.net wrote:
>
> Kevin I had submitted this signature earlier in the week but didn't get any
> response.  Just added isdataat and depth to help performance/FP.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST "; depth:5; isdataat:100,relative; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:1;)
>
> -evilghost
>
> Kevin Ross wrote:
>
>
> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
>
> Hmm. Seems using SITE may not actually cover the vulnerability. Have a
> read. The important bit is:
>
> "We saw some rules that detected the SITE command as the vulnerable
> condition for exploitation, this is not where the problem lies. Its in the
> *NLST* command when it parses long directory names. The SITE command in
> the released exploit (archived on milw0rm) is used to store shellcode into
> memory, so it can be egghunted later when the exploit is triggered. While
> looking for the SITE command will detect attempts to use *this particular
> exploit*, there are plenty of other ways to store your shellcode in memory
> before triggering this vulnerability, which would evade anything using the
> SITE method for detection."
>
> 2009/9/3 Matt Jonkman <jonkman at jonkmans.com>
>
>> So it would. Doing so, Thanks!
>>
>> dxp wrote:
>> > Adding 'depth:5;' to the SITE content match should help with performance
>> > and FP.
>> > -
>> >
>> > -=[ dxp ]=-
>> > 0xA3F3C6E3
>> >
>> >
>> >
>> > On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net wrote:
>> >> Very fine Frank, thanks for submitting this.  What are your thoughts on
>> >> a signature specific to the milw0rm PoC to detect with a greater level
>> >> of certainly this PoC being used in the wild.  This would obviously be
>> >> in conjunction with your signature, not a replacement for it, but could
>> >> be used with perhaps a greater level of confidence to invoke a IDS/IPS
>> >> action.
>> >>
>> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP
>> >> Exploit - Large SITE Command, milw0rm PoC"; flow:established,to_server;
>> >> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
>> >> classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541
>> ;
>> >> sid:2009xxxx; rev:0;)
>> >>
>> >> -evilghost
>> >>
>> >> Frank Knobbe wrote:
>> >>> Gents,
>> >>>
>> >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
>> >>>
>> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
>> >>> IIS FTP Exploit attempt - Large SITE command";
>> >>> flow:established,to_server; content:"SITE "; nocase; content:!"|0d
>> 0a|";
>> >>> within:150; classtype:attempted-admin;
>> >>> reference:url,www.milw0rm.com/exploits/9541;
>> >>> reference:url,doc.emergingthreats.net/2009828;
>> >>> reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>> sid:2009828; rev:2;)
>> >>>
>> >>> Seems to test okay for me. But I'm not sure if there are legitimate
>> SITE
>> >>> commands larger than 150 bytes. Please report any False Positives.
>> >>>
>> >>> Thanks,
>> >>> Frank
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> ------------------------------------------------------------------------
>> >>>
>> >>> _______________________________________________
>> >>> Emerging-sigs mailing list
>> >>> Emerging-sigs at emergingthreats.net
>> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>>
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at emergingthreats.net
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>
>> >>
>> ------------------------------------------------------------------------
>> >>
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at emergingthreats.net
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>  --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
> ------------------------------
>
> _______________________________________________
> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090904/78ef4560/attachment.html

From guise.mcallaster at gmail.com  Fri Sep  4 11:01:10 2009
From: guise.mcallaster at gmail.com (Guise McAllaster)
Date: Fri, 4 Sep 2009 15:01:10 +0000
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
	<314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
Message-ID: <ab3c24b60909040801t6beb6586s79b2a28fad6ea5ae@mail.gmail.com>

I agree with J here.  Joel, have you tweetz twittered about this yet?
Perhaps that would be a good way to let others know.

One situation where it may be worthwhile though is if you are running a
ruleset where you have removed all the sourcefire/vrt rules.  I know I have
many customers who request that they be removed (to many false positives,
extreme slowness, etc.) and just run the ET set plus the custom rules they
create for their particular needs depending on what assets are being
protected.

Guise

On Fri, Sep 4, 2009 at 12:36 PM, Joel Esler <eslerj at gmail.com> wrote:

> It wasn't so much a matter of the rule being rejected, it was a matter of,
> "hey, this exploit/attack method is already covered in 5 year old
> functionality built into the system".  Writing rules because they *need* to
> be written is one thing, writing rules because we *can* is another.
> In this case, IMHO, the rules didn't need to be written.  It's a good
> exercise to learn how to do it properly (especially the isdataat lesson),
> but duplication of work for you, and for your customers is superfluous.
>
> J
>
>
>
>
> On Thu, Sep 3, 2009 at 10:02 PM, evilghost at packetmail.net <
> evilghost at packetmail.net> wrote:
>
>>  I don't understand why this rule is continued to be rejected/ignored.
>> Help me understand what's deficient with it please so that improvements can
>> be made as well as to better my own understating.  There is continued talk
>> of using the NLST command as the root vulnerability versus detecting
>> overflow in SITE (shell-code push vector) so I offered this signature.  I'm
>> not beating my chest just concerned with the lack of response.  If I'm doing
>> something wrong let me know :)
>>
>> My understanding of the isdataat command shown in rev:1 of this rule to be
>> using the correct syntax.  In this particular rule the string after NLST
>> should be 100 bytes for a total byte size of 105 , if we want it hard-set at
>> 100 bytes we'll need to remove the 'relative' option.  Even
>> http://seclists.org/fulldisclosure/2009/Sep/0015.html seems to indicate
>> the proposed signature is acceptable (based on my understanding of the
>> exploit vector)
>>
>> Finally, I should add, I don't work for VRT/SourceFire.
>>
>> Thanks,
>> evilghost
>>
>> evilghost at packetmail.net wrote:
>>
>> Kevin I had submitted this signature earlier in the week but didn't get
>> any response.  Just added isdataat and depth to help performance/FP.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST "; depth:5; isdataat:100,relative; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:1;)
>>
>> -evilghost
>>
>> Kevin Ross wrote:
>>
>>
>> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
>>
>> Hmm. Seems using SITE may not actually cover the vulnerability. Have a
>> read. The important bit is:
>>
>> "We saw some rules that detected the SITE command as the vulnerable
>> condition for exploitation, this is not where the problem lies. Its in the
>> *NLST* command when it parses long directory names. The SITE command in
>> the released exploit (archived on milw0rm) is used to store shellcode into
>> memory, so it can be egghunted later when the exploit is triggered. While
>> looking for the SITE command will detect attempts to use *this particular
>> exploit*, there are plenty of other ways to store your shellcode in
>> memory before triggering this vulnerability, which would evade anything
>> using the SITE method for detection."
>>
>> 2009/9/3 Matt Jonkman <jonkman at jonkmans.com>
>>
>>> So it would. Doing so, Thanks!
>>>
>>> dxp wrote:
>>> > Adding 'depth:5;' to the SITE content match should help with
>>> performance
>>> > and FP.
>>> > -
>>> >
>>> > -=[ dxp ]=-
>>> > 0xA3F3C6E3
>>> >
>>> >
>>> >
>>> > On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net wrote:
>>> >> Very fine Frank, thanks for submitting this.  What are your thoughts
>>> on
>>> >> a signature specific to the milw0rm PoC to detect with a greater level
>>> >> of certainly this PoC being used in the wild.  This would obviously be
>>> >> in conjunction with your signature, not a replacement for it, but
>>> could
>>> >> be used with perhaps a greater level of confidence to invoke a IDS/IPS
>>> >> action.
>>> >>
>>> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP
>>> >> Exploit - Large SITE Command, milw0rm PoC";
>>> flow:established,to_server;
>>> >> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
>>> >> classtype:attempted-admin; reference:url,
>>> www.milw0rm.com/exploits/9541;
>>> >> sid:2009xxxx; rev:0;)
>>> >>
>>> >> -evilghost
>>> >>
>>> >> Frank Knobbe wrote:
>>> >>> Gents,
>>> >>>
>>> >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
>>> >>>
>>> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible
>>> >>> IIS FTP Exploit attempt - Large SITE command";
>>> >>> flow:established,to_server; content:"SITE "; nocase; content:!"|0d
>>> 0a|";
>>> >>> within:150; classtype:attempted-admin;
>>> >>> reference:url,www.milw0rm.com/exploits/9541;
>>> >>> reference:url,doc.emergingthreats.net/2009828;
>>> >>> reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>>> sid:2009828; rev:2;)
>>> >>>
>>> >>> Seems to test okay for me. But I'm not sure if there are legitimate
>>> SITE
>>> >>> commands larger than 150 bytes. Please report any False Positives.
>>> >>>
>>> >>> Thanks,
>>> >>> Frank
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> ------------------------------------------------------------------------
>>> >>>
>>> >>> _______________________________________________
>>> >>> Emerging-sigs mailing list
>>> >>> Emerging-sigs at emergingthreats.net
>>> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> >>>
>>> >> _______________________________________________
>>> >> Emerging-sigs mailing list
>>> >> Emerging-sigs at emergingthreats.net
>>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> >>
>>> >>
>>> ------------------------------------------------------------------------
>>> >>
>>> >> _______________________________________________
>>> >> Emerging-sigs mailing list
>>> >> Emerging-sigs at emergingthreats.net
>>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>  --
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF)
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> http://www.openinformationsecurityfoundation.org
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090904/e7de3d5e/attachment-0001.html

From evilghost at packetmail.net  Fri Sep  4 11:07:11 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Fri, 4 Sep 2009 10:07:11 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>	
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>	
	<4A9FD6AE.7020709@jonkmans.com>	
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>	
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
	<314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
Message-ID: <4AA12D1F.5050005@packetmail.net>

I have to disagree with this entirely.  Rather than catching this 
exploit in a rather generic overflow signature I find much value in 
identifying the vulnerability correctly.  Not only does this allow one 
to take appropriate action (such as a firewall block) with confidence 
but it also adds specific information to correlation engines or other 
processes.  Being able to identify with confidence that a particular 
system has been or is being targeted by this IIS FTP globbing exploit is 
significantly more valuable than a generic catch-all rule.

There are times where existing rules are sufficient and times where 
construction of a new rule adds value to the community efforts.  I'm not 
writing rules for grins and giggles and I've no illusions that I'll ever 
win a T-Shirt.  To assert that "protection for this already exists" 
based on a legacy VRT rule makes many assumptions and removes the 
ability to manage, at a granular level, specific threats.

Now with that being said, the previous SITE and NLST signatures I wrote 
are inferior to the underlying issue itself, */../, which I wrote a 
signature for and was committed with SID 2009860.

Without trying to sound inflammatory, it's to SourceFires advantage from 
a company/marketing aspect to discredit community efforts so they can 
push their VRT subscriptions.  I do see and am certain I'll see this in 
the future as a selling point for VRT, "Look we had *legacy* VRT 
coverage for this".  Again, there are times in the enterprise where 
identification of specific threats are significantly more valuable than 
a generic behavioral catch-all.  Who knows, perhaps this issue will 
replace the "We had coverage for Blaster the same day!" mantra.

-evilghost



Joel Esler wrote:
> It wasn't so much a matter of the rule being rejected, it was a matter 
> of, "hey, this exploit/attack method is already covered in 5 year old 
> functionality built into the system".  Writing rules because they 
> /need/ to be written is one thing, writing rules because we /can/ is 
> another.  
>
> In this case, IMHO, the rules didn't need to be written.  It's a good 
> exercise to learn how to do it properly (especially the isdataat 
> lesson), but duplication of work for you, and for your customers is 
> superfluous.
>
> J
>
>
>
> On Thu, Sep 3, 2009 at 10:02 PM, evilghost at packetmail.net 
> <mailto:evilghost at packetmail.net> <evilghost at packetmail.net 
> <mailto:evilghost at packetmail.net>> wrote:
>
>     I don't understand why this rule is continued to be
>     rejected/ignored.  Help me understand what's deficient with it
>     please so that improvements can be made as well as to better my
>     own understating.  There is continued talk of using the NLST
>     command as the root vulnerability versus detecting overflow in
>     SITE (shell-code push vector) so I offered this signature.  I'm
>     not beating my chest just concerned with the lack of response.  If
>     I'm doing something wrong let me know :)
>
>     My understanding of the isdataat command shown in rev:1 of this
>     rule to be using the correct syntax.  In this particular rule the
>     string after NLST should be 100 bytes for a total byte size of 105
>     , if we want it hard-set at 100 bytes we'll need to remove the
>     'relative' option.  Even
>     http://seclists.org/fulldisclosure/2009/Sep/0015.html seems to
>     indicate the proposed signature is acceptable (based on my
>     understanding of the exploit vector)
>
>     Finally, I should add, I don't work for VRT/SourceFire.
>
>     Thanks,
>
>     evilghost
>
>     evilghost at packetmail.net <mailto:evilghost at packetmail.net> wrote:
>>     Kevin I had submitted this signature earlier in the week but
>>     didn't get any response.  Just added isdataat and depth to help
>>     performance/FP.
>>
>>     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST "; depth:5; isdataat:100,relative; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541 <http://www.milw0rm.com/exploits/9541>; sid:2009xxxx; rev:1;)
>>     -evilghost
>>
>>     Kevin Ross wrote:
>>>     http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
>>>
>>>     Hmm. Seems using SITE may not actually cover the vulnerability.
>>>     Have a read. The important bit is:
>>>
>>>     "We saw some rules that detected the SITE command as the
>>>     vulnerable condition for exploitation, this is not where the
>>>     problem lies. Its in the *NLST* command when it parses long
>>>     directory names. The SITE command in the released exploit
>>>     (archived on milw0rm) is used to store shellcode into memory, so
>>>     it can be egghunted later when the exploit is triggered. While
>>>     looking for the SITE command will detect attempts to use *this
>>>     particular exploit*, there are plenty of other ways to store
>>>     your shellcode in memory before triggering this vulnerability,
>>>     which would evade anything using the SITE method for detection."
>>>
>>>     2009/9/3 Matt Jonkman <jonkman at jonkmans.com
>>>     <mailto:jonkman at jonkmans.com>>
>>>
>>>         So it would. Doing so, Thanks!
>>>
>>>         dxp wrote:
>>>         > Adding 'depth:5;' to the SITE content match should help
>>>         with performance
>>>         > and FP.
>>>         > -
>>>         >
>>>         > -=[ dxp ]=-
>>>         > 0xA3F3C6E3
>>>         >
>>>         >
>>>         >
>>>         > On Mon, 2009-08-31 at 18:42 -0500,
>>>         evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>         wrote:
>>>         >> Very fine Frank, thanks for submitting this.  What are
>>>         your thoughts on
>>>         >> a signature specific to the milw0rm PoC to detect with a
>>>         greater level
>>>         >> of certainly this PoC being used in the wild.  This would
>>>         obviously be
>>>         >> in conjunction with your signature, not a replacement for
>>>         it, but could
>>>         >> be used with perhaps a greater level of confidence to
>>>         invoke a IDS/IPS
>>>         >> action.
>>>         >>
>>>         >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
>>>         Exploit IIS FTP
>>>         >> Exploit - Large SITE Command, milw0rm PoC";
>>>         flow:established,to_server;
>>>         >> content:"SITE "; nocase;
>>>         content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
>>>         >> classtype:attempted-admin;
>>>         reference:url,www.milw0rm.com/exploits/9541
>>>         <http://www.milw0rm.com/exploits/9541>;
>>>         >> sid:2009xxxx; rev:0;)
>>>         >>
>>>         >> -evilghost
>>>         >>
>>>         >> Frank Knobbe wrote:
>>>         >>> Gents,
>>>         >>>
>>>         >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
>>>         >>>
>>>         >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
>>>         EXPLOIT Possible
>>>         >>> IIS FTP Exploit attempt - Large SITE command";
>>>         >>> flow:established,to_server; content:"SITE "; nocase;
>>>         content:!"|0d 0a|";
>>>         >>> within:150; classtype:attempted-admin;
>>>         >>> reference:url,www.milw0rm.com/exploits/9541
>>>         <http://www.milw0rm.com/exploits/9541>;
>>>         >>> reference:url,doc.emergingthreats.net/2009828
>>>         <http://doc.emergingthreats.net/2009828>;
>>>         >>>
>>>         reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
>>>         <http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP>;
>>>         sid:2009828; rev:2;)
>>>         >>>
>>>         >>> Seems to test okay for me. But I'm not sure if there are
>>>         legitimate SITE
>>>         >>> commands larger than 150 bytes. Please report any False
>>>         Positives.
>>>         >>>
>>>         >>> Thanks,
>>>         >>> Frank
>>>         >>>
>>>         >>>
>>>         >>>
>>>         >>>
>>>         >>>
>>>         ------------------------------------------------------------------------
>>>         >>>
>>>         >>> _______________________________________________
>>>         >>> Emerging-sigs mailing list
>>>         >>> Emerging-sigs at emergingthreats.net
>>>         <mailto:Emerging-sigs at emergingthreats.net>
>>>         >>>
>>>         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>         >>>
>>>         >> _______________________________________________
>>>         >> Emerging-sigs mailing list
>>>         >> Emerging-sigs at emergingthreats.net
>>>         <mailto:Emerging-sigs at emergingthreats.net>
>>>         >>
>>>         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>         >>
>>>         >>
>>>         ------------------------------------------------------------------------
>>>         >>
>>>         >> _______________________________________________
>>>         >> Emerging-sigs mailing list
>>>         >> Emerging-sigs at emergingthreats.net
>>>         <mailto:Emerging-sigs at emergingthreats.net>
>>>         >>
>>>         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>         --
>>>         --------------------------------------------
>>>         Matthew Jonkman
>>>         Emerging Threats
>>>         Open Information Security Foundation (OISF)
>>>         Phone 765-429-0398
>>>         Fax 312-264-0205
>>>         http://www.emergingthreats.net
>>>         http://www.openinformationsecurityfoundation.org
>>>         --------------------------------------------
>>>
>>>         PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>         _______________________________________________
>>>         Emerging-sigs mailing list
>>>         Emerging-sigs at emergingthreats.net
>>>         <mailto:Emerging-sigs at emergingthreats.net>
>>>         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>>     ------------------------------------------------------------------------
>>>
>>>     _______________________________________________
>>>     Emerging-sigs mailing list
>>>     Emerging-sigs at emergingthreats.net <mailto:Emerging-sigs at emergingthreats.net>
>>>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>       
>
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>

From jonkman at jonkmans.com  Fri Sep  4 11:08:11 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 04 Sep 2009 11:08:11 -0400
Subject: [Emerging-Sigs] Suspicious UA
Message-ID: <4AA12D5B.2020305@jonkmans.com>

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
Suspicious User-Agent (Mozilla/3.0 (compatible))";
flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0
(compatible)|0d 0a|"; classtype:trojan-activity;
reference:url,doc.emergingthreats.net/2009867;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents;
sid:2009867; rev:1;)

Just put this up to test. I suspect that Mozilla/3.0 (compatible) isn't
in normal use anymore, but please let me know about any false positives.

Found several malware samples using this in their initial config gets
and data pushes.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From eslerj at gmail.com  Fri Sep  4 12:36:39 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Sep 2009 12:36:39 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <ab3c24b60909040801t6beb6586s79b2a28fad6ea5ae@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
	<314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
	<ab3c24b60909040801t6beb6586s79b2a28fad6ea5ae@mail.gmail.com>
Message-ID: <314cf0830909040936n6e2fb900t98d1c71b1bc48b19@mail.gmail.com>

Just as with Emerging, it doesn't help the rules if you just "turn" them
off.  Reporting false positives and slowness only makes things better.
J

On Fri, Sep 4, 2009 at 11:01 AM, Guise McAllaster <
guise.mcallaster at gmail.com> wrote:

> I agree with J here.  Joel, have you tweetz twittered about this yet?
> Perhaps that would be a good way to let others know.
>
> One situation where it may be worthwhile though is if you are running a
> ruleset where you have removed all the sourcefire/vrt rules.  I know I have
> many customers who request that they be removed (to many false positives,
> extreme slowness, etc.) and just run the ET set plus the custom rules they
> create for their particular needs depending on what assets are being
> protected.
>
> Guise
>
>
> On Fri, Sep 4, 2009 at 12:36 PM, Joel Esler <eslerj at gmail.com> wrote:
>
>> It wasn't so much a matter of the rule being rejected, it was a matter of,
>> "hey, this exploit/attack method is already covered in 5 year old
>> functionality built into the system".  Writing rules because they *need* to
>> be written is one thing, writing rules because we *can* is another.
>> In this case, IMHO, the rules didn't need to be written.  It's a good
>> exercise to learn how to do it properly (especially the isdataat lesson),
>> but duplication of work for you, and for your customers is superfluous.
>>
>> J
>>
>>
>>
>>
>> On Thu, Sep 3, 2009 at 10:02 PM, evilghost at packetmail.net <
>> evilghost at packetmail.net> wrote:
>>
>>>  I don't understand why this rule is continued to be rejected/ignored.
>>> Help me understand what's deficient with it please so that improvements can
>>> be made as well as to better my own understating.  There is continued talk
>>> of using the NLST command as the root vulnerability versus detecting
>>> overflow in SITE (shell-code push vector) so I offered this signature.  I'm
>>> not beating my chest just concerned with the lack of response.  If I'm doing
>>> something wrong let me know :)
>>>
>>> My understanding of the isdataat command shown in rev:1 of this rule to
>>> be using the correct syntax.  In this particular rule the string after NLST
>>> should be 100 bytes for a total byte size of 105 , if we want it hard-set at
>>> 100 bytes we'll need to remove the 'relative' option.  Even
>>> http://seclists.org/fulldisclosure/2009/Sep/0015.html seems to indicate
>>> the proposed signature is acceptable (based on my understanding of the
>>> exploit vector)
>>>
>>> Finally, I should add, I don't work for VRT/SourceFire.
>>>
>>> Thanks,
>>> evilghost
>>>
>>> evilghost at packetmail.net wrote:
>>>
>>> Kevin I had submitted this signature earlier in the week but didn't get
>>> any response.  Just added isdataat and depth to help performance/FP.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST"; flow:established,to_server; content:"NLST "; depth:5; isdataat:100,relative; nocase; content:"|2a|"; content:!"|0d 0a|"; within:100; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:1;)
>>>
>>> -evilghost
>>>
>>> Kevin Ross wrote:
>>>
>>>
>>> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
>>>
>>> Hmm. Seems using SITE may not actually cover the vulnerability. Have a
>>> read. The important bit is:
>>>
>>> "We saw some rules that detected the SITE command as the vulnerable
>>> condition for exploitation, this is not where the problem lies. Its in the
>>> *NLST* command when it parses long directory names. The SITE command in
>>> the released exploit (archived on milw0rm) is used to store shellcode into
>>> memory, so it can be egghunted later when the exploit is triggered. While
>>> looking for the SITE command will detect attempts to use *this
>>> particular exploit*, there are plenty of other ways to store your
>>> shellcode in memory before triggering this vulnerability, which would evade
>>> anything using the SITE method for detection."
>>>
>>> 2009/9/3 Matt Jonkman <jonkman at jonkmans.com>
>>>
>>>> So it would. Doing so, Thanks!
>>>>
>>>> dxp wrote:
>>>> > Adding 'depth:5;' to the SITE content match should help with
>>>> performance
>>>> > and FP.
>>>> > -
>>>> >
>>>> > -=[ dxp ]=-
>>>> > 0xA3F3C6E3
>>>> >
>>>> >
>>>> >
>>>> > On Mon, 2009-08-31 at 18:42 -0500, evilghost at packetmail.net wrote:
>>>> >> Very fine Frank, thanks for submitting this.  What are your thoughts
>>>> on
>>>> >> a signature specific to the milw0rm PoC to detect with a greater
>>>> level
>>>> >> of certainly this PoC being used in the wild.  This would obviously
>>>> be
>>>> >> in conjunction with your signature, not a replacement for it, but
>>>> could
>>>> >> be used with perhaps a greater level of confidence to invoke a
>>>> IDS/IPS
>>>> >> action.
>>>> >>
>>>> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP
>>>> >> Exploit - Large SITE Command, milw0rm PoC";
>>>> flow:established,to_server;
>>>> >> content:"SITE "; nocase; content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
>>>> >> classtype:attempted-admin; reference:url,
>>>> www.milw0rm.com/exploits/9541;
>>>> >> sid:2009xxxx; rev:0;)
>>>> >>
>>>> >> -evilghost
>>>> >>
>>>> >> Frank Knobbe wrote:
>>>> >>> Gents,
>>>> >>>
>>>> >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
>>>> >>>
>>>> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT
>>>> Possible
>>>> >>> IIS FTP Exploit attempt - Large SITE command";
>>>> >>> flow:established,to_server; content:"SITE "; nocase; content:!"|0d
>>>> 0a|";
>>>> >>> within:150; classtype:attempted-admin;
>>>> >>> reference:url,www.milw0rm.com/exploits/9541;
>>>> >>> reference:url,doc.emergingthreats.net/2009828;
>>>> >>> reference:url,
>>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP;
>>>> sid:2009828; rev:2;)
>>>> >>>
>>>> >>> Seems to test okay for me. But I'm not sure if there are legitimate
>>>> SITE
>>>> >>> commands larger than 150 bytes. Please report any False Positives.
>>>> >>>
>>>> >>> Thanks,
>>>> >>> Frank
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>
>>>> ------------------------------------------------------------------------
>>>> >>>
>>>> >>> _______________________________________________
>>>> >>> Emerging-sigs mailing list
>>>> >>> Emerging-sigs at emergingthreats.net
>>>> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> >>>
>>>> >> _______________________________________________
>>>> >> Emerging-sigs mailing list
>>>> >> Emerging-sigs at emergingthreats.net
>>>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> >>
>>>> >>
>>>> ------------------------------------------------------------------------
>>>> >>
>>>> >> _______________________________________________
>>>> >> Emerging-sigs mailing list
>>>> >> Emerging-sigs at emergingthreats.net
>>>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>>  --
>>>> --------------------------------------------
>>>> Matthew Jonkman
>>>> Emerging Threats
>>>> Open Information Security Foundation (OISF)
>>>> Phone 765-429-0398
>>>> Fax 312-264-0205
>>>> http://www.emergingthreats.net
>>>> http://www.openinformationsecurityfoundation.org
>>>> --------------------------------------------
>>>>
>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090904/9dce81b4/attachment.html

From eslerj at gmail.com  Fri Sep  4 12:58:45 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Sep 2009 12:58:45 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4AA12D1F.5050005@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
	<314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
	<4AA12D1F.5050005@packetmail.net>
Message-ID: <314cf0830909040958l5517423fw2016cac588fdbe4e@mail.gmail.com>

On Fri, Sep 4, 2009 at 11:07 AM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

> I have to disagree with this entirely.  Rather than catching this
> exploit in a rather generic overflow signature I find much value in
> identifying the vulnerability correctly.  Not only does this allow one
> to take appropriate action (such as a firewall block) with confidence
> but it also adds specific information to correlation engines or other
> processes.  Being able to identify with confidence that a particular
> system has been or is being targeted by this IIS FTP globbing exploit is
> significantly more valuable than a generic catch-all rule.
>

The rule that is most relevant (beside the fact that the preprocessor does
this by default), says something like "FTP NLST Buffer Overflow".  That's
what it is!  You shouldn't have false positives on this rule unless it's a
really long NLST buffer string.  It can't get more simpler than that.  It's
pretty specific.  Not arguing the point, just trying to let you know how I
see it from my chair.


> There are times where existing rules are sufficient and times where
> construction of a new rule adds value to the community efforts.  I'm not
> writing rules for grins and giggles and I've no illusions that I'll ever
> win a T-Shirt.  To assert that "protection for this already exists"
> based on a legacy VRT rule makes many assumptions and removes the
> ability to manage, at a granular level, specific threats.
>

It's not so much the rules, its the preprocessor IMO.  The preprocessor was
coded such that a multitude of rules don't have to exist for generic (and
this is generic) ftp command buffer overflow.  In fact, I'm pretty disgusted
that MSFT didn't fuzz this out when the same thing happened to different
commands.  However, I bet that not only they are, but plenty more are now.
 I'd be surprised if this was the last one.

The only rules that are legacy (and I do not speak for the VRT, I don't
presume to, they'd beat me to a pulp if I tried ;) ) are the rules in the
deleted.rules file.  All the other ones are current.  Yes, they may be old,
but obviously in case of this example, they have a function.

Now with that being said, the previous SITE and NLST signatures I wrote
> are inferior to the underlying issue itself, */../, which I wrote a
> signature for and was committed with SID 2009860.
>
> Without trying to sound inflammatory, it's to SourceFires advantage from
> a company/marketing aspect to discredit community efforts so they can
> push their VRT subscriptions.  I do see and am certain I'll see this in
> the future as a selling point for VRT, "Look we had *legacy* VRT
> coverage for this".  Again, there are times in the enterprise where
> identification of specific threats are significantly more valuable than
> a generic behavioral catch-all.  Who knows, perhaps this issue will
> replace the "We had coverage for Blaster the same day!" mantra.
>

I hear what you are saying, and I respect your opinion, you make a good
point.  But, I could understand your point if the rules were subscription.
 But these rules are so old heck they are probably included in the Debian
build of Snort, (I think Debian still includes the really really old rules)
and the preprocessor does it by default, I just am trying to understand the
duplication of work.  Yes, there are times when we have rules in place
(zotob, etc) where, when a rule is written to the vulnerability, then an
exploit or worm comes out later exploiting that vulnerability, yes, it's
advantageous for SF to say "hey, here's these rules, they've been out for
"X", change these rules to drop".  We've even done press releases about it
in the past.

However, I take offense to the point where you say that Sourcefire is trying
to discredit community efforts.  Just the opposite.  Of course it's also
advantageous for us to push the fact that there is a community (and we do),
being that Snort is the largest deployed IDS in the world.  I'm not
discrediting Emerging/Bleeding one little bit.   Sourcefire wouldn't exist
unless it was the community that got it started.  The reason VRT licensing
was developed is a big long story, that basically has to do with IP theft.
 Sourcefire loves its community and you guys may not always see the things
going on in the background (because we are a public company) to help the
future of the Snort community, but trust me, it's there.

If you have a problem with something we are doing, there are avenues to
address it.  Anyone is welcome to email me, or Mike Guiterman (Snort
Community Manager).  If there is a problem.

{BTW -- My email address is jesler [Shift-2] sourcefire {dot} com.  I am
writing to this list from my gmail account, because almost all of my
listserv traffic goes to this account.  I'm not trying to hide behind this
address or anything, don't have any conspiracy theories.  (I know how some
people are touchy about that kind of thing, just trying to respect that.)}

What I am trying to say is, "you guys don't have to do this amount of work".
 If you don't like a "legacy" rules name (what you are saying is generic)
 FTP NLST Buffer Overflow.  Yes, it's generic, but that's what the exploit
is, then take the rule, rename it, move it to local.rules.  Done.  I'm just
trying to help you preserve time & money.  (time = money).

I'm not arguing or trying to start a flame war, just displaying my point of
view.

J




>
> -evilghost
>
>
>
> Joel Esler wrote:
> > It wasn't so much a matter of the rule being rejected, it was a matter
> > of, "hey, this exploit/attack method is already covered in 5 year old
> > functionality built into the system".  Writing rules because they
> > /need/ to be written is one thing, writing rules because we /can/ is
> > another.
> >
> > In this case, IMHO, the rules didn't need to be written.  It's a good
> > exercise to learn how to do it properly (especially the isdataat
> > lesson), but duplication of work for you, and for your customers is
> > superfluous.
> >
> > J
> >
> >
> >
> > On Thu, Sep 3, 2009 at 10:02 PM, evilghost at packetmail.net
> > <mailto:evilghost at packetmail.net> <evilghost at packetmail.net
> > <mailto:evilghost at packetmail.net>> wrote:
> >
> >     I don't understand why this rule is continued to be
> >     rejected/ignored.  Help me understand what's deficient with it
> >     please so that improvements can be made as well as to better my
> >     own understating.  There is continued talk of using the NLST
> >     command as the root vulnerability versus detecting overflow in
> >     SITE (shell-code push vector) so I offered this signature.  I'm
> >     not beating my chest just concerned with the lack of response.  If
> >     I'm doing something wrong let me know :)
> >
> >     My understanding of the isdataat command shown in rev:1 of this
> >     rule to be using the correct syntax.  In this particular rule the
> >     string after NLST should be 100 bytes for a total byte size of 105
> >     , if we want it hard-set at 100 bytes we'll need to remove the
> >     'relative' option.  Even
> >     http://seclists.org/fulldisclosure/2009/Sep/0015.html seems to
> >     indicate the proposed signature is acceptable (based on my
> >     understanding of the exploit vector)
> >
> >     Finally, I should add, I don't work for VRT/SourceFire.
> >
> >     Thanks,
> >
> >     evilghost
> >
> >     evilghost at packetmail.net <mailto:evilghost at packetmail.net> wrote:
> >>     Kevin I had submitted this signature earlier in the week but
> >>     didn't get any response.  Just added isdataat and depth to help
> >>     performance/FP.
> >>
> >>     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP
> Exploit - NLST"; flow:established,to_server; content:"NLST "; depth:5;
> isdataat:100,relative; nocase; content:"|2a|"; content:!"|0d 0a|";
> within:100; classtype:attempted-admin; reference:url,
> www.milw0rm.com/exploits/9541 <http://www.milw0rm.com/exploits/9541>;
> sid:2009xxxx; rev:1;)
> >>     -evilghost
> >>
> >>     Kevin Ross wrote:
> >>>
> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
> >>>
> >>>     Hmm. Seems using SITE may not actually cover the vulnerability.
> >>>     Have a read. The important bit is:
> >>>
> >>>     "We saw some rules that detected the SITE command as the
> >>>     vulnerable condition for exploitation, this is not where the
> >>>     problem lies. Its in the *NLST* command when it parses long
> >>>     directory names. The SITE command in the released exploit
> >>>     (archived on milw0rm) is used to store shellcode into memory, so
> >>>     it can be egghunted later when the exploit is triggered. While
> >>>     looking for the SITE command will detect attempts to use *this
> >>>     particular exploit*, there are plenty of other ways to store
> >>>     your shellcode in memory before triggering this vulnerability,
> >>>     which would evade anything using the SITE method for detection."
> >>>
> >>>     2009/9/3 Matt Jonkman <jonkman at jonkmans.com
> >>>     <mailto:jonkman at jonkmans.com>>
> >>>
> >>>         So it would. Doing so, Thanks!
> >>>
> >>>         dxp wrote:
> >>>         > Adding 'depth:5;' to the SITE content match should help
> >>>         with performance
> >>>         > and FP.
> >>>         > -
> >>>         >
> >>>         > -=[ dxp ]=-
> >>>         > 0xA3F3C6E3
> >>>         >
> >>>         >
> >>>         >
> >>>         > On Mon, 2009-08-31 at 18:42 -0500,
> >>>         evilghost at packetmail.net <mailto:evilghost at packetmail.net>
> >>>         wrote:
> >>>         >> Very fine Frank, thanks for submitting this.  What are
> >>>         your thoughts on
> >>>         >> a signature specific to the milw0rm PoC to detect with a
> >>>         greater level
> >>>         >> of certainly this PoC being used in the wild.  This would
> >>>         obviously be
> >>>         >> in conjunction with your signature, not a replacement for
> >>>         it, but could
> >>>         >> be used with perhaps a greater level of confidence to
> >>>         invoke a IDS/IPS
> >>>         >> action.
> >>>         >>
> >>>         >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
> >>>         Exploit IIS FTP
> >>>         >> Exploit - Large SITE Command, milw0rm PoC";
> >>>         flow:established,to_server;
> >>>         >> content:"SITE "; nocase;
> >>>         content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
> >>>         >> classtype:attempted-admin;
> >>>         reference:url,www.milw0rm.com/exploits/9541
> >>>         <http://www.milw0rm.com/exploits/9541>;
> >>>         >> sid:2009xxxx; rev:0;)
> >>>         >>
> >>>         >> -evilghost
> >>>         >>
> >>>         >> Frank Knobbe wrote:
> >>>         >>> Gents,
> >>>         >>>
> >>>         >>> I committed this sig to catch the milw0rm IIS-FTP exploit:
> >>>         >>>
> >>>         >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
> >>>         EXPLOIT Possible
> >>>         >>> IIS FTP Exploit attempt - Large SITE command";
> >>>         >>> flow:established,to_server; content:"SITE "; nocase;
> >>>         content:!"|0d 0a|";
> >>>         >>> within:150; classtype:attempted-admin;
> >>>         >>> reference:url,www.milw0rm.com/exploits/9541
> >>>         <http://www.milw0rm.com/exploits/9541>;
> >>>         >>> reference:url,doc.emergingthreats.net/2009828
> >>>         <http://doc.emergingthreats.net/2009828>;
> >>>         >>>
> >>>         reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
> >>>         <
> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
> >;
> >>>         sid:2009828; rev:2;)
> >>>         >>>
> >>>         >>> Seems to test okay for me. But I'm not sure if there are
> >>>         legitimate SITE
> >>>         >>> commands larger than 150 bytes. Please report any False
> >>>         Positives.
> >>>         >>>
> >>>         >>> Thanks,
> >>>         >>> Frank
> >>>         >>>
> >>>         >>>
> >>>         >>>
> >>>         >>>
> >>>         >>>
> >>>
> ------------------------------------------------------------------------
> >>>         >>>
> >>>         >>> _______________________________________________
> >>>         >>> Emerging-sigs mailing list
> >>>         >>> Emerging-sigs at emergingthreats.net
> >>>         <mailto:Emerging-sigs at emergingthreats.net>
> >>>         >>>
> >>>
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>         >>>
> >>>         >> _______________________________________________
> >>>         >> Emerging-sigs mailing list
> >>>         >> Emerging-sigs at emergingthreats.net
> >>>         <mailto:Emerging-sigs at emergingthreats.net>
> >>>         >>
> >>>
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>         >>
> >>>         >>
> >>>
> ------------------------------------------------------------------------
> >>>         >>
> >>>         >> _______________________________________________
> >>>         >> Emerging-sigs mailing list
> >>>         >> Emerging-sigs at emergingthreats.net
> >>>         <mailto:Emerging-sigs at emergingthreats.net>
> >>>         >>
> >>>
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >>>         --
> >>>         --------------------------------------------
> >>>         Matthew Jonkman
> >>>         Emerging Threats
> >>>         Open Information Security Foundation (OISF)
> >>>         Phone 765-429-0398
> >>>         Fax 312-264-0205
> >>>         http://www.emergingthreats.net
> >>>         http://www.openinformationsecurityfoundation.org
> >>>         --------------------------------------------
> >>>
> >>>         PGP: http://www.jonkmans.com/mattjonkman.asc
> >>>
> >>>
> >>>         _______________________________________________
> >>>         Emerging-sigs mailing list
> >>>         Emerging-sigs at emergingthreats.net
> >>>         <mailto:Emerging-sigs at emergingthreats.net>
> >>>
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------
> >>>
> >>>     _______________________________________________
> >>>     Emerging-sigs mailing list
> >>>     Emerging-sigs at emergingthreats.net <mailto:
> Emerging-sigs at emergingthreats.net>
> >>>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >
> >     _______________________________________________
> >     Emerging-sigs mailing list
> >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090904/8c0a89c4/attachment-0001.html

From evilghost at packetmail.net  Fri Sep  4 14:01:33 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Fri, 4 Sep 2009 13:01:33 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <314cf0830909040958l5517423fw2016cac588fdbe4e@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>	
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>	
	<4A9FD6AE.7020709@jonkmans.com>	
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>	
	<4A9FF8C2.3050205@packetmail.net>
	<4AA0753A.7040407@packetmail.net>	
	<314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>	
	<4AA12D1F.5050005@packetmail.net>
	<314cf0830909040958l5517423fw2016cac588fdbe4e@mail.gmail.com>
Message-ID: <4AA155FD.1030406@packetmail.net>

Joel, thank you for this response.  I believe that SID 2009860 is 
necessary as it covers the DoS situation in IIS5, IIS6, and IIS7 as well 
as the trigger for code execution.  Prior to this I agree that some of 
the signatures may have been redundant to those already in existence or 
handled by the ftp preprocessor, however, the argument of positive 
granular identification still applies.

Again, without trying to be combative or inflammatory, I think there are 
going to be intrinsic differences between my job, which is to adequately 
secure the enterprise using all tools available to the best level of 
protection and SourceFire, who's job is to support, market, and develop 
a product and a respective ruleset.  Now, please don't infer insult from 
this statement but understand that based on these differences there will 
be some decisions made which will be in disagreement (such as, rule 
redundancy or degraded performance in favor of granular identification) 
due to operational goals.

Now, when I speak of discrediting the community I am speaking 
specifically of the VRT blog article covering the IIS FTP issue and 
discrediting, rather distastefully, the efforts of the ET community 
(implied) to address this.  Rather that identifying room for improvement 
in the signatures and playing nicely with the ET community these gems of 
wisdom were played out on the VRT blog in such as manner as to suggest 
VRT superiority and ET inferiority.  Re-read 
http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html 
and take a while to digest what's being said.  Had this information been 
said on the ET list things would certainly be construed differently (as 
being helpful) than them being touted on the VRT blog which IMHO paints 
SourceFire as being combative and superior with/to community efforts -- 
"look at these guys, they're reinventing the wheel and don't even know 
what they're doing"

Anytime I've said "you" in previous emails, I meant "you" collectively, 
as SourceFire, not Joel specifically, and you've been helpful in the 
past concerning this issue and I agree with your point of "you don't 
have to do this, it's already covered" (albeit again, differences in 
granular identification).  What I take issue to is what is posted on the 
VRT blog.

I hope I've been able to communicate these effectively without implying 
insult.  If I have, I apologize, as that was not the intent.

-evilghost

Joel Esler wrote:
> On Fri, Sep 4, 2009 at 11:07 AM, evilghost at packetmail.net 
> <mailto:evilghost at packetmail.net> <evilghost at packetmail.net 
> <mailto:evilghost at packetmail.net>> wrote:
>
>     I have to disagree with this entirely.  Rather than catching this
>     exploit in a rather generic overflow signature I find much value in
>     identifying the vulnerability correctly.  Not only does this allow one
>     to take appropriate action (such as a firewall block) with confidence
>     but it also adds specific information to correlation engines or other
>     processes.  Being able to identify with confidence that a particular
>     system has been or is being targeted by this IIS FTP globbing
>     exploit is
>     significantly more valuable than a generic catch-all rule.
>
>
> The rule that is most relevant (beside the fact that the preprocessor 
> does this by default), says something like "FTP NLST Buffer Overflow". 
>  That's what it is!  You shouldn't have false positives on this rule 
> unless it's a really long NLST buffer string.  It can't get more 
> simpler than that.  It's pretty specific.  Not arguing the point, just 
> trying to let you know how I see it from my chair.
>  
>
>     There are times where existing rules are sufficient and times where
>     construction of a new rule adds value to the community efforts.
>      I'm not
>     writing rules for grins and giggles and I've no illusions that
>     I'll ever
>     win a T-Shirt.  To assert that "protection for this already exists"
>     based on a legacy VRT rule makes many assumptions and removes the
>     ability to manage, at a granular level, specific threats.
>
>
> It's not so much the rules, its the preprocessor IMO.  The 
> preprocessor was coded such that a multitude of rules don't have to 
> exist for generic (and this is generic) ftp command buffer overflow. 
>  In fact, I'm pretty disgusted that MSFT didn't fuzz this out when the 
> same thing happened to different commands.  However, I bet that not 
> only they are, but plenty more are now.  I'd be surprised if this was 
> the last one.
>
> The only rules that are legacy (and I do not speak for the VRT, I 
> don't presume to, they'd beat me to a pulp if I tried ;) ) are the 
> rules in the deleted.rules file.  All the other ones are current. 
>  Yes, they may be old, but obviously in case of this example, they 
> have a function.
>
>     Now with that being said, the previous SITE and NLST signatures I
>     wrote
>     are inferior to the underlying issue itself, */../, which I wrote a
>     signature for and was committed with SID 2009860.
>
>     Without trying to sound inflammatory, it's to SourceFires
>     advantage from
>     a company/marketing aspect to discredit community efforts so they can
>     push their VRT subscriptions.  I do see and am certain I'll see
>     this in
>     the future as a selling point for VRT, "Look we had *legacy* VRT
>     coverage for this".  Again, there are times in the enterprise where
>     identification of specific threats are significantly more valuable
>     than
>     a generic behavioral catch-all.  Who knows, perhaps this issue will
>     replace the "We had coverage for Blaster the same day!" mantra.
>
>
> I hear what you are saying, and I respect your opinion, you make a 
> good point.  But, I could understand your point if the rules were 
> subscription.  But these rules are so old heck they are probably 
> included in the Debian build of Snort, (I think Debian still includes 
> the really really old rules) and the preprocessor does it by default, 
> I just am trying to understand the duplication of work.  Yes, there 
> are times when we have rules in place (zotob, etc) where, when a rule 
> is written to the vulnerability, then an exploit or worm comes out 
> later exploiting that vulnerability, yes, it's advantageous for SF to 
> say "hey, here's these rules, they've been out for "X", change these 
> rules to drop".  We've even done press releases about it in the past.
>
> However, I take offense to the point where you say that Sourcefire is 
> trying to discredit community efforts.  Just the opposite.  Of course 
> it's also advantageous for us to push the fact that there is a 
> community (and we do), being that Snort is the largest deployed IDS in 
> the world.  I'm not discrediting Emerging/Bleeding one little bit.   
> Sourcefire wouldn't exist unless it was the community that got it 
> started.  The reason VRT licensing was developed is a big long story, 
> that basically has to do with IP theft.  Sourcefire loves its 
> community and you guys may not always see the things going on in the 
> background (because we are a public company) to help the future of the 
> Snort community, but trust me, it's there.
>
> If you have a problem with something we are doing, there are avenues 
> to address it.  Anyone is welcome to email me, or Mike Guiterman 
> (Snort Community Manager).  If there is a problem.  
>
> {BTW -- My email address is jesler [Shift-2] sourcefire {dot} com.  I 
> am writing to this list from my gmail account, because almost all of 
> my listserv traffic goes to this account.  I'm not trying to hide 
> behind this address or anything, don't have any conspiracy theories. 
>  (I know how some people are touchy about that kind of thing, just 
> trying to respect that.)}
>
> What I am trying to say is, "you guys don't have to do this amount of 
> work".  If you don't like a "legacy" rules name (what you are saying 
> is generic)  FTP NLST Buffer Overflow.  Yes, it's generic, but that's 
> what the exploit is, then take the rule, rename it, move it to 
> local.rules.  Done.  I'm just trying to help you preserve time & 
> money.  (time = money).  
>
> I'm not arguing or trying to start a flame war, just displaying my 
> point of view.
>
> J
>
>
>  
>
>
>     -evilghost
>
>
>
>     Joel Esler wrote:
>     > It wasn't so much a matter of the rule being rejected, it was a
>     matter
>     > of, "hey, this exploit/attack method is already covered in 5
>     year old
>     > functionality built into the system".  Writing rules because they
>     > /need/ to be written is one thing, writing rules because we /can/ is
>     > another.
>     >
>     > In this case, IMHO, the rules didn't need to be written.  It's a
>     good
>     > exercise to learn how to do it properly (especially the isdataat
>     > lesson), but duplication of work for you, and for your customers is
>     > superfluous.
>     >
>     > J
>     >
>     >
>     >
>     > On Thu, Sep 3, 2009 at 10:02 PM, evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net>
>     > <mailto:evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net>> <evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net>
>     > <mailto:evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net>>> wrote:
>     >
>     >     I don't understand why this rule is continued to be
>     >     rejected/ignored.  Help me understand what's deficient with it
>     >     please so that improvements can be made as well as to better my
>     >     own understating.  There is continued talk of using the NLST
>     >     command as the root vulnerability versus detecting overflow in
>     >     SITE (shell-code push vector) so I offered this signature.  I'm
>     >     not beating my chest just concerned with the lack of
>     response.  If
>     >     I'm doing something wrong let me know :)
>     >
>     >     My understanding of the isdataat command shown in rev:1 of this
>     >     rule to be using the correct syntax.  In this particular
>     rule the
>     >     string after NLST should be 100 bytes for a total byte size
>     of 105
>     >     , if we want it hard-set at 100 bytes we'll need to remove the
>     >     'relative' option.  Even
>     >     http://seclists.org/fulldisclosure/2009/Sep/0015.html seems to
>     >     indicate the proposed signature is acceptable (based on my
>     >     understanding of the exploit vector)
>     >
>     >     Finally, I should add, I don't work for VRT/SourceFire.
>     >
>     >     Thanks,
>     >
>     >     evilghost
>     >
>     >     evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>     <mailto:evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net>> wrote:
>     >>     Kevin I had submitted this signature earlier in the week but
>     >>     didn't get any response.  Just added isdataat and depth to help
>     >>     performance/FP.
>     >>
>     >>     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
>     Exploit IIS FTP Exploit - NLST"; flow:established,to_server;
>     content:"NLST "; depth:5; isdataat:100,relative; nocase;
>     content:"|2a|"; content:!"|0d 0a|"; within:100;
>     classtype:attempted-admin;
>     reference:url,www.milw0rm.com/exploits/9541
>     <http://www.milw0rm.com/exploits/9541>
>     <http://www.milw0rm.com/exploits/9541>; sid:2009xxxx; rev:1;)
>     >>     -evilghost
>     >>
>     >>     Kevin Ross wrote:
>     >>>    
>     http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
>     >>>
>     >>>     Hmm. Seems using SITE may not actually cover the
>     vulnerability.
>     >>>     Have a read. The important bit is:
>     >>>
>     >>>     "We saw some rules that detected the SITE command as the
>     >>>     vulnerable condition for exploitation, this is not where the
>     >>>     problem lies. Its in the *NLST* command when it parses long
>     >>>     directory names. The SITE command in the released exploit
>     >>>     (archived on milw0rm) is used to store shellcode into
>     memory, so
>     >>>     it can be egghunted later when the exploit is triggered. While
>     >>>     looking for the SITE command will detect attempts to use *this
>     >>>     particular exploit*, there are plenty of other ways to store
>     >>>     your shellcode in memory before triggering this vulnerability,
>     >>>     which would evade anything using the SITE method for
>     detection."
>     >>>
>     >>>     2009/9/3 Matt Jonkman <jonkman at jonkmans.com
>     <mailto:jonkman at jonkmans.com>
>     >>>     <mailto:jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>>>
>     >>>
>     >>>         So it would. Doing so, Thanks!
>     >>>
>     >>>         dxp wrote:
>     >>>         > Adding 'depth:5;' to the SITE content match should help
>     >>>         with performance
>     >>>         > and FP.
>     >>>         > -
>     >>>         >
>     >>>         > -=[ dxp ]=-
>     >>>         > 0xA3F3C6E3
>     >>>         >
>     >>>         >
>     >>>         >
>     >>>         > On Mon, 2009-08-31 at 18:42 -0500,
>     >>>         evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net> <mailto:evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net>>
>     >>>         wrote:
>     >>>         >> Very fine Frank, thanks for submitting this.  What are
>     >>>         your thoughts on
>     >>>         >> a signature specific to the milw0rm PoC to detect
>     with a
>     >>>         greater level
>     >>>         >> of certainly this PoC being used in the wild.  This
>     would
>     >>>         obviously be
>     >>>         >> in conjunction with your signature, not a
>     replacement for
>     >>>         it, but could
>     >>>         >> be used with perhaps a greater level of confidence to
>     >>>         invoke a IDS/IPS
>     >>>         >> action.
>     >>>         >>
>     >>>         >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
>     >>>         Exploit IIS FTP
>     >>>         >> Exploit - Large SITE Command, milw0rm PoC";
>     >>>         flow:established,to_server;
>     >>>         >> content:"SITE "; nocase;
>     >>>         content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
>     >>>         >> classtype:attempted-admin;
>     >>>         reference:url,www.milw0rm.com/exploits/9541
>     <http://www.milw0rm.com/exploits/9541>
>     >>>         <http://www.milw0rm.com/exploits/9541>;
>     >>>         >> sid:2009xxxx; rev:0;)
>     >>>         >>
>     >>>         >> -evilghost
>     >>>         >>
>     >>>         >> Frank Knobbe wrote:
>     >>>         >>> Gents,
>     >>>         >>>
>     >>>         >>> I committed this sig to catch the milw0rm IIS-FTP
>     exploit:
>     >>>         >>>
>     >>>         >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
>     >>>         EXPLOIT Possible
>     >>>         >>> IIS FTP Exploit attempt - Large SITE command";
>     >>>         >>> flow:established,to_server; content:"SITE "; nocase;
>     >>>         content:!"|0d 0a|";
>     >>>         >>> within:150; classtype:attempted-admin;
>     >>>         >>> reference:url,www.milw0rm.com/exploits/9541
>     <http://www.milw0rm.com/exploits/9541>
>     >>>         <http://www.milw0rm.com/exploits/9541>;
>     >>>         >>> reference:url,doc.emergingthreats.net/2009828
>     <http://doc.emergingthreats.net/2009828>
>     >>>         <http://doc.emergingthreats.net/2009828>;
>     >>>         >>>
>     >>>        
>     reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
>     <http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP>
>     >>>        
>     <http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP>;
>     >>>         sid:2009828; rev:2;)
>     >>>         >>>
>     >>>         >>> Seems to test okay for me. But I'm not sure if
>     there are
>     >>>         legitimate SITE
>     >>>         >>> commands larger than 150 bytes. Please report any
>     False
>     >>>         Positives.
>     >>>         >>>
>     >>>         >>> Thanks,
>     >>>         >>> Frank
>     >>>         >>>
>     >>>         >>>
>     >>>         >>>
>     >>>         >>>
>     >>>         >>>
>     >>>        
>     ------------------------------------------------------------------------
>     >>>         >>>
>     >>>         >>> _______________________________________________
>     >>>         >>> Emerging-sigs mailing list
>     >>>         >>> Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >>>         <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >>>         >>>
>     >>>        
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>>         >>>
>     >>>         >> _______________________________________________
>     >>>         >> Emerging-sigs mailing list
>     >>>         >> Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >>>         <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >>>         >>
>     >>>        
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>>         >>
>     >>>         >>
>     >>>        
>     ------------------------------------------------------------------------
>     >>>         >>
>     >>>         >> _______________________________________________
>     >>>         >> Emerging-sigs mailing list
>     >>>         >> Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >>>         <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >>>         >>
>     >>>        
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>>
>     >>>         --
>     >>>         --------------------------------------------
>     >>>         Matthew Jonkman
>     >>>         Emerging Threats
>     >>>         Open Information Security Foundation (OISF)
>     >>>         Phone 765-429-0398
>     >>>         Fax 312-264-0205
>     >>>         http://www.emergingthreats.net
>     >>>         http://www.openinformationsecurityfoundation.org
>     >>>         --------------------------------------------
>     >>>
>     >>>         PGP: http://www.jonkmans.com/mattjonkman.asc
>     >>>
>     >>>
>     >>>         _______________________________________________
>     >>>         Emerging-sigs mailing list
>     >>>         Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >>>         <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >>>        
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>>
>     >>>
>     >>>    
>     ------------------------------------------------------------------------
>     >>>
>     >>>     _______________________________________________
>     >>>     Emerging-sigs mailing list
>     >>>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >>>    
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>>
>     >
>     >     _______________________________________________
>     >     Emerging-sigs mailing list
>     >     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >
>     >
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>

From eslerj at gmail.com  Fri Sep  4 14:25:45 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Sep 2009 14:25:45 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4AA155FD.1030406@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<1251984455.6560.1.camel@kinta> <4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
	<314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
	<4AA12D1F.5050005@packetmail.net>
	<314cf0830909040958l5517423fw2016cac588fdbe4e@mail.gmail.com>
	<4AA155FD.1030406@packetmail.net>
Message-ID: <314cf0830909041125p1cfee5e5td2d66523511d4448@mail.gmail.com>

I do understand what you are trying to say.  No insult is perceived.

It's just a point of view I guess.  I can see how you would think that might
be a jab, but I see two paragraphs of helpfulness.  One saying that looking
for SITE is pointless, as it actually has nothing to do with the exploit,
and the other saying, "hey, make your rule bail fast".  It's two sides of
the same coin.  It's all in how you look at it.

Remember that before I came to Sourcefire, I was a committer to Bleeding
Snort, some of my rules probably are still hanging around.  That was a long
time ago, and I thought I knew a lot about rule writing back then, but in
the past four years, i've learned a ton more, and I wouldn't write rules the
same way I used to.  The advantage of me saying all that nonsense is to make
a point, I can see things from both sides.  I can see things from (as we say
in the south) "ya'lls" perspective (the communities) and I can see things
now from the corporate side.  It's a very difficult world that we
(Sourcefire) live in balancing the Open Source with the commercial.  But
we've done pretty well so far, and we are going to be working on improving
this relationship in the future.

Back to the rules --

The tricky part is, I know a lot of the members (all?) of VRT are NOT on
this list, so they may have been sent the rules from an external source.
 (Example:  One of our customers opening a ticket to get a rule working in
their Defense Center/3DSensor system.)

There are at least 4 or 5 other rule repository/writing "agencies"
(including Emerging) that I know of.  Probably a couple more.  All of these
rules at one time or another will (or have) wind (wound) up in support's
hands, (who have to file a ticket with VRT), when they can't get a rule
working, or performance on a rule isn't optimal.  When VRT has to deal with
10s of thousands of rules some our own, some coming in from all directions.
 I've been with the VRT on MSFT Tuesday, and non-MSFT tuesday when rule
packs are generated.  It's a hectic time.  They don't have time to monitor
all the rule repositories, AND do research into 0days, AND generate
rules..etc.. (you get the point).

The second paragraph addressing the performance issue as well.  Not really a
big deal when you are talking about 500 mbit of traffic or a Gig of traffic,
even 5 Gigs of traffic.  That's easy.  It's when you are getting to 10 Gigs
and above that time savings is a factor.  As I am sure you are well aware,
it's not easy to have an engine that runs at those speeds and provides the
amount of functionality and output that ours does.  That's why you use
Snort, for that functionality.

So when I look at the blog post I see "Hey, the rule that we just got sent
to us has SITE and no isdataat in it, let's write a blog post to try and
help whomever out there is writing the rule to make it better".  VRT may not
know where the rule came from.  The VRT has the ability to address a much
larger audience from the blog than they do just the ET list.

Does that make sense?

J

On Fri, Sep 4, 2009 at 2:01 PM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

> Joel, thank you for this response.  I believe that SID 2009860 is
> necessary as it covers the DoS situation in IIS5, IIS6, and IIS7 as well
> as the trigger for code execution.  Prior to this I agree that some of
> the signatures may have been redundant to those already in existence or
> handled by the ftp preprocessor, however, the argument of positive
> granular identification still applies.
>
> Again, without trying to be combative or inflammatory, I think there are
> going to be intrinsic differences between my job, which is to adequately
> secure the enterprise using all tools available to the best level of
> protection and SourceFire, who's job is to support, market, and develop
> a product and a respective ruleset.  Now, please don't infer insult from
> this statement but understand that based on these differences there will
> be some decisions made which will be in disagreement (such as, rule
> redundancy or degraded performance in favor of granular identification)
> due to operational goals.
>
> Now, when I speak of discrediting the community I am speaking
> specifically of the VRT blog article covering the IIS FTP issue and
> discrediting, rather distastefully, the efforts of the ET community
> (implied) to address this.  Rather that identifying room for improvement
> in the signatures and playing nicely with the ET community these gems of
> wisdom were played out on the VRT blog in such as manner as to suggest
> VRT superiority and ET inferiority.  Re-read
>
> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
> and take a while to digest what's being said.  Had this information been
> said on the ET list things would certainly be construed differently (as
> being helpful) than them being touted on the VRT blog which IMHO paints
> SourceFire as being combative and superior with/to community efforts --
> "look at these guys, they're reinventing the wheel and don't even know
> what they're doing"
>
> Anytime I've said "you" in previous emails, I meant "you" collectively,
> as SourceFire, not Joel specifically, and you've been helpful in the
> past concerning this issue and I agree with your point of "you don't
> have to do this, it's already covered" (albeit again, differences in
> granular identification).  What I take issue to is what is posted on the
> VRT blog.
>
> I hope I've been able to communicate these effectively without implying
> insult.  If I have, I apologize, as that was not the intent.
>
> -evilghost
>
> Joel Esler wrote:
> > On Fri, Sep 4, 2009 at 11:07 AM, evilghost at packetmail.net
> > <mailto:evilghost at packetmail.net> <evilghost at packetmail.net
> > <mailto:evilghost at packetmail.net>> wrote:
> >
> >     I have to disagree with this entirely.  Rather than catching this
> >     exploit in a rather generic overflow signature I find much value in
> >     identifying the vulnerability correctly.  Not only does this allow
> one
> >     to take appropriate action (such as a firewall block) with confidence
> >     but it also adds specific information to correlation engines or other
> >     processes.  Being able to identify with confidence that a particular
> >     system has been or is being targeted by this IIS FTP globbing
> >     exploit is
> >     significantly more valuable than a generic catch-all rule.
> >
> >
> > The rule that is most relevant (beside the fact that the preprocessor
> > does this by default), says something like "FTP NLST Buffer Overflow".
> >  That's what it is!  You shouldn't have false positives on this rule
> > unless it's a really long NLST buffer string.  It can't get more
> > simpler than that.  It's pretty specific.  Not arguing the point, just
> > trying to let you know how I see it from my chair.
> >
> >
> >     There are times where existing rules are sufficient and times where
> >     construction of a new rule adds value to the community efforts.
> >      I'm not
> >     writing rules for grins and giggles and I've no illusions that
> >     I'll ever
> >     win a T-Shirt.  To assert that "protection for this already exists"
> >     based on a legacy VRT rule makes many assumptions and removes the
> >     ability to manage, at a granular level, specific threats.
> >
> >
> > It's not so much the rules, its the preprocessor IMO.  The
> > preprocessor was coded such that a multitude of rules don't have to
> > exist for generic (and this is generic) ftp command buffer overflow.
> >  In fact, I'm pretty disgusted that MSFT didn't fuzz this out when the
> > same thing happened to different commands.  However, I bet that not
> > only they are, but plenty more are now.  I'd be surprised if this was
> > the last one.
> >
> > The only rules that are legacy (and I do not speak for the VRT, I
> > don't presume to, they'd beat me to a pulp if I tried ;) ) are the
> > rules in the deleted.rules file.  All the other ones are current.
> >  Yes, they may be old, but obviously in case of this example, they
> > have a function.
> >
> >     Now with that being said, the previous SITE and NLST signatures I
> >     wrote
> >     are inferior to the underlying issue itself, */../, which I wrote a
> >     signature for and was committed with SID 2009860.
> >
> >     Without trying to sound inflammatory, it's to SourceFires
> >     advantage from
> >     a company/marketing aspect to discredit community efforts so they can
> >     push their VRT subscriptions.  I do see and am certain I'll see
> >     this in
> >     the future as a selling point for VRT, "Look we had *legacy* VRT
> >     coverage for this".  Again, there are times in the enterprise where
> >     identification of specific threats are significantly more valuable
> >     than
> >     a generic behavioral catch-all.  Who knows, perhaps this issue will
> >     replace the "We had coverage for Blaster the same day!" mantra.
> >
> >
> > I hear what you are saying, and I respect your opinion, you make a
> > good point.  But, I could understand your point if the rules were
> > subscription.  But these rules are so old heck they are probably
> > included in the Debian build of Snort, (I think Debian still includes
> > the really really old rules) and the preprocessor does it by default,
> > I just am trying to understand the duplication of work.  Yes, there
> > are times when we have rules in place (zotob, etc) where, when a rule
> > is written to the vulnerability, then an exploit or worm comes out
> > later exploiting that vulnerability, yes, it's advantageous for SF to
> > say "hey, here's these rules, they've been out for "X", change these
> > rules to drop".  We've even done press releases about it in the past.
> >
> > However, I take offense to the point where you say that Sourcefire is
> > trying to discredit community efforts.  Just the opposite.  Of course
> > it's also advantageous for us to push the fact that there is a
> > community (and we do), being that Snort is the largest deployed IDS in
> > the world.  I'm not discrediting Emerging/Bleeding one little bit.
> > Sourcefire wouldn't exist unless it was the community that got it
> > started.  The reason VRT licensing was developed is a big long story,
> > that basically has to do with IP theft.  Sourcefire loves its
> > community and you guys may not always see the things going on in the
> > background (because we are a public company) to help the future of the
> > Snort community, but trust me, it's there.
> >
> > If you have a problem with something we are doing, there are avenues
> > to address it.  Anyone is welcome to email me, or Mike Guiterman
> > (Snort Community Manager).  If there is a problem.
> >
> > {BTW -- My email address is jesler [Shift-2] sourcefire {dot} com.  I
> > am writing to this list from my gmail account, because almost all of
> > my listserv traffic goes to this account.  I'm not trying to hide
> > behind this address or anything, don't have any conspiracy theories.
> >  (I know how some people are touchy about that kind of thing, just
> > trying to respect that.)}
> >
> > What I am trying to say is, "you guys don't have to do this amount of
> > work".  If you don't like a "legacy" rules name (what you are saying
> > is generic)  FTP NLST Buffer Overflow.  Yes, it's generic, but that's
> > what the exploit is, then take the rule, rename it, move it to
> > local.rules.  Done.  I'm just trying to help you preserve time &
> > money.  (time = money).
> >
> > I'm not arguing or trying to start a flame war, just displaying my
> > point of view.
> >
> > J
> >
> >
> >
> >
> >
> >     -evilghost
> >
> >
> >
> >     Joel Esler wrote:
> >     > It wasn't so much a matter of the rule being rejected, it was a
> >     matter
> >     > of, "hey, this exploit/attack method is already covered in 5
> >     year old
> >     > functionality built into the system".  Writing rules because they
> >     > /need/ to be written is one thing, writing rules because we /can/
> is
> >     > another.
> >     >
> >     > In this case, IMHO, the rules didn't need to be written.  It's a
> >     good
> >     > exercise to learn how to do it properly (especially the isdataat
> >     > lesson), but duplication of work for you, and for your customers is
> >     > superfluous.
> >     >
> >     > J
> >     >
> >     >
> >     >
> >     > On Thu, Sep 3, 2009 at 10:02 PM, evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net>
> >     > <mailto:evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net>> <evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net>
> >     > <mailto:evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net>>> wrote:
> >     >
> >     >     I don't understand why this rule is continued to be
> >     >     rejected/ignored.  Help me understand what's deficient with it
> >     >     please so that improvements can be made as well as to better my
> >     >     own understating.  There is continued talk of using the NLST
> >     >     command as the root vulnerability versus detecting overflow in
> >     >     SITE (shell-code push vector) so I offered this signature.  I'm
> >     >     not beating my chest just concerned with the lack of
> >     response.  If
> >     >     I'm doing something wrong let me know :)
> >     >
> >     >     My understanding of the isdataat command shown in rev:1 of this
> >     >     rule to be using the correct syntax.  In this particular
> >     rule the
> >     >     string after NLST should be 100 bytes for a total byte size
> >     of 105
> >     >     , if we want it hard-set at 100 bytes we'll need to remove the
> >     >     'relative' option.  Even
> >     >     http://seclists.org/fulldisclosure/2009/Sep/0015.html seems to
> >     >     indicate the proposed signature is acceptable (based on my
> >     >     understanding of the exploit vector)
> >     >
> >     >     Finally, I should add, I don't work for VRT/SourceFire.
> >     >
> >     >     Thanks,
> >     >
> >     >     evilghost
> >     >
> >     >     evilghost at packetmail.net <mailto:evilghost at packetmail.net>
> >     <mailto:evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net>> wrote:
> >     >>     Kevin I had submitted this signature earlier in the week but
> >     >>     didn't get any response.  Just added isdataat and depth to
> help
> >     >>     performance/FP.
> >     >>
> >     >>     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
> >     Exploit IIS FTP Exploit - NLST"; flow:established,to_server;
> >     content:"NLST "; depth:5; isdataat:100,relative; nocase;
> >     content:"|2a|"; content:!"|0d 0a|"; within:100;
> >     classtype:attempted-admin;
> >     reference:url,www.milw0rm.com/exploits/9541
> >     <http://www.milw0rm.com/exploits/9541>
> >     <http://www.milw0rm.com/exploits/9541>; sid:2009xxxx; rev:1;)
> >     >>     -evilghost
> >     >>
> >     >>     Kevin Ross wrote:
> >     >>>
> >
> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability-bad.html
> >     >>>
> >     >>>     Hmm. Seems using SITE may not actually cover the
> >     vulnerability.
> >     >>>     Have a read. The important bit is:
> >     >>>
> >     >>>     "We saw some rules that detected the SITE command as the
> >     >>>     vulnerable condition for exploitation, this is not where the
> >     >>>     problem lies. Its in the *NLST* command when it parses long
> >     >>>     directory names. The SITE command in the released exploit
> >     >>>     (archived on milw0rm) is used to store shellcode into
> >     memory, so
> >     >>>     it can be egghunted later when the exploit is triggered.
> While
> >     >>>     looking for the SITE command will detect attempts to use
> *this
> >     >>>     particular exploit*, there are plenty of other ways to store
> >     >>>     your shellcode in memory before triggering this
> vulnerability,
> >     >>>     which would evade anything using the SITE method for
> >     detection."
> >     >>>
> >     >>>     2009/9/3 Matt Jonkman <jonkman at jonkmans.com
> >     <mailto:jonkman at jonkmans.com>
> >     >>>     <mailto:jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>>>
> >     >>>
> >     >>>         So it would. Doing so, Thanks!
> >     >>>
> >     >>>         dxp wrote:
> >     >>>         > Adding 'depth:5;' to the SITE content match should help
> >     >>>         with performance
> >     >>>         > and FP.
> >     >>>         > -
> >     >>>         >
> >     >>>         > -=[ dxp ]=-
> >     >>>         > 0xA3F3C6E3
> >     >>>         >
> >     >>>         >
> >     >>>         >
> >     >>>         > On Mon, 2009-08-31 at 18:42 -0500,
> >     >>>         evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net> <mailto:evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net>>
> >     >>>         wrote:
> >     >>>         >> Very fine Frank, thanks for submitting this.  What are
> >     >>>         your thoughts on
> >     >>>         >> a signature specific to the milw0rm PoC to detect
> >     with a
> >     >>>         greater level
> >     >>>         >> of certainly this PoC being used in the wild.  This
> >     would
> >     >>>         obviously be
> >     >>>         >> in conjunction with your signature, not a
> >     replacement for
> >     >>>         it, but could
> >     >>>         >> be used with perhaps a greater level of confidence to
> >     >>>         invoke a IDS/IPS
> >     >>>         >> action.
> >     >>>         >>
> >     >>>         >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
> >     >>>         Exploit IIS FTP
> >     >>>         >> Exploit - Large SITE Command, milw0rm PoC";
> >     >>>         flow:established,to_server;
> >     >>>         >> content:"SITE "; nocase;
> >     >>>         content:"KSEXYVVVVVVVVVVVVVVVVVVVVVVVV";
> >     >>>         >> classtype:attempted-admin;
> >     >>>         reference:url,www.milw0rm.com/exploits/9541
> >     <http://www.milw0rm.com/exploits/9541>
> >     >>>         <http://www.milw0rm.com/exploits/9541>;
> >     >>>         >> sid:2009xxxx; rev:0;)
> >     >>>         >>
> >     >>>         >> -evilghost
> >     >>>         >>
> >     >>>         >> Frank Knobbe wrote:
> >     >>>         >>> Gents,
> >     >>>         >>>
> >     >>>         >>> I committed this sig to catch the milw0rm IIS-FTP
> >     exploit:
> >     >>>         >>>
> >     >>>         >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET
> >     >>>         EXPLOIT Possible
> >     >>>         >>> IIS FTP Exploit attempt - Large SITE command";
> >     >>>         >>> flow:established,to_server; content:"SITE "; nocase;
> >     >>>         content:!"|0d 0a|";
> >     >>>         >>> within:150; classtype:attempted-admin;
> >     >>>         >>> reference:url,www.milw0rm.com/exploits/9541
> >     <http://www.milw0rm.com/exploits/9541>
> >     >>>         <http://www.milw0rm.com/exploits/9541>;
> >     >>>         >>> reference:url,doc.emergingthreats.net/2009828
> >     <http://doc.emergingthreats.net/2009828>
> >     >>>         <http://doc.emergingthreats.net/2009828>;
> >     >>>         >>>
> >     >>>
> >     reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
> >     <
> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
> >
> >     >>>
> >     <
> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
> >;
> >     >>>         sid:2009828; rev:2;)
> >     >>>         >>>
> >     >>>         >>> Seems to test okay for me. But I'm not sure if
> >     there are
> >     >>>         legitimate SITE
> >     >>>         >>> commands larger than 150 bytes. Please report any
> >     False
> >     >>>         Positives.
> >     >>>         >>>
> >     >>>         >>> Thanks,
> >     >>>         >>> Frank
> >     >>>         >>>
> >     >>>         >>>
> >     >>>         >>>
> >     >>>         >>>
> >     >>>         >>>
> >     >>>
> >
> ------------------------------------------------------------------------
> >     >>>         >>>
> >     >>>         >>> _______________________________________________
> >     >>>         >>> Emerging-sigs mailing list
> >     >>>         >>> Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >>>         <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >>>         >>>
> >     >>>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >>>         >>>
> >     >>>         >> _______________________________________________
> >     >>>         >> Emerging-sigs mailing list
> >     >>>         >> Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >>>         <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >>>         >>
> >     >>>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >>>         >>
> >     >>>         >>
> >     >>>
> >
> ------------------------------------------------------------------------
> >     >>>         >>
> >     >>>         >> _______________________________________________
> >     >>>         >> Emerging-sigs mailing list
> >     >>>         >> Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >>>         <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >>>         >>
> >     >>>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >>>
> >     >>>         --
> >     >>>         --------------------------------------------
> >     >>>         Matthew Jonkman
> >     >>>         Emerging Threats
> >     >>>         Open Information Security Foundation (OISF)
> >     >>>         Phone 765-429-0398
> >     >>>         Fax 312-264-0205
> >     >>>         http://www.emergingthreats.net
> >     >>>         http://www.openinformationsecurityfoundation.org
> >     >>>         --------------------------------------------
> >     >>>
> >     >>>         PGP: http://www.jonkmans.com/mattjonkman.asc
> >     >>>
> >     >>>
> >     >>>         _______________________________________________
> >     >>>         Emerging-sigs mailing list
> >     >>>         Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >>>         <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >>>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >>>
> >     >>>
> >     >>>
> >
> ------------------------------------------------------------------------
> >     >>>
> >     >>>     _______________________________________________
> >     >>>     Emerging-sigs mailing list
> >     >>>     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >>>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >>>
> >     >
> >     >     _______________________________________________
> >     >     Emerging-sigs mailing list
> >     >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >
> >     >
> >     _______________________________________________
> >     Emerging-sigs mailing list
> >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090904/1fff4ed2/attachment-0001.html

From frank at knobbe.us  Fri Sep  4 15:48:29 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Fri, 04 Sep 2009 14:48:29 -0500
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <314cf0830909041125p1cfee5e5td2d66523511d4448@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<1251984455.6560.1.camel@kinta> <4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
	<314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
	<4AA12D1F.5050005@packetmail.net>
	<314cf0830909040958l5517423fw2016cac588fdbe4e@mail.gmail.com>
	<4AA155FD.1030406@packetmail.net>
	<314cf0830909041125p1cfee5e5td2d66523511d4448@mail.gmail.com>
Message-ID: <1252093709.77298.51.camel@server1>

On Fri, 2009-09-04 at 14:25 -0400, Joel Esler wrote:
> So when I look at the blog post I see "Hey, the rule that we just got
> sent to us has SITE and no isdataat in it, let's write a blog post to
> try and help whomever out there is writing the rule to make it
> better".  VRT may not know where the rule came from.  The VRT has the
> ability to address a much larger audience from the blog than they do
> just the ET list.  


Is it really necessary to drag this debate out so long?

Joel, just so you know, I wrote that SITE sig. The reason was simple.
That's how the long shell code was uploaded. I'm fully aware that SITE
is not vulnerable, but NLST. However, when I looked at the code, the
length of the NLST argument didn't seem very long. Since I didn't spend
the time figuring out what characters exactly were triggering the
exploit, and I wanted to avoid false positives on long, but valid NLIST
arguments, I opted to look for the much longer SITE argument instead.

Should I have used dataat to see where that command terminated with a \r
\n? Perhaps, but I didn't want to spend time on troubleshooting any
isdataat syntax issues either, so I went with the not-content check.

The reason for not using depth:5; is simple. From my experience with FTP
based alerts, commands are not always guaranteed to be at the beginning
of a packet (definitely not the stream), especially when multiple
commands are issued in succession. Yes, if you run FTP from the command
line, I believe it's one command (until you hit enter) per packet. But
in batch mode, it seems there are a lot of commands crammed into one
packet. Something simple like "PWD\r\nSITE <large arg>" will evade any
sig that expects SITE to be at the packet start. So I did not add
depth:5; on purpose.

Should I have tested the Snort rules better to see which rule might
trigger? I could, but I saw an exploit and it was easier for me to
assure signature coverage by just writing one real quick myself. Quick
response to current and emerging threats (pun intended) is key in my
opinion for what we do at EmergingThreats. 

When folks see a posting at SANS for a new exploit affecting Windows
Internet services, they get concerned. I wanted a signature out there
quickly so that any such exploit attempts are at least detectable.

I'm happy to hear that Snort already had an alert for that. My posting
was not to duplicate signatures, but to quickly post a tested sig to put
peoples mind at ease.

Cheers,
Frank


PS: The VRT blog posting made it sound like there are other ways to
transmit long shellcode to be triggered with the NLST vulnerability. If
you are aware of other commands that accept that much data, please share
(for curiosity. I'm aware the FTP preproc will alert on those too).
 


From emerging at emergingthreats.net  Fri Sep  4 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri,  4 Sep 2009 16:00:12 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090904200012.E2BAC4501B@goliath.jonkmans.com>


[***] Results from Oinkmaster started Fri Sep  4 16:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2009848 - ET WEB_SPECIFIC Dragoon header.inc.php root Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009858 - ET WEB_ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt (emerging-web.rules)
 2009859 - ET EXPLOIT IIS FTP Exploit - NLST (emerging-exploit.rules)
 2009860 - ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit (emerging-exploit.rules)
 2009861 - ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP)) (emerging-malware.rules)
 2009862 - ET TROJAN Banker Trojan CnC AddNew Command (emerging-virus.rules)
 2009863 - ET TROJAN Banker Trojan CnC Hello Command (emerging-virus.rules)
 2009864 - ET TROJAN Banker Trojan CnC Server Ping (emerging-virus.rules)
 2009865 - ET TROJAN Unknown CnC Channel Keep Alive (emerging-virus.rules)
 2009866 - ET TROJAN Unknown CnC Channel Keep Alive Server Response (emerging-virus.rules)
 2009867 - ET MALWARE Suspicious User-Agent (Mozilla/3.0 (compatible)) (emerging-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-exploit.rules (1):
        # By evilghost

     -> Added to emerging-sid-msg.map (13):
        2009848 || ET WEB_SPECIFIC Dragoon header.inc.php root Parameter Remote File Inclusion || bugtraq,28660 || url,milw0rm.com/exploits/5393
        2009858 || ET WEB_ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt || url,www.securityfocus.com/bid/36234/info
        2009859 || ET EXPLOIT IIS FTP Exploit - NLST || url,www.milw0rm.com/exploits/9541
        2009860 || ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541
        2009861 || ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009861
        2009862 || ET TROJAN Banker Trojan CnC AddNew Command
        2009863 || ET TROJAN Banker Trojan CnC Hello Command
        2009864 || ET TROJAN Banker Trojan CnC Server Ping
        2009865 || ET TROJAN Unknown CnC Channel Keep Alive
        2009866 || ET TROJAN Unknown CnC Channel Keep Alive Server Response
        2009867 || ET MALWARE Suspicious User-Agent (Mozilla/3.0 (compatible)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009867
        2404025 || ET DROP Known Bot C&C Server Traffic (group 26)  || url,www.shadowserver.org
        2405025 || ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to emerging-sid-msg.map.txt (13):
        2009848 || ET WEB_SPECIFIC Dragoon header.inc.php root Parameter Remote File Inclusion || bugtraq,28660 || url,milw0rm.com/exploits/5393
        2009858 || ET WEB_ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt || url,www.securityfocus.com/bid/36234/info
        2009859 || ET EXPLOIT IIS FTP Exploit - NLST || url,www.milw0rm.com/exploits/9541
        2009860 || ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541
        2009861 || ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009861
        2009862 || ET TROJAN Banker Trojan CnC AddNew Command
        2009863 || ET TROJAN Banker Trojan CnC Hello Command
        2009864 || ET TROJAN Banker Trojan CnC Server Ping
        2009865 || ET TROJAN Unknown CnC Channel Keep Alive
        2009866 || ET TROJAN Unknown CnC Channel Keep Alive Server Response
        2009867 || ET MALWARE Suspicious User-Agent (Mozilla/3.0 (compatible)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009867
        2404025 || ET DROP Known Bot C&C Server Traffic (group 26)  || url,www.shadowserver.org
        2405025 || ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to emerging-virus.rules (2):
        #banker trojan with a custom cnc
        #matt jonkman, re aab13cae762c86e21beb82c7c75fb1cf

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (84):
        2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (84):
        2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From eslerj at gmail.com  Fri Sep  4 16:17:59 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Sep 2009 16:17:59 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <1252093709.77298.51.camel@server1>
References: <1251755569.42741.11.camel@localhost>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<4A9FF8C2.3050205@packetmail.net> <4AA0753A.7040407@packetmail.net>
	<314cf0830909040536v3b0d2195t99bd27b7eba15f44@mail.gmail.com>
	<4AA12D1F.5050005@packetmail.net>
	<314cf0830909040958l5517423fw2016cac588fdbe4e@mail.gmail.com>
	<4AA155FD.1030406@packetmail.net>
	<314cf0830909041125p1cfee5e5td2d66523511d4448@mail.gmail.com>
	<1252093709.77298.51.camel@server1>
Message-ID: <314cf0830909041317q2d6b4b68g44175ba087f80003@mail.gmail.com>

On Fri, Sep 4, 2009 at 3:48 PM, Frank Knobbe <frank at knobbe.us> wrote:

> On Fri, 2009-09-04 at 14:25 -0400, Joel Esler wrote:
> > So when I look at the blog post I see "Hey, the rule that we just got
> > sent to us has SITE and no isdataat in it, let's write a blog post to
> > try and help whomever out there is writing the rule to make it
> > better".  VRT may not know where the rule came from.  The VRT has the
> > ability to address a much larger audience from the blog than they do
> > just the ET list.
>
>
> Is it really necessary to drag this debate out so long?
>

Nope, but it is an interesting discussion and I am glad it's taking place,
if nothing else, to air our perceptions and see if any improvements could be
made.


>
> Joel, just so you know, I wrote that SITE sig. The reason was simple.
> That's how the long shell code was uploaded. I'm fully aware that SITE
> is not vulnerable, but NLST. However, when I looked at the code, the
> length of the NLST argument didn't seem very long. Since I didn't spend
> the time figuring out what characters exactly were triggering the
> exploit, and I wanted to avoid false positives on long, but valid NLIST
> arguments, I opted to look for the much longer SITE argument instead.
>
> Should I have used dataat to see where that command terminated with a \r
> \n? Perhaps, but I didn't want to spend time on troubleshooting any
> isdataat syntax issues either, so I went with the not-content check.
>

Understandable.  No debate there.



>
> The reason for not using depth:5; is simple. From my experience with FTP
> based alerts, commands are not always guaranteed to be at the beginning
> of a packet (definitely not the stream), especially when multiple
> commands are issued in succession. Yes, if you run FTP from the command
> line, I believe it's one command (until you hit enter) per packet. But
> in batch mode, it seems there are a lot of commands crammed into one
> packet. Something simple like "PWD\r\nSITE <large arg>" will evade any
> sig that expects SITE to be at the packet start. So I did not add
> depth:5; on purpose.
>

Right, that's why isdataat was invented, as you well know.  Depth (and
dsize) work in a very limited fashion and have a totally different set of
features that isdataat fulfills.


>
> Should I have tested the Snort rules better to see which rule might
> trigger? I could, but I saw an exploit and it was easier for me to
> assure signature coverage by just writing one real quick myself. Quick
> response to current and emerging threats (pun intended) is key in my
> opinion for what we do at EmergingThreats.
>
> When folks see a posting at SANS for a new exploit affecting Windows
> Internet services, they get concerned. I wanted a signature out there
> quickly so that any such exploit attempts are at least detectable.
>
> I'm happy to hear that Snort already had an alert for that. My posting
> was not to duplicate signatures, but to quickly post a tested sig to put
> peoples mind at ease.
>
> Cheers,
> Frank
>
>
> PS: The VRT blog posting made it sound like there are other ways to
> transmit long shellcode to be triggered with the NLST vulnerability. If
> you are aware of other commands that accept that much data, please share
> (for curiosity. I'm aware the FTP preproc will alert on those too).
>

*I* am not aware.  However..

http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability.html

Makes it seems like there may be other commands that trigger this overflow
as well.  I do not know the specifics, as I am sure there are several
vulnerability research houses out there right now fuzzing out different
commands to see if it's possible.

(Again, I do *not* speak for VRT, and am not aware if they are fuzzing *this
* issue.  Although, more often than not, they usually are fuzzing something
;)

J
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090904/90d93eb6/attachment.html

From unsignedlong at gmail.com  Fri Sep  4 20:44:25 2009
From: unsignedlong at gmail.com (Jim Trexler)
Date: Fri, 4 Sep 2009 20:44:25 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <4AA0796E.7060702@packetmail.net>
References: <1251755569.42741.11.camel@localhost>
	<4A9C5FF2.9090009@packetmail.net> <1251984455.6560.1.camel@kinta>
	<4A9FD6AE.7020709@jonkmans.com>
	<e75cc74a0909031005g1f384606hf3d90d4729c59e0a@mail.gmail.com>
	<20090903172159.GB21340@knobbe.us>
	<c94f1fa20909031623p339497e1jc2ca6ace4bf61aca@mail.gmail.com>
	<4AA0796E.7060702@packetmail.net>
Message-ID: <c94f1fa20909041744p52509812kbbf43ed172c0b2e6@mail.gmail.com>

  Ghost,

  I'm not getting involved with the preprocessor thread as I seldom rely on
them - I've had too many issues with them over the years - mainly they are
too chatty and don't always hit the mark.  Performance not withstanding - I
prefer sigs.  Which is one reason I tune the rule sets specific to each
sensor.

  The reason you didn't much feedback is because, of the people involved,
there is not a strong consensus on who wants to see a sig for THE exploit
(as was stated in a reply to you by someone previously) and those that want
a sig for the more generic form.  Your's initially would be very specific
and evade-able.  I wouldn't worry about that though.  Keep on developing and
post what is useful to you.  Everyone has to decide which sigs to include
anyway based on their unique circumstances and tweak as appropriate.  I
think you will get to the point where you will write for the generic form,
though, which is what I would prefer to see.

  The issue with NLST as I have read it was when multiple wildcards are
used.  The ".."'s and"/"'s not so much.  The lenth of this payload could be
very short on the order of say <20 chars.  So, my suggestion would be to set
a flag in the SITE sig and develop a second sig with the NLST and
multi-wildcards and require the previous (site sig) flag.

  I haven't had time to write the sigs but that's my $.02.

      jim



On Thu, Sep 3, 2009 at 10:20 PM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

>  Jim et al, based on my understanding of
> http://www.milw0rm.com/exploits/9559 ,
> http://seclists.org/fulldisclosure/2009/Sep/0015.html , and
> http://packetstormsecurity.org/0909-exploits/msiis5-dos.txt the root issue
> is the "*/../" globbing functionality handling present in NLST.  So, what
> are thoughts on this signature?  I would imagine it would be sufficient to
> be a direct detection signature for this issue.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET Exploit IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; depth:5; content:"|2a 2f 2e 2e 2f|"; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; sid:2009xxxx; rev:0;)
>
> -evilghost
>
> Jim Trexler wrote:
>
>   Frank is correct.  The size matters on the SITE command but the wildcards
> (* and ?)matter on the NLST command (which hasn't 'emerged' yet).   If you
> see both fire then you have a more solid event than just one.
>
>          jim
>
>
> On Thu, Sep 3, 2009 at 1:21 PM, Frank Knobbe <frank at knobbe.us> wrote:
>
>> On Thu, Sep 03, 2009 at 06:05:30PM +0100, Kevin Ross wrote:
>> > Hmm. Seems using SITE may not actually cover the vulnerability. Have a
>> read.
>> > The important bit is:
>>
>>  Right, we know that and discussed it.
>>
>> Ideally we need a signature for overflow attempts for every command. But
>> since they are already in the Snort distribution, I'm not sure how much
>> of a duplication that would be.
>>
>> The thing with the NLIST sig is that the argument is not quite so long.
>> The problem is not the length, but the malformed content. So creating a
>> sig
>> for a long argument of NLIST is not completel accurate. The sig should
>> check for abnormal characters (those that are not valid for file names).
>>
>> But again, I think overflow sigs for SITE, NLIST, and every other FTP
>> command would be good, even though it's duplicating existing Snort sigs.
>>
>> Cheers,
>>  Frank
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
> ------------------------------
>
> _______________________________________________
> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090904/9dfd6236/attachment.html

From emerging at emergingthreats.net  Sat Sep  5 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat,  5 Sep 2009 16:00:12 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090905200012.D35FB4504D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sat Sep  5 16:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2008802 - ET TROJAN Possible Downadup/Conficker-A Worm Activity (emerging-virus.rules)
 2008803 - ET TROJAN Possible Downadup/Conficker-A Infection Checking Geographical Location (emerging-virus.rules)
 2009024 - ET TROJAN Downadup/Conficker A or B Worm reporting (emerging-virus.rules)
 2009114 - ET TROJAN Downadup/Conficker A Worm reporting (emerging-virus.rules)
 2009200 - ET TROJAN Conficker.a Shellcode (emerging-virus.rules)
 2009201 - ET TROJAN Conficker.b Shellcode (emerging-virus.rules)
 2009205 - ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (emerging-virus.rules)
 2009206 - ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging-virus.rules)
 2009207 - ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging-virus.rules)
 2009208 - ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging-virus.rules)


[///]     Modified active rules:     [///]

 2009860 - ET Exploit IIS FTP Exploit - NLST Globbing Exploit (emerging-exploit.rules)


[---]         Removed rules:         [---]

 2008802 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity (emerging.rules)
 2008803 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location (emerging.rules)
 2009024 - ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting (emerging.rules)
 2009114 - ET CURRENT_EVENTS Downadup/Conficker A Worm reporting (emerging.rules)
 2009200 - ET CURRENT_EVENTS Conficker.a Shellcode (emerging.rules)
 2009201 - ET CURRENT_EVENTS Conficker.b Shellcode (emerging.rules)
 2009205 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (emerging.rules)
 2009206 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging.rules)
 2009207 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging.rules)
 2009208 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging.rules)
 2009859 - ET EXPLOIT IIS FTP Exploit - NLST (emerging-exploit.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (11):
        2008802 || ET TROJAN Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2008803 || ET TROJAN Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2009024 || ET TROJAN Downadup/Conficker A or B Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html
        2009114 || ET TROJAN Downadup/Conficker A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009114 || url,www.f-secure.com/weblog/archives/00001584.html
        2009200 || ET TROJAN Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388
        2009201 || ET TROJAN Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388
        2009205 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009206 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009207 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009208 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009860 || ET Exploit IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541

     -> Added to emerging-sid-msg.map.txt (11):
        2008802 || ET TROJAN Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2008803 || ET TROJAN Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2009024 || ET TROJAN Downadup/Conficker A or B Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html
        2009114 || ET TROJAN Downadup/Conficker A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009114 || url,www.f-secure.com/weblog/archives/00001584.html
        2009200 || ET TROJAN Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388
        2009201 || ET TROJAN Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388
        2009205 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009206 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009207 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009208 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009860 || ET Exploit IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541

     -> Added to emerging-virus.rules (4):
        #by Kevin Ross
        # By RPG and Jack Pepper
        #by Tillman Werner
        #Disabling in favor of the preproc and SO rules that are now available

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (32):
        2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2009024 || ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html
        2009114 || ET CURRENT_EVENTS Downadup/Conficker A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009114 || url,www.f-secure.com/weblog/archives/00001584.html
        2009200 || ET CURRENT_EVENTS Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388
        2009201 || ET CURRENT_EVENTS Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388
        2009205 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009206 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009207 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009208 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009859 || ET EXPLOIT IIS FTP Exploit - NLST || url,www.milw0rm.com/exploits/9541
        2009860 || ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541
        2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (32):
        2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2009024 || ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html
        2009114 || ET CURRENT_EVENTS Downadup/Conficker A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009114 || url,www.f-secure.com/weblog/archives/00001584.html
        2009200 || ET CURRENT_EVENTS Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388
        2009201 || ET CURRENT_EVENTS Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388
        2009205 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009206 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009207 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009208 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009859 || ET EXPLOIT IIS FTP Exploit - NLST || url,www.milw0rm.com/exploits/9541
        2009860 || ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541
        2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging.rules (3):
        # By RPG and Jack Pepper
        #by Tillman Werner
        #Disabling in favor of the preproc and SO rules that are now available


From emerging at emergingthreats.net  Sat Sep  5 18:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat,  5 Sep 2009 18:00:12 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090905220012.2741A4504D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sat Sep  5 18:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2008802 - ET TROJAN Possible Downadup/Conficker-A Worm Activity (emerging-virus.rules)
 2008803 - ET TROJAN Possible Downadup/Conficker-A Infection Checking Geographical Location (emerging-virus.rules)
 2009024 - ET TROJAN Downadup/Conficker A or B Worm reporting (emerging-virus.rules)
 2009114 - ET TROJAN Downadup/Conficker A Worm reporting (emerging-virus.rules)
 2009200 - ET TROJAN Conficker.a Shellcode (emerging-virus.rules)
 2009201 - ET TROJAN Conficker.b Shellcode (emerging-virus.rules)
 2009205 - ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (emerging-virus.rules)
 2009206 - ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging-virus.rules)
 2009207 - ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging-virus.rules)
 2009208 - ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging-virus.rules)
 2009810 - ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)) (emerging-virus.rules)
 2009811 - ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET (emerging-virus.rules)
 2009812 - ET TROJAN AVKiller with Backdoor checkin - HTTP POST (emerging-virus.rules)
 2009813 - ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST (emerging-virus.rules)
 2009814 - ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET (emerging-virus.rules)
 2009815 - ET WEB Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI (emerging-web.rules)
 2009816 - ET WEB Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI (emerging-web.rules)
 2009817 - ET WEB Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User (emerging-web.rules)
 2009818 - ET WEB Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry (emerging-web.rules)
 2009819 - ET WEB Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk (emerging-web.rules)
 2009820 - ET WEB Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs (emerging-web.rules)
 2009822 - ET WEB Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs (emerging-web.rules)
 2009823 - ET WEB Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI to View Database Source Name (emerging-web.rules)
 2009824 - ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet (emerging-virus.rules)
 2009825 - ET TROJAN Win32.VB.tdq - Fake User-Agent (emerging-virus.rules)
 2009826 - ET TROJAN Generic Backdoor Retrieve Instructions/Configs - HTTP GET (emerging-virus.rules)
 2009827 - ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis (emerging-scan.rules)
 2009828 - ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command (emerging-exploit.rules)
 2009829 - ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET (emerging-virus.rules)
 2009830 - ET TROJAN Unknown Web Bot checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST (emerging-virus.rules)
 2009831 - ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino) (emerging-malware.rules)
 2009832 - ET SCAN NETBIOS DCERPC rpcmgmt ifids Unauthenticated BIND (emerging-scan.rules)
 2009833 - ET SCAN WITOOL SQL Injection Scan (emerging-scan.rules)
 2009834 - ET WEB_SPECIFIC Joomla portalid Component UNION SELECT SQL Injection (emerging-web_sql_injection.rules)
 2009835 - ET WEB_SPECIFIC Joomla portalid Component SELECT FROM SQL Injection (emerging-web_sql_injection.rules)
 2009836 - ET WEB_SPECIFIC Joomla portalid Component DELETE FROM SQL Injection (emerging-web_sql_injection.rules)
 2009837 - ET SCAN OWASP Joomla Vulnerability Scanner Detected (emerging-scan.rules)
 2009838 - ET WEB_SPECIFIC WB News search.php config Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009839 - ET WEB_SPECIFIC WB News archive.php config Parameter Remote File Inclusion -1 (emerging-web_sql_injection.rules)
 2009840 - ET WEB_SPECIFIC WB News Archive.php config Parameter Remote File Inclusion -2 (emerging-web_sql_injection.rules)
 2009841 - ET WEB_SPECIFIC WB News comments.php config Parameter Remote File Inclusion -1 (emerging-web_sql_injection.rules)
 2009842 - ET WEB_SPECIFIC WB News Comments.php config Parameter Remote File Inclusion -2 (emerging-web_sql_injection.rules)
 2009843 - ET WEB_SPECIFIC WB News news.php config Parameter Remote File Inclusion -1 (emerging-web_sql_injection.rules)
 2009844 - ET WEB_SPECIFIC WB News News.php config Parameter Remote File Inclusion -2 (emerging-web_sql_injection.rules)
 2009845 - ET WEB_SPECIFIC WB News SendFriend.php config Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009846 - ET WEB_SPECIFIC WB News global.php config Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009847 - ET WEB_ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow (emerging-web.rules)
 2009848 - ET WEB_SPECIFIC Dragoon header.inc.php root Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009849 - ET WEB_SPECIFIC Flash Quiz num_questions.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009850 - ET WEB_SPECIFIC Flash Quiz answers.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009851 - ET WEB_SPECIFIC Flash Quiz answers.php order_number Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009852 - ET WEB_SPECIFIC Flash Quiz high_score_web.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009853 - ET WEB_SPECIFIC Flash Quiz results_table_web.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009854 - ET WEB_SPECIFIC Flash Quiz question.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009855 - ET WEB_SPECIFIC Flash Quiz question.php order_number Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009856 - ET WEB_SPECIFIC Flash Quiz high_score.php quiz Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009857 - ET WEB_ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow (emerging-web.rules)
 2009858 - ET WEB_ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt (emerging-web.rules)
 2009860 - ET Exploit IIS FTP Exploit - NLST Globbing Exploit (emerging-exploit.rules)
 2009861 - ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP)) (emerging-malware.rules)
 2009862 - ET TROJAN Banker Trojan CnC AddNew Command (emerging-virus.rules)
 2009863 - ET TROJAN Banker Trojan CnC Hello Command (emerging-virus.rules)
 2009864 - ET TROJAN Banker Trojan CnC Server Ping (emerging-virus.rules)
 2009865 - ET TROJAN Unknown CnC Channel Keep Alive (emerging-virus.rules)
 2009866 - ET TROJAN Unknown CnC Channel Keep Alive Server Response (emerging-virus.rules)
 2009867 - ET MALWARE Suspicious User-Agent (Mozilla/3.0 (compatible)) (emerging-malware.rules)
 2404025 - ET DROP Known Bot C&C Server Traffic (group 26)  (emerging-botcc.rules)
 2405025 - ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2007829 - ET TROJAN Illusion Bot (Lussilon) Checkin (emerging-virus.rules)
 2009781 - ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET (emerging-malware.rules)
 2009782 - ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET (emerging-malware.rules)
 2009783 - ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET (emerging-malware.rules)
 2009784 - ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET (emerging-malware.rules)
 2009785 - ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET (emerging-malware.rules)
 2009786 - ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal (emerging-web_sql_injection.rules)
 2009787 - ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009788 - ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009789 - ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion (emerging-web_sql_injection.rules)
 2009790 - ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion (emerging-web_sql_injection.rules)
 2009791 - ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009792 - ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow (emerging-web.rules)
 2009793 - ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009794 - ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009795 - ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009796 - ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) (emerging-malware.rules)
 2009797 - ET TROJAN Bifrose Response from victim (emerging-virus.rules)
 2009798 - ET POLICY Carbonite Online Backup SSL Handshake (emerging-policy.rules)
 2009800 - ET POLICY Carbonite.com Backup Software Leaking MAC Address (emerging-policy.rules)
 2009801 - ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer) (emerging-policy.rules)
 2009803 - ET TROJAN Downloader Generic - GET (emerging-virus.rules)
 2009804 - ET TROJAN Screenblaze SCR Related Backdoor - GET (emerging-virus.rules)
 2009805 - ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET (emerging-virus.rules)
 2009806 - ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet (emerging-virus.rules)
 2009807 - ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET (emerging-malware.rules)
 2009808 - ET TROJAN Win32.Virut - GET (emerging-virus.rules)
 2009809 - ET TROJAN Generic/Unknown Downloader Config to client (emerging-virus.rules)
 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (emerging-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (emerging-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (emerging-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (emerging-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (emerging-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (emerging-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (emerging-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (emerging-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (emerging-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (emerging-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (emerging-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (emerging-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (emerging-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (emerging-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (emerging-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (emerging-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (emerging-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (emerging-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (emerging-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (emerging-botcc.rules)
 2404020 - ET DROP Known Bot C&C Server Traffic (group 21)  (emerging-botcc.rules)
 2404021 - ET DROP Known Bot C&C Server Traffic (group 22)  (emerging-botcc.rules)
 2404022 - ET DROP Known Bot C&C Server Traffic (group 23)  (emerging-botcc.rules)
 2404023 - ET DROP Known Bot C&C Server Traffic (group 24)  (emerging-botcc.rules)
 2404024 - ET DROP Known Bot C&C Server Traffic (group 25)  (emerging-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405023 - ET DROP Known Bot C&C Traffic (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405024 - ET DROP Known Bot C&C Traffic (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2008802 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity (emerging.rules)
 2008803 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location (emerging.rules)
 2009024 - ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting (emerging.rules)
 2009114 - ET CURRENT_EVENTS Downadup/Conficker A Worm reporting (emerging.rules)
 2009200 - ET CURRENT_EVENTS Conficker.a Shellcode (emerging.rules)
 2009201 - ET CURRENT_EVENTS Conficker.b Shellcode (emerging.rules)
 2009205 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (emerging.rules)
 2009206 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging.rules)
 2009207 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging.rules)
 2009208 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging.rules)
 2009802 - ET TROJAN KillAV Downloader - GET (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-exploit.rules (2):
        # By Frank Knobbe
        # By evilghost

     -> Added to emerging-scan.rules (1):
        #by Bill Scherr IV

     -> Added to emerging-sid-msg.map (96):
        2007829 || ET TROJAN Illusion Bot (Lussilon) Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Illusion_Bot || url,doc.emergingthreats.net/2007829
        2008802 || ET TROJAN Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2008803 || ET TROJAN Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2009024 || ET TROJAN Downadup/Conficker A or B Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html
        2009114 || ET TROJAN Downadup/Conficker A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009114 || url,www.f-secure.com/weblog/archives/00001584.html
        2009200 || ET TROJAN Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388
        2009201 || ET TROJAN Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388
        2009205 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009206 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009207 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009208 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009781 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009781
        2009782 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009782
        2009783 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009783 || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,vil.nai.com/vil/content/v_151034.htm
        2009784 || ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009784
        2009785 || ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009785 || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,www.siteadvisor.com/sites/update.qvod.com
        2009786 || ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Bitweaver || url,doc.emergingthreats.net/2009786 || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/
        2009787 || ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Community_CMS || url,doc.emergingthreats.net/2009787 || url,milw0rm.com/exploits/8323 || bugtraq,34303
        2009788 || ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_RSS_Aggregator || url,doc.emergingthreats.net/2009788 || url,milw0rm.com/exploits/5900 || bugtraq,29873
        2009789 || ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_TinybutStrong || url,doc.emergingthreats.net/2009789 || url,vupen.com/english/advisories/2009/1304 || url,milw0rm.com/exploits/8667
        2009790 || ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_beLive || url,doc.emergingthreats.net/2009790 || url,secunia.com/advisories/35059/ || bugtraq,34968 || url,milw0rm.com/exploits/8680
        2009791 || ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_GS_RealEstate || url,doc.emergingthreats.net/2009791 || url,milw0rm.com/exploits/7117 || url,xforce.iss.net/xforce/xfdb/46638 || url,juniper.net/security/auto/vulnerabilities/vuln32307.html
        2009792 || ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Avax || url,doc.emergingthreats.net/2009792 || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || bugtraq,35582 || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt
        2009793 || ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Crawler || url,doc.emergingthreats.net/2009793 || url,milw0rm.com/exploits/6475 || bugtraq,31217
        2009794 || ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vidshare || url,doc.emergingthreats.net/2009794 || bugtraq,35033 || url,milw0rm.com/exploits/8737
        2009795 || ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Dog_Pedigree || url,doc.emergingthreats.net/2009795 || url,milw0rm.com/exploits/8738 || bugtraq,35032
        2009796 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009796
        2009797 || ET TROJAN Bifrose Response from victim || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose || url,doc.emergingthreats.net/2009797
        2009798 || ET POLICY Carbonite Online Backup SSL Handshake || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009798
        2009800 || ET POLICY Carbonite.com Backup Software Leaking MAC Address || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009800
        2009801 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009801
        2009803 || ET TROJAN Downloader Generic - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009803
        2009804 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_ScreenBlaze || url,doc.emergingthreats.net/2009804 || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,vil.nai.com/vil/content/v_156782.htm
        2009805 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Luder || url,doc.emergingthreats.net/2009805 || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none
        2009806 || ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PoisonIvy || url,doc.emergingthreats.net/2009806 || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597
        2009807 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search || url,doc.emergingthreats.net/2009807 || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,vil.nai.com/vil/content/v_103738.htm
        2009808 || ET TROJAN Win32.Virut - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virut || url,doc.emergingthreats.net/2009808 || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,free.avg.com/66558 || url,www.avast.com/eng/win32-virut.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut
        2009809 || ET TROJAN Generic/Unknown Downloader Config to client || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2009809
        2009810 || ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2009810 || url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter
        2009811 || ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington || url,doc.emergingthreats.net/2009811
        2009812 || ET TROJAN AVKiller with Backdoor checkin - HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller || url,doc.emergingthreats.net/2009812
        2009813 || ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_MyDNS || url,doc.emergingthreats.net/2009813
        2009814 || ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Doneltart || url,doc.emergingthreats.net/2009814
        2009815 || ET WEB Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009815 || url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm || url,msdn.microsoft.com/en-us/library/ms175046.aspx
        2009816 || ET WEB Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009816 || url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/
        2009817 || ET WEB Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009817 || url,technet.microsoft.com/en-us/library/ms181422.aspx
        2009818 || ET WEB Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009818 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009819 || ET WEB Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009819 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.dugger-it.com/articles/xp_fileexist.asp || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009820 || ET WEB Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009820 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009822 || ET WEB Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009822 || url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx
        2009823 || ET WEB Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI to View Database Source Name || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009823 || url,www.en.wikipedia.org/wiki/Database_Source_Name || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx
        2009824 || ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf || url,doc.emergingthreats.net/2009824 || url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html
        2009825 || ET TROJAN Win32.VB.tdq - Fake User-Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.VB || url,doc.emergingthreats.net/2009825 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654 || url,vil.nai.com/vil/content/v_187654.htm
        2009826 || ET TROJAN Generic Backdoor Retrieve Instructions/Configs - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware || url,doc.emergingthreats.net/2009826
        2009827 || ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Pavuk || url,doc.emergingthreats.net/2009827 || url,pavuk.sourceforge.net/about.html
        2009828 || ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP || url,doc.emergingthreats.net/2009828 || url,www.milw0rm.com/exploits/9541
        2009829 || ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET || url,www.threatexpert.com/threats/w32-virut-i.html || url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486
        2009830 || ET TROJAN Unknown Web Bot checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST
        2009831 || ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)
        2009832 || ET SCAN NETBIOS DCERPC rpcmgmt ifids Unauthenticated BIND || url,seclists.org/fulldisclosure/2003/Aug/0432.html || url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf || url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf
        2009833 || ET SCAN WITOOL SQL Injection Scan || url,witool.sourceforge.net/
        2009834 || ET WEB_SPECIFIC Joomla portalid Component UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009835 || ET WEB_SPECIFIC Joomla portalid Component SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009836 || ET WEB_SPECIFIC Joomla portalid Component DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009837 || ET SCAN OWASP Joomla Vulnerability Scanner Detected || url,www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
        2009838 || ET WEB_SPECIFIC WB News search.php config Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009839 || ET WEB_SPECIFIC WB News archive.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009840 || ET WEB_SPECIFIC WB News Archive.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009841 || ET WEB_SPECIFIC WB News comments.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009842 || ET WEB_SPECIFIC WB News Comments.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009843 || ET WEB_SPECIFIC WB News news.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009844 || ET WEB_SPECIFIC WB News News.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009845 || ET WEB_SPECIFIC WB News SendFriend.php config Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009846 || ET WEB_SPECIFIC WB News global.php config Parameter Remote File Inclusion || url,milw0rm.com/exploits/8026 || url,secunia.com/advisories/33691
        2009847 || ET WEB_ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow || url,juniper.net/security/auto/vulnerabilities/vuln8008.html || url,xforce.iss.net/xforce/xfdb/12423 || bugtraq,8008
        2009848 || ET WEB_SPECIFIC Dragoon header.inc.php root Parameter Remote File Inclusion || bugtraq,28660 || url,milw0rm.com/exploits/5393
        2009849 || ET WEB_SPECIFIC Flash Quiz num_questions.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009850 || ET WEB_SPECIFIC Flash Quiz answers.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009851 || ET WEB_SPECIFIC Flash Quiz answers.php order_number Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009852 || ET WEB_SPECIFIC Flash Quiz high_score_web.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009853 || ET WEB_SPECIFIC Flash Quiz results_table_web.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009854 || ET WEB_SPECIFIC Flash Quiz question.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009855 || ET WEB_SPECIFIC Flash Quiz question.php order_number Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009856 || ET WEB_SPECIFIC Flash Quiz high_score.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009857 || ET WEB_ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow || url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html || url,milw0rm.com/exploits/9116 || url,secunia.com/advisories/35764/
        2009858 || ET WEB_ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt || url,www.securityfocus.com/bid/36234/info
        2009860 || ET Exploit IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541
        2009861 || ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009861
        2009862 || ET TROJAN Banker Trojan CnC AddNew Command
        2009863 || ET TROJAN Banker Trojan CnC Hello Command
        2009864 || ET TROJAN Banker Trojan CnC Server Ping
        2009865 || ET TROJAN Unknown CnC Channel Keep Alive
        2009866 || ET TROJAN Unknown CnC Channel Keep Alive Server Response
        2009867 || ET MALWARE Suspicious User-Agent (Mozilla/3.0 (compatible)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009867
        2404025 || ET DROP Known Bot C&C Server Traffic (group 26)  || url,www.shadowserver.org
        2405025 || ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to emerging-sid-msg.map.txt (96):
        2007829 || ET TROJAN Illusion Bot (Lussilon) Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Illusion_Bot || url,doc.emergingthreats.net/2007829
        2008802 || ET TROJAN Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2008803 || ET TROJAN Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2009024 || ET TROJAN Downadup/Conficker A or B Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html
        2009114 || ET TROJAN Downadup/Conficker A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009114 || url,www.f-secure.com/weblog/archives/00001584.html
        2009200 || ET TROJAN Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388
        2009201 || ET TROJAN Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388
        2009205 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009206 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009207 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009208 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009781 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009781
        2009782 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009782
        2009783 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009783 || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,vil.nai.com/vil/content/v_151034.htm
        2009784 || ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009784
        2009785 || ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009785 || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,www.siteadvisor.com/sites/update.qvod.com
        2009786 || ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Bitweaver || url,doc.emergingthreats.net/2009786 || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/
        2009787 || ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Community_CMS || url,doc.emergingthreats.net/2009787 || url,milw0rm.com/exploits/8323 || bugtraq,34303
        2009788 || ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_RSS_Aggregator || url,doc.emergingthreats.net/2009788 || url,milw0rm.com/exploits/5900 || bugtraq,29873
        2009789 || ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_TinybutStrong || url,doc.emergingthreats.net/2009789 || url,vupen.com/english/advisories/2009/1304 || url,milw0rm.com/exploits/8667
        2009790 || ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_beLive || url,doc.emergingthreats.net/2009790 || url,secunia.com/advisories/35059/ || bugtraq,34968 || url,milw0rm.com/exploits/8680
        2009791 || ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_GS_RealEstate || url,doc.emergingthreats.net/2009791 || url,milw0rm.com/exploits/7117 || url,xforce.iss.net/xforce/xfdb/46638 || url,juniper.net/security/auto/vulnerabilities/vuln32307.html
        2009792 || ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Avax || url,doc.emergingthreats.net/2009792 || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || bugtraq,35582 || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt
        2009793 || ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Crawler || url,doc.emergingthreats.net/2009793 || url,milw0rm.com/exploits/6475 || bugtraq,31217
        2009794 || ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vidshare || url,doc.emergingthreats.net/2009794 || bugtraq,35033 || url,milw0rm.com/exploits/8737
        2009795 || ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Dog_Pedigree || url,doc.emergingthreats.net/2009795 || url,milw0rm.com/exploits/8738 || bugtraq,35032
        2009796 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009796
        2009797 || ET TROJAN Bifrose Response from victim || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose || url,doc.emergingthreats.net/2009797
        2009798 || ET POLICY Carbonite Online Backup SSL Handshake || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009798
        2009800 || ET POLICY Carbonite.com Backup Software Leaking MAC Address || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009800
        2009801 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite || url,doc.emergingthreats.net/2009801
        2009803 || ET TROJAN Downloader Generic - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2009803
        2009804 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_ScreenBlaze || url,doc.emergingthreats.net/2009804 || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,vil.nai.com/vil/content/v_156782.htm
        2009805 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Luder || url,doc.emergingthreats.net/2009805 || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none
        2009806 || ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PoisonIvy || url,doc.emergingthreats.net/2009806 || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597
        2009807 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search || url,doc.emergingthreats.net/2009807 || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,vil.nai.com/vil/content/v_103738.htm
        2009808 || ET TROJAN Win32.Virut - GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virut || url,doc.emergingthreats.net/2009808 || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,free.avg.com/66558 || url,www.avast.com/eng/win32-virut.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut
        2009809 || ET TROJAN Generic/Unknown Downloader Config to client || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2009809
        2009810 || ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible\; MSIE 7.0\; na\; .NET CLR 2.0.50727\; .NET CLR 3.0.4506.2152\; .NET CLR 3.5.30729)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lop || url,doc.emergingthreats.net/2009810 || url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter
        2009811 || ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington || url,doc.emergingthreats.net/2009811
        2009812 || ET TROJAN AVKiller with Backdoor checkin - HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller || url,doc.emergingthreats.net/2009812
        2009813 || ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_MyDNS || url,doc.emergingthreats.net/2009813
        2009814 || ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Doneltart || url,doc.emergingthreats.net/2009814
        2009815 || ET WEB Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009815 || url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm || url,msdn.microsoft.com/en-us/library/ms175046.aspx
        2009816 || ET WEB Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009816 || url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/
        2009817 || ET WEB Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009817 || url,technet.microsoft.com/en-us/library/ms181422.aspx
        2009818 || ET WEB Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009818 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009819 || ET WEB Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009819 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.dugger-it.com/articles/xp_fileexist.asp || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009820 || ET WEB Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009820 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
        2009822 || ET WEB Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009822 || url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005 || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx
        2009823 || ET WEB Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI to View Database Source Name || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_MSSQL_Stored || url,doc.emergingthreats.net/2009823 || url,www.en.wikipedia.org/wiki/Database_Source_Name || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx
        2009824 || ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf || url,doc.emergingthreats.net/2009824 || url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html
        2009825 || ET TROJAN Win32.VB.tdq - Fake User-Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.VB || url,doc.emergingthreats.net/2009825 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654 || url,vil.nai.com/vil/content/v_187654.htm
        2009826 || ET TROJAN Generic Backdoor Retrieve Instructions/Configs - HTTP GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware || url,doc.emergingthreats.net/2009826
        2009827 || ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Pavuk || url,doc.emergingthreats.net/2009827 || url,pavuk.sourceforge.net/about.html
        2009828 || ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP || url,doc.emergingthreats.net/2009828 || url,www.milw0rm.com/exploits/9541
        2009829 || ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET || url,www.threatexpert.com/threats/w32-virut-i.html || url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486
        2009830 || ET TROJAN Unknown Web Bot checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST
        2009831 || ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)
        2009832 || ET SCAN NETBIOS DCERPC rpcmgmt ifids Unauthenticated BIND || url,seclists.org/fulldisclosure/2003/Aug/0432.html || url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf || url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf
        2009833 || ET SCAN WITOOL SQL Injection Scan || url,witool.sourceforge.net/
        2009834 || ET WEB_SPECIFIC Joomla portalid Component UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009835 || ET WEB_SPECIFIC Joomla portalid Component SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009836 || ET WEB_SPECIFIC Joomla portalid Component DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36206/info || url,www.milw0rm.org/exploits/9563
        2009837 || ET SCAN OWASP Joomla Vulnerability Scanner Detected || url,www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
        2009838 || ET WEB_SPECIFIC WB News search.php config Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009839 || ET WEB_SPECIFIC WB News archive.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009840 || ET WEB_SPECIFIC WB News Archive.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009841 || ET WEB_SPECIFIC WB News comments.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009842 || ET WEB_SPECIFIC WB News Comments.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009843 || ET WEB_SPECIFIC WB News news.php config Parameter Remote File Inclusion -1 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009844 || ET WEB_SPECIFIC WB News News.php config Parameter Remote File Inclusion -2 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009845 || ET WEB_SPECIFIC WB News SendFriend.php config Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || bugtraq,33434
        2009846 || ET WEB_SPECIFIC WB News global.php config Parameter Remote File Inclusion || url,milw0rm.com/exploits/8026 || url,secunia.com/advisories/33691
        2009847 || ET WEB_ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow || url,juniper.net/security/auto/vulnerabilities/vuln8008.html || url,xforce.iss.net/xforce/xfdb/12423 || bugtraq,8008
        2009848 || ET WEB_SPECIFIC Dragoon header.inc.php root Parameter Remote File Inclusion || bugtraq,28660 || url,milw0rm.com/exploits/5393
        2009849 || ET WEB_SPECIFIC Flash Quiz num_questions.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009850 || ET WEB_SPECIFIC Flash Quiz answers.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009851 || ET WEB_SPECIFIC Flash Quiz answers.php order_number Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009852 || ET WEB_SPECIFIC Flash Quiz high_score_web.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009853 || ET WEB_SPECIFIC Flash Quiz results_table_web.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009854 || ET WEB_SPECIFIC Flash Quiz question.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009855 || ET WEB_SPECIFIC Flash Quiz question.php order_number Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009856 || ET WEB_SPECIFIC Flash Quiz high_score.php quiz Parameter SQL Injection || url,milw0rm.com/exploits/8759 || bugtraq,35060
        2009857 || ET WEB_ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow || url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html || url,milw0rm.com/exploits/9116 || url,secunia.com/advisories/35764/
        2009858 || ET WEB_ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt || url,www.securityfocus.com/bid/36234/info
        2009860 || ET Exploit IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541
        2009861 || ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009861
        2009862 || ET TROJAN Banker Trojan CnC AddNew Command
        2009863 || ET TROJAN Banker Trojan CnC Hello Command
        2009864 || ET TROJAN Banker Trojan CnC Server Ping
        2009865 || ET TROJAN Unknown CnC Channel Keep Alive
        2009866 || ET TROJAN Unknown CnC Channel Keep Alive Server Response
        2009867 || ET MALWARE Suspicious User-Agent (Mozilla/3.0 (compatible)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009867
        2404025 || ET DROP Known Bot C&C Server Traffic (group 26)  || url,www.shadowserver.org
        2405025 || ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to emerging-virus.rules (16):
        # ref: 01683fba555b59dac497a390e5afea47
        #banker trojan with a custom cnc
        #by Kevin Ross
        # By RPG and Jack Pepper
        #by Tillman Werner
        #Disabling in favor of the preproc and SO rules that are now available
        #ref: d253db84a6d08dbeec6426c4c4d212a6
        # ref: 703432baec9fbd9ffed5fa2af0510166
        # ref: 3ef704eaa54118d277d52a1fe9bbcaa4
        # ref: d96eaa91b6af24f4ed1616a817e5a819
        # ref: 7f417525009a554c82d1329a26c60a90
        # ref: 07fe977eb92b9ecc4b40f182604223fb
        # ref: 2763eedda0b2dc446adb1f84f9f35fc1
        #matt jonkman, re aab13cae762c86e21beb82c7c75fb1cf
        # ref: 452b0c4cefeb0339d69582174954210e
        # ref: 2e79af552fa6d3bd2cb654cc0f15cd76

     -> Added to emerging-web_sql_injection.rules (1):
        #by kevin ross

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (239):
        2007829 || ET TROJAN Illusion Bot (Lussilon) Checkin
        2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2009024 || ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html
        2009114 || ET CURRENT_EVENTS Downadup/Conficker A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009114 || url,www.f-secure.com/weblog/archives/00001584.html
        2009200 || ET CURRENT_EVENTS Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388
        2009201 || ET CURRENT_EVENTS Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388
        2009205 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009206 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009207 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009208 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009781 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET
        2009782 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET
        2009783 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,vil.nai.com/vil/content/v_151034.htm
        2009784 || ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET
        2009785 || ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,www.siteadvisor.com/sites/update.qvod.com
        2009786 || ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/
        2009787 || ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection || url,milw0rm.com/exploits/8323 || bugtraq,34303
        2009788 || ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5900 || bugtraq,29873
        2009789 || ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,vupen.com/english/advisories/2009/1304 || url,milw0rm.com/exploits/8667
        2009790 || ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion || url,secunia.com/advisories/35059/ || bugtraq,34968 || url,milw0rm.com/exploits/8680
        2009791 || ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,milw0rm.com/exploits/7117 || url,xforce.iss.net/xforce/xfdb/46638 || url,juniper.net/security/auto/vulnerabilities/vuln32307.html
        2009792 || ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || bugtraq,35582 || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt
        2009793 || ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion || url,milw0rm.com/exploits/6475 || bugtraq,31217
        2009794 || ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection || bugtraq,35033 || url,milw0rm.com/exploits/8737
        2009795 || ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || url,milw0rm.com/exploits/8738 || bugtraq,35032
        2009796 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)
        2009797 || ET TROJAN Bifrose Response from victim
        2009798 || ET POLICY Carbonite Online Backup SSL Handshake
        2009800 || ET POLICY Carbonite.com Backup Software Leaking MAC Address
        2009801 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)
        2009802 || ET TROJAN KillAV Downloader - GET || url,www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html || url,www.im-infected.com/trojan/trojanwin32killav-dk.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.DK&ThreatID=142699
        2009803 || ET TROJAN Downloader Generic - GET
        2009804 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,vil.nai.com/vil/content/v_156782.htm
        2009805 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none
        2009806 || ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597
        2009807 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,vil.nai.com/vil/content/v_103738.htm
        2009808 || ET TROJAN Win32.Virut - GET || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,free.avg.com/66558 || url,www.avast.com/eng/win32-virut.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut
        2009809 || ET TROJAN Generic/Unknown Downloader Config to client
        2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500330 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500331 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500332 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500333 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500334 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500335 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500336 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500337 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500338 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500339 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500340 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500341 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500342 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500343 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500344 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500345 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510330 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510331 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510332 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510333 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510334 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510335 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510336 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510337 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510338 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510339 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510340 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510341 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510342 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510343 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510344 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510345 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (239):
        2007829 || ET TROJAN Illusion Bot (Lussilon) Checkin
        2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
        2009024 || ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html
        2009114 || ET CURRENT_EVENTS Downadup/Conficker A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009114 || url,www.f-secure.com/weblog/archives/00001584.html
        2009200 || ET CURRENT_EVENTS Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388
        2009201 || ET CURRENT_EVENTS Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388
        2009205 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009206 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009207 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009208 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
        2009781 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (Mtune) - GET
        2009782 || ET MALWARE Generic Downloader/Dropper Suspious User-Agent (InPost) - GET
        2009783 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,vil.nai.com/vil/content/v_151034.htm
        2009784 || ET MALWARE Generic Downloader\/Dropper with Rootkit User-Agent \(INT\) - GET
        2009785 || ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown) - GET || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,www.siteadvisor.com/sites/update.qvod.com
        2009786 || ET WEB_SPECIFIC Bitweaver boards_rss.php version Parameter Directory Traversal || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/
        2009787 || ET WEB_SPECIFIC Community CMS view.php article_id Parameter SQL Injection || url,milw0rm.com/exploits/8323 || bugtraq,34303
        2009788 || ET WEB_SPECIFIC RSS-aggregator display.php path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5900 || bugtraq,29873
        2009789 || ET WEB_SPECIFIC TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,vupen.com/english/advisories/2009/1304 || url,milw0rm.com/exploits/8667
        2009790 || ET WEB_SPECIFIC beLive arch.php arch Parameter Local File Inclusion || url,secunia.com/advisories/35059/ || bugtraq,34968 || url,milw0rm.com/exploits/8680
        2009791 || ET WEB_SPECIFIC GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,milw0rm.com/exploits/7117 || url,xforce.iss.net/xforce/xfdb/46638 || url,juniper.net/security/auto/vulnerabilities/vuln32307.html
        2009792 || ET WEB_ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || bugtraq,35582 || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt
        2009793 || ET WEB_SPECIFIC PHP Crawler footer.php footer_file Parameter Remote File Inclusion || url,milw0rm.com/exploits/6475 || bugtraq,31217
        2009794 || ET WEB_SPECIFIC VidShare Pro listing_video.php catid Parameter SQL Injection || bugtraq,35033 || url,milw0rm.com/exploits/8737
        2009795 || ET WEB_SPECIFIC Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || url,milw0rm.com/exploits/8738 || bugtraq,35032
        2009796 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)
        2009797 || ET TROJAN Bifrose Response from victim
        2009798 || ET POLICY Carbonite Online Backup SSL Handshake
        2009800 || ET POLICY Carbonite.com Backup Software Leaking MAC Address
        2009801 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)
        2009802 || ET TROJAN KillAV Downloader - GET || url,www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html || url,www.im-infected.com/trojan/trojanwin32killav-dk.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.DK&ThreatID=142699
        2009803 || ET TROJAN Downloader Generic - GET
        2009804 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,vil.nai.com/vil/content/v_156782.htm
        2009805 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none
        2009806 || ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597
        2009807 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,vil.nai.com/vil/content/v_103738.htm
        2009808 || ET TROJAN Win32.Virut - GET || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,free.avg.com/66558 || url,www.avast.com/eng/win32-virut.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut
        2009809 || ET TROJAN Generic/Unknown Downloader Config to client
        2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500330 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500331 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500332 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500333 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500334 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500335 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500336 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500337 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500338 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500339 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500340 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500341 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500342 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500343 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500344 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500345 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510330 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510331 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510332 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510333 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510334 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510335 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510336 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510337 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510338 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510339 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510340 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510341 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510342 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510343 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510344 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510345 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-virus.rules (1):
        #ref:a9fc114ac335b1121410fa7ef29d4d73

     -> Removed from emerging.rules (3):
        # By RPG and Jack Pepper
        #by Tillman Werner
        #Disabling in favor of the preproc and SO rules that are now available


From emerging at emergingthreats.net  Sun Sep  6 16:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun,  6 Sep 2009 16:00:13 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090906200013.092244501B@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sun Sep  6 16:00:12 2009 [***]

[*] Rules modifications: [*]
    None.

[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (76):
        2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (76):
        2500246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510246 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510247 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510248 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510249 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510250 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510251 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510252 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510253 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510254 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510255 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510256 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510257 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510258 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510259 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510260 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510261 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510262 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510263 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510264 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510265 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510266 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510267 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510268 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510269 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510270 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510271 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510272 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510273 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510274 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510275 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510276 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510277 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510278 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510279 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510280 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510281 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510282 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510283 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From emerging at emergingthreats.net  Mon Sep  7 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon,  7 Sep 2009 16:00:12 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090907200012.B12F74504D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Mon Sep  7 16:00:12 2009 [***]

[*] Rules modifications: [*]
    None.

[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (68):
        2500284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (68):
        2500284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510284 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510285 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510286 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510287 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510288 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510289 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510290 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510291 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510292 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510293 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510294 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510295 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510296 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510297 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510298 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510299 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510300 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510301 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510302 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510303 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510304 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510305 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510306 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510307 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510308 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510309 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510310 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510311 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510312 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510313 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510314 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510315 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510316 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510317 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From r.fulton at auckland.ac.nz  Tue Sep  8 00:28:11 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Tue, 8 Sep 2009 16:28:11 +1200
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <314cf0830909031016v3b288f4am36e8e09fab9cb3ef@mail.gmail.com>
References: <1251755569.42741.11.camel@localhost>
	<4A9FF7BB.3060207@packetmail.net>
	<e75cc74a0909031010r5c8c41e7p2d44913f1fc1dae2@mail.gmail.com>
	<e75cc74a0909031013x4e04d56ava25f13ad30eb4e67@mail.gmail.com>
	<314cf0830909031016v3b288f4am36e8e09fab9cb3ef@mail.gmail.com>
Message-ID: <D8F94EC0-A349-4281-9F3F-FE89F88FA158@auckland.ac.nz>


On 4/09/2009, at 5:16 AM, Joel Esler wrote:

> I'll post it again.
>
> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability.html
>
> There are rules, so old, they are in the FREE set, like, pre vrt  
> license set.  Like, pre bleeding snort ever existed set.  Plus, the  
> preprocessor does this for you.  Always has -- by default.

The problem I find with the ftp preprocessor is that we see many hits  
on various (non standard ?) ftp servers -- yes, I've tweaked the snort  
conf to add some commands but we still see lots of hits on fairly  
standard stuff. I has got to the stage where I am suppressing quite a  
few of the sids.  Also we have some ftp servers with *very* long  
directory trees and these trigger some of the rules.

Can't win :)

Russell 

From signatures at stillsecure.com  Tue Sep  8 04:55:57 2009
From: signatures at stillsecure.com (signatures)
Date: Tue, 8 Sep 2009 02:55:57 -0600
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Sep - 08 - 2009
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C293D@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1.       WEB-PHP XRMS CRM workflow-activities.php include_directory Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP XRMS CRM workflow-activities.php include_directory Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/activities/workflow-activities.php?";nocase; uricontent:"include_directory="; nocase; pcre:"/include_directory=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2008-3399; reference:url,milw0rm.com/exploits/6131; reference:url,xforce.iss.net/xforce/xfdb/43992; sid:7613; rev:1;)



2.       WEB-PHP PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/converter.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; classtype:web-application-attack;reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; sid:7614; rev:1;)



3.       WEB-PHP PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/messages.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; classtype:web-application-attack; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; sid:7615; rev:1;)



4.       WEB-PHP PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/settings.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; classtype:web-application-attack; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; sid:7616; rev:1;)



5.       WEB-PHP cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/_functions.php?"; nocase; uricontent:"GLOBALS[prefix]="; nocase; pcre:"/GLOBALS\[prefix\]=\s*(ftps?|https?|php)\://Ui"; classtype:web-application-attack; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; sid:7617; rev:1;)



6.       WEB-PHP cpCommerce _functions.php GLOBALS Parameter Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP cpCommerce _functions.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/_functions.php?"; nocase; uricontent:"GLOBALS[prefix]="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; sid:7618; rev:1;)



7.       WEB-PHP Dokuwiki doku.php config_cascade Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Dokuwiki doku.php config_cascade Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/doku.php?"; nocase; uricontent:"config_cascade[main][default][]="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,35095; reference:url,milw0rm.com/exploits/8781; sid:7619; rev:1;)



8.       WEB-PHP VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin.googlebase.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32098; reference:url,milw0rm.com/exploits/6975; sid:7636; rev:1;)



9.       WEB-PHP Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/mypage.php?"; nocase; uricontent:"trg="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32467; reference:bugtraq,31986; reference:url,milw0rm.com/exploits/6874; sid:7638; rev:1;)



10.   WEB-ATTACKS office web component ActiveX memory allocation vuln clsid access
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS office web component ActiveX memory allocation vuln clsid access"; flow:established,to_client; content:"0002E543-0000-0000-C000-000000000046"; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E543-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; classtype:attempted-user; reference:bugtraq,35990; reference:cve,2009-0562; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx <http://www.microsoft.com/technet/security/Bulletin/MS09-043.mspx> ; sid:9084; rev:2;)

Looking for your comments, if any...

 
Thanks & Regards,
StillSecure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/245072be/attachment-0001.html

From mail at mare-system.de  Tue Sep  8 05:20:12 2009
From: mail at mare-system.de (mare-technik)
Date: Tue, 08 Sep 2009 11:20:12 +0200
Subject: [Emerging-Sigs] emerging.rules.tar.gz corrupt?
Message-ID: <4AA621CC.3080903@mare-system.de>


while trying to oink-update some rulesets i get an
error when doing the ET rulesets: 


Loading oinkmaster.conf
Downloading file from http://www.emergingthreats.net/rules/emerging.rules.tar.gz... done.
tar: Unerwartetes Dateiende im Archiv.  *)
tar: Nicht behebbarer Fehler: Programmabbruch.  **) 

./snort-ruler/misc/oinkmaster/oinkmaster.pl: Error: http://www.emergingthreats.net/rules/emerging.rules.tar.gz: could not list files in tar archive (is it broken?)


i can download the archive via webbrowser, and i can check it with
mc (midnight commander), but i can' extract it via tar or any
other archive-program. 



-------------------------------------------

google-translation
*)  Unexpected end of file in the archive
**) Unrecoverable error: Program Termination


-- 


mex


MARE System Kiel      .:.   http://www.mare-system.de

From evilghost at packetmail.net  Tue Sep  8 08:44:37 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 8 Sep 2009 07:44:37 -0500
Subject: [Emerging-Sigs] emerging.rules.tar.gz corrupt?
In-Reply-To: <4AA621CC.3080903@mare-system.de>
References: <4AA621CC.3080903@mare-system.de>
Message-ID: <4AA651B5.5060904@packetmail.net>

I agree, it looks like a bad archive, right around line #802 in 
emerging-rbn.rules the archive fails/is truncated.  I had to re-push my 
rules using the ZIP archive.

rules/emerging-rbn.rules
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now'

The ZIP file, emerging.rules.zip, appears unaffected.  md5 matches.

mare-technik wrote:
> while trying to oink-update some rulesets i get an
> error when doing the ET rulesets: 
>
>
> Loading oinkmaster.conf
> Downloading file from http://www.emergingthreats.net/rules/emerging.rules.tar.gz... done.
> tar: Unerwartetes Dateiende im Archiv.  *)
> tar: Nicht behebbarer Fehler: Programmabbruch.  **) 
>
> ./snort-ruler/misc/oinkmaster/oinkmaster.pl: Error: http://www.emergingthreats.net/rules/emerging.rules.tar.gz: could not list files in tar archive (is it broken?)
>
>
> i can download the archive via webbrowser, and i can check it with
> mc (midnight commander), but i can' extract it via tar or any
> other archive-program. 
>
>
>
> -------------------------------------------
>
> google-translation
> *)  Unexpected end of file in the archive
> **) Unrecoverable error: Program Termination
>
>
>   

From jonkman at jonkmans.com  Tue Sep  8 08:48:27 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 08 Sep 2009 08:48:27 -0400
Subject: [Emerging-Sigs] emerging.rules.tar.gz corrupt?
In-Reply-To: <4AA651B5.5060904@packetmail.net>
References: <4AA621CC.3080903@mare-system.de> <4AA651B5.5060904@packetmail.net>
Message-ID: <4AA6529B.9020008@jonkmans.com>

Sorry for that, we had a runaway backup fill a disk last night. All
fixed up and a non-corrupt tarball is now available.

Look better now?

Matt

evilghost at packetmail.net wrote:
> I agree, it looks like a bad archive, right around line #802 in 
> emerging-rbn.rules the archive fails/is truncated.  I had to re-push my 
> rules using the ZIP archive.
> 
> rules/emerging-rbn.rules
> tar: Unexpected EOF in archive
> tar: Unexpected EOF in archive
> tar: Error is not recoverable: exiting now'
> 
> The ZIP file, emerging.rules.zip, appears unaffected.  md5 matches.
> 
> mare-technik wrote:
>> while trying to oink-update some rulesets i get an
>> error when doing the ET rulesets: 
>>
>>
>> Loading oinkmaster.conf
>> Downloading file from http://www.emergingthreats.net/rules/emerging.rules.tar.gz... done.
>> tar: Unerwartetes Dateiende im Archiv.  *)
>> tar: Nicht behebbarer Fehler: Programmabbruch.  **) 
>>
>> ./snort-ruler/misc/oinkmaster/oinkmaster.pl: Error: http://www.emergingthreats.net/rules/emerging.rules.tar.gz: could not list files in tar archive (is it broken?)
>>
>>
>> i can download the archive via webbrowser, and i can check it with
>> mc (midnight commander), but i can' extract it via tar or any
>> other archive-program. 
>>
>>
>>
>> -------------------------------------------
>>
>> google-translation
>> *)  Unexpected end of file in the archive
>> **) Unrecoverable error: Program Termination
>>
>>
>>   
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From evilghost at packetmail.net  Tue Sep  8 08:55:39 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 8 Sep 2009 07:55:39 -0500
Subject: [Emerging-Sigs] emerging.rules.tar.gz corrupt?
In-Reply-To: <4AA6529B.9020008@jonkmans.com>
References: <4AA621CC.3080903@mare-system.de> <4AA651B5.5060904@packetmail.net>
	<4AA6529B.9020008@jonkmans.com>
Message-ID: <4AA6544B.70606@packetmail.net>

Looks good, thanks Matt.

Matt Jonkman wrote:
> Sorry for that, we had a runaway backup fill a disk last night. All
> fixed up and a non-corrupt tarball is now available.
>
> Look better now?
>
> Matt
>
> evilghost at packetmail.net wrote:
>   
>> I agree, it looks like a bad archive, right around line #802 in 
>> emerging-rbn.rules the archive fails/is truncated.  I had to re-push my 
>> rules using the ZIP archive.
>>
>> rules/emerging-rbn.rules
>> tar: Unexpected EOF in archive
>> tar: Unexpected EOF in archive
>> tar: Error is not recoverable: exiting now'
>>
>> The ZIP file, emerging.rules.zip, appears unaffected.  md5 matches.
>>
>> mare-technik wrote:
>>     
>>> while trying to oink-update some rulesets i get an
>>> error when doing the ET rulesets: 
>>>
>>>
>>> Loading oinkmaster.conf
>>> Downloading file from http://www.emergingthreats.net/rules/emerging.rules.tar.gz... done.
>>> tar: Unerwartetes Dateiende im Archiv.  *)
>>> tar: Nicht behebbarer Fehler: Programmabbruch.  **) 
>>>
>>> ./snort-ruler/misc/oinkmaster/oinkmaster.pl: Error: http://www.emergingthreats.net/rules/emerging.rules.tar.gz: could not list files in tar archive (is it broken?)
>>>
>>>
>>> i can download the archive via webbrowser, and i can check it with
>>> mc (midnight commander), but i can' extract it via tar or any
>>> other archive-program. 
>>>
>>>
>>>
>>> -------------------------------------------
>>>
>>> google-translation
>>> *)  Unexpected end of file in the archive
>>> **) Unrecoverable error: Program Termination
>>>
>>>
>>>   
>>>       
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>     
>
>   

From eslerj at gmail.com  Tue Sep  8 09:03:27 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 09:03:27 -0400
Subject: [Emerging-Sigs] IIS-FTP exploit signature (milw0rm) released
In-Reply-To: <D8F94EC0-A349-4281-9F3F-FE89F88FA158@auckland.ac.nz>
References: <1251755569.42741.11.camel@localhost>
	<4A9FF7BB.3060207@packetmail.net>
	<e75cc74a0909031010r5c8c41e7p2d44913f1fc1dae2@mail.gmail.com>
	<e75cc74a0909031013x4e04d56ava25f13ad30eb4e67@mail.gmail.com>
	<314cf0830909031016v3b288f4am36e8e09fab9cb3ef@mail.gmail.com>
	<D8F94EC0-A349-4281-9F3F-FE89F88FA158@auckland.ac.nz>
Message-ID: <314cf0830909080603od34bcccv9a6192b9ac863d4e@mail.gmail.com>

On Tue, Sep 8, 2009 at 12:28 AM, Russell Fulton <r.fulton at auckland.ac.nz>wrote:

>
> On 4/09/2009, at 5:16 AM, Joel Esler wrote:
>
> > I'll post it again.
> >
> >
> http://vrt-sourcefire.blogspot.com/2009/09/microsoft-iis-ftp-vulnerability.html
> >
> > There are rules, so old, they are in the FREE set, like, pre vrt
> > license set.  Like, pre bleeding snort ever existed set.  Plus, the
> > preprocessor does this for you.  Always has -- by default.
>
> The problem I find with the ftp preprocessor is that we see many hits
> on various (non standard ?) ftp servers -- yes, I've tweaked the snort
> conf to add some commands but we still see lots of hits on fairly
> standard stuff. I has got to the stage where I am suppressing quite a
> few of the sids.  Also we have some ftp servers with *very* long
> directory trees and these trigger some of the rules.
>

You can specify individual IPs for those directory trees and increase the
length of the lines.  I assume you know that though.


>
> Can't win :)
>
>
Sure you can.  I do it for a living :)

J
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/d4ce8ca5/attachment.html

From mail at mare-system.de  Tue Sep  8 09:53:12 2009
From: mail at mare-system.de (mare-technik)
Date: Tue, 08 Sep 2009 15:53:12 +0200
Subject: [Emerging-Sigs] emerging.rules.tar.gz corrupt?
In-Reply-To: <4AA6529B.9020008@jonkmans.com>
References: <4AA621CC.3080903@mare-system.de> <4AA651B5.5060904@packetmail.net>
	<4AA6529B.9020008@jonkmans.com>
Message-ID: <4AA661C8.9000908@mare-system.de>


works now, thanx.



Matt Jonkman wrote:
> Sorry for that, we had a runaway backup fill a disk last night. All
> fixed up and a non-corrupt tarball is now available.
> 
> Look better now?
> 
> Matt
> 

From jonkman at jonkmans.com  Tue Sep  8 11:15:07 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 08 Sep 2009 11:15:07 -0400
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Sep - 08 - 2009
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C293D@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C293D@webmail.latis.com>
Message-ID: <4AA674FB.1050801@jonkmans.com>

All posted, thanks!

signatures wrote:
> Hi Matt,
> 
> Please find 10 New Signatures below:
> 
> 1.       *WEB-PHP XRMS CRM workflow-activities.php include_directory
> Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> XRMS CRM workflow-activities.php include_directory Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/activities/workflow-activities.php?";nocase;
> uricontent:"include_directory="; nocase;
> pcre:"/include_directory=\s*(https?|ftps?|php)\:\//Ui";
> classtype:web-application-attack; reference:cve,CVE-2008-3399;
> reference:url,milw0rm.com/exploits/6131;
> reference:url,xforce.iss.net/xforce/xfdb/43992; sid:7613; rev:1;)
> 
> 2.       *WEB-PHP PHPauction GPL converter.inc.php include_path
> Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> PHPauction GPL converter.inc.php include_path Parameter Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/includes/converter.inc.php?"; nocase;
> uricontent:"include_path="; nocase;
> pcre:"/include_path=\s*(ftps?|https?|php)\://Ui";
> classtype:web-application-attack;reference:url,vupen.com/english/advisories/2008/0908;
> reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266;
> sid:7614; rev:1;)
> 
> 3.       *WEB-PHP PHPauction GPL messages.inc.php include_path Parameter
> Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> PHPauction GPL messages.inc.php include_path Parameter Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/includes/messages.inc.php?"; nocase;
> uricontent:"include_path="; nocase;
> pcre:"/include_path=\s*(ftps?|https?|php)\://Ui";
> classtype:web-application-attack;
> reference:url,vupen.com/english/advisories/2008/0908;
> reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266;
> sid:7615; rev:1;)
> 
> 4.       *WEB-PHP PHPauction GPL settings.inc.php include_path Parameter
> Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> PHPauction GPL settings.inc.php include_path Parameter Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/includes/settings.inc.php?"; nocase;
> uricontent:"include_path="; nocase;
> pcre:"/include_path=\s*(ftps?|https?|php)\://Ui";
> classtype:web-application-attack;
> reference:url,vupen.com/english/advisories/2008/0908;
> reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266;
> sid:7616; rev:1;)
> 
> 5.       *WEB-PHP cpCommerce _functions.php GLOBALS Parameter Remote
> File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/_functions.php?"; nocase; uricontent:"GLOBALS[prefix]=";
> nocase; pcre:"/GLOBALS\[prefix\]=\s*(ftps?|https?|php)\://Ui";
> classtype:web-application-attack; reference:bugtraq,35103;
> reference:url,milw0rm.com/exploits/8790; sid:7617; rev:1;)
> 
> 6.       *WEB-PHP cpCommerce _functions.php GLOBALS Parameter Local File
> Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> cpCommerce _functions.php GLOBALS Parameter Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/_functions.php?"; nocase; uricontent:"GLOBALS[prefix]=";
> nocase; content:"../"; classtype:web-application-attack;
> reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790;
> sid:7618; rev:1;)
> 
> 7.       *WEB-PHP Dokuwiki doku.php config_cascade Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Dokuwiki doku.php config_cascade Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/doku.php?"; nocase;
> uricontent:"config_cascade[main][default][]="; nocase; content:"../";
> classtype:web-application-attack; reference:bugtraq,35095;
> reference:url,milw0rm.com/exploits/8781; sid:7619; rev:1;)
> 
> 8.       *WEB-PHP VirtueMart Google Base Component admin.googlebase.php
> Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> VirtueMart Google Base Component admin.googlebase.php Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/admin.googlebase.php?"; nocase;
> uricontent:"mosConfig_absolute_path="; nocase;
> pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,32098;
> reference:url,milw0rm.com/exploits/6975; sid:7636; rev:1;)
> 
> 9.       *WEB-PHP Harlandscripts Pro Traffic One mypage.php trg
> Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/mypage.php?"; nocase; uricontent:"trg="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32467; reference:bugtraq,31986;
> reference:url,milw0rm.com/exploits/6874; sid:7638; rev:1;)
> 
> 10.   *WEB-ATTACKS office web component ActiveX memory allocation vuln
> clsid access*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> office web component ActiveX memory allocation vuln clsid access";
> flow:established,to_client;
> content:"0002E543-0000-0000-C000-000000000046"; nocase;
> pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E543-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si";
> classtype:attempted-user; reference:bugtraq,35990;
> reference:cve,2009-0562;
> reference:url,www.microsoft.com/technet/security/Bulletin/MS09-043.mspx
> <http://www.microsoft.com/technet/security/Bulletin/MS09-043.mspx>;
> sid:9084; rev:2;)
> 
> Looking for your comments, if any?
> 
>  
> Thanks & Regards,
> StillSecure
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From campesic at centenarycollege.edu  Tue Sep  8 12:09:05 2009
From: campesic at centenarycollege.edu (Campesi, Christopher)
Date: Tue, 8 Sep 2009 12:09:05 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
Message-ID: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff
|SMB";distance:3;content:"|00
26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com
/exploitalert/7138;sid:XXXXXXXXX;rev:1;)

 

http://securityreason.com/exploitalert/7138

 

 

-Chris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/bde29156/attachment.html

From jonkman at jonkmans.com  Tue Sep  8 12:27:48 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 08 Sep 2009 12:27:48 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
Message-ID: <4AA68604.7090009@jonkmans.com>

Thanks Christopher, posted for testing. Please give feedback. This is an
ugly problem...

Matt

Campesi, Christopher wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
> 26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
> 
>  
> 
> http://securityreason.com/exploitalert/7138
> 
>  
> 
>  
> 
> -Chris
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From evilghost at packetmail.net  Tue Sep  8 12:46:57 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 8 Sep 2009 11:46:57 -0500
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA68604.7090009@jonkmans.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68604.7090009@jonkmans.com>
Message-ID: <4AA68A81.40302@packetmail.net>

Falsing heavily here, as in, mapping the network.  I can provide 
specifics if necessary.

Matt Jonkman wrote:
> Thanks Christopher, posted for testing. Please give feedback. This is an
> ugly problem...
>
> Matt
>
> Campesi, Christopher wrote:
>   
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>> 26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
>>
>>  
>>
>> http://securityreason.com/exploitalert/7138
>>
>>  
>>
>>  
>>
>> -Chris
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>     
>
>   

From kevross33 at googlemail.com  Tue Sep  8 12:49:17 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 8 Sep 2009 17:49:17 +0100
Subject: [Emerging-Sigs] Multiple HTTP ACTi nvUnifiedControl Sigs
Message-ID: <e75cc74a0909080949r7aa45b18oa367118189a28709@mail.gmail.com>

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB_ACTIVEX
Possible HTTP ACTi SetText() nvUnifiedControl.dll Buffer Overflow Attempt";
flow:established,from_server; content:"clsid"; nocase;
content:"A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8"; nocase; distance:0;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8/si";
classtype:attempted-user; reference:url,
tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429;
reference:url,
www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546;
reference:url,www.securityfocus.com/bid/25465; sid:12000001; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB_ACTIVEX
Possible HTTP ACTi SaveXMLFile()/DeleteXMLFile() nvUnifiedControl.dll
Arbitrary File Overwrite/Deletion Attempt"; flow:established,from_server;
content:"clsid"; nocase; content:"A0D43FB0-116B-47AB-80FB-6DCFA92A03E3";
nocase; distance:0;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A0D43FB0-116B-47AB-80FB-6DCFA92A03E3/si";
classtype:attempted-user; reference:url,
tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429;
reference:url,
www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546;
reference:url,www.securityfocus.com/bid/25465; sid:12000002; rev:1;)

Kev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/a2c02ded/attachment.html

From jaxgough at hotmail.com  Tue Sep  8 12:55:13 2009
From: jaxgough at hotmail.com (Jax Gough)
Date: Tue, 8 Sep 2009 17:55:13 +0100
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA68A81.40302@packetmail.net>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68604.7090009@jonkmans.com>  <4AA68A81.40302@packetmail.net>
Message-ID: <BLU106-W2724567084A3EDB1781744CEEA0@phx.gbl>


Hi,

 

I am using

 

\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x26


(yes it is a cut and paste and clip from the code)

 

got it in Niksun and Juniper, so far no false positives, only true ones.  Won't take much to render this useless.

 

Cheers,

 

Jax

 
> From: evilghost at packetmail.net
> To: jonkman at jonkmans.com
> Date: Tue, 8 Sep 2009 11:46:57 -0500
> CC: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
> 
> Falsing heavily here, as in, mapping the network. I can provide 
> specifics if necessary.
> 
> Matt Jonkman wrote:
> > Thanks Christopher, posted for testing. Please give feedback. This is an
> > ugly problem...
> >
> > Matt
> >
> > Campesi, Christopher wrote:
> > 
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
> >> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
> >> 26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
> >>
> >> 
> >>
> >> http://securityreason.com/exploitalert/7138
> >>
> >> 
> >>
> >> 
> >>
> >> -Chris
> >>
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >> 
> >
> > 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/7c7f9c2c/attachment.html

From jonkman at jonkmans.com  Tue Sep  8 13:47:13 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 08 Sep 2009 13:47:13 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA68A81.40302@packetmail.net>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA68604.7090009@jonkmans.com>
	<4AA68A81.40302@packetmail.net>
Message-ID: <4AA698A1.1050104@jonkmans.com>

Internal to internal? Or external inbound?

Matt

evilghost at packetmail.net wrote:
> Falsing heavily here, as in, mapping the network.  I can provide 
> specifics if necessary.
> 
> Matt Jonkman wrote:
>> Thanks Christopher, posted for testing. Please give feedback. This is an
>> ugly problem...
>>
>> Matt
>>
>> Campesi, Christopher wrote:
>>   
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
>>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>> 26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
>>>
>>>  
>>>
>>> http://securityreason.com/exploitalert/7138
>>>
>>>  
>>>
>>>  
>>>
>>> -Chris
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>     
>>   
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From evilghost at packetmail.net  Tue Sep  8 14:19:59 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 8 Sep 2009 13:19:59 -0500
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA698A1.1050104@jonkmans.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA68604.7090009@jonkmans.com>
	<4AA68A81.40302@packetmail.net> <4AA698A1.1050104@jonkmans.com>
Message-ID: <4AA6A04F.8060607@packetmail.net>

var HOME_NET [10.0.0.0/8]
var EXTERNAL_NET any

RFC1918 -> RFC1918

One of many examples, some including

11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags 
[P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans (REQUEST)

        0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08  E....D at .........
        0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1  .`...m..."..l.8.
        0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42  P..y.w.......SMB
        0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3  %.........k.y;w.
        0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034  .s...x.....L...4
        0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
        0x0060:  0054 0034 0054 0002 0026 000e c045 0000  .T.4.T...&...E..
        0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
        0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000  ........4.......
        0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc  ............u.<.
        0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff  C..H.S.V.$B.....
        0x00b0:  007d 0000                                .}..

11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags 
[P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans (REQUEST)

        0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08  E....G at .........
        0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28  .`...m..."..l.:(
        0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42  P....P.......SMB
        0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16  %.........0.....
        0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c  .....x....DM...,
        0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
        0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000  .T.,.T...&...=..
        0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
        0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000  ........,.......
        0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc  ............u.<.
        0x00a0:  43cd 9348 af53 9c56 e124 4201            C..H.S.V.$B.

11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags 
[P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans (REQUEST)

        0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08  E....;@.........
        0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8  .`...m...".6l.5.
        0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42  P............SMB
        0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920  %..........R:x..
        0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058  F....x.....J...X
        0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
        0x0060:  0054 0058 0054 0002 0026 0009 c069 0000  .T.X.T...&...i..
        0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
        0x0080:  0500 0003 1000 0000 5800 0000 0700 0000  ........X.......
        0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000  @.....,..(......
        (*SNIPPED*)





Matt Jonkman wrote:
> Internal to internal? Or external inbound?
>
> Matt
>
> evilghost at packetmail.net wrote:
>   
>> Falsing heavily here, as in, mapping the network.  I can provide 
>> specifics if necessary.
>>
>> Matt Jonkman wrote:
>>     
>>> Thanks Christopher, posted for testing. Please give feedback. This is an
>>> ugly problem...
>>>
>>> Matt
>>>
>>> Campesi, Christopher wrote:
>>>   
>>>       
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
>>>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>>> 26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
>>>>
>>>>  
>>>>
>>>> http://securityreason.com/exploitalert/7138
>>>>
>>>>  
>>>>
>>>>  
>>>>
>>>> -Chris
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>     
>>>>         
>>>   
>>>       
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>     
>
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/8e0b1d9d/attachment-0001.html

From campesic at centenarycollege.edu  Tue Sep  8 14:46:37 2009
From: campesic at centenarycollege.edu (Campesi, Christopher)
Date: Tue, 8 Sep 2009 14:46:37 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA6A04F.8060607@packetmail.net>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA68604.7090009@jonkmans.com><4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com> <4AA6A04F.8060607@packetmail.net>
Message-ID: <42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>

 I looked at the results of the sig and it hit way more than I expected,
sorry about that. I took what Jax replied with and used that as the only
content match, that resulted in no FPs so far, like he said.

 

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8
SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72 00 00
00 00 18 53 c8 00
26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/e
xploitalert/7138;sid:XXXXXXXXX;rev:1;)

 

-Chris

From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of
evilghost at packetmail.net
Sent: Tuesday, September 08, 2009 2:20 PM
To: Matt Jonkman
Cc: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit

 

var HOME_NET [10.0.0.0/8]
var EXTERNAL_NET any

RFC1918 -> RFC1918

One of many examples, some including 

11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
[P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans (REQUEST)

        0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
E....D at .........
        0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
.`...m..."..l.8.
        0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
P..y.w.......SMB
        0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
%.........k.y;w.
        0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
.s...x.....L...4
        0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
................
        0x0060:  0054 0034 0054 0002 0026 000e c045 0000
.T.4.T...&...E..
        0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
\.P.I.P.E.\.....
        0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
........4.......
        0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
............u.<.
        0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
C..H.S.V.$B.....
        0x00b0:  007d 0000                                .}..

11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
[P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans (REQUEST)

        0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
E....G at .........
        0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
.`...m..."..l.:(
        0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
P....P.......SMB
        0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
%.........0.....
        0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
.....x....DM...,
        0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
................
        0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
.T.,.T...&...=..
        0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
\.P.I.P.E.\.....
        0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
........,.......
        0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
............u.<.
        0x00a0:  43cd 9348 af53 9c56 e124 4201            C..H.S.V.$B.

11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
[P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans (REQUEST)

        0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
E....;@.........
        0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
.`...m...".6l.5.
        0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
P............SMB
        0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
%..........R:x..
        0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
F....x.....J...X
        0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
................
        0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
.T.X.T...&...i..
        0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
\.P.I.P.E.\.....
        0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
........X.......
        0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
@.....,..(......
        (*SNIPPED*)





Matt Jonkman wrote: 

Internal to internal? Or external inbound?
 
Matt
 
evilghost at packetmail.net wrote:
  

	Falsing heavily here, as in, mapping the network.  I can provide

	specifics if necessary.
	 
	Matt Jonkman wrote:
	    

		Thanks Christopher, posted for testing. Please give
feedback. This is an
		ugly problem...
		 
		Matt
		 
		Campesi, Christopher wrote:
		  
		      

			alert tcp $EXTERNAL_NET any -> $HOME_NET 445
(msg:"Remote SMB2.0 DoS
	
Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff
|SMB";distance:3;content:"|00
	
26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com
/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
			 
			 
			 
			http://securityreason.com/exploitalert/7138
			 
			 
			 
			 
			 
			-Chris
			 
			 
	
------------------------------------------------------------------------
			 
			_______________________________________________
			Emerging-sigs mailing list
			Emerging-sigs at emergingthreats.net
	
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
			    
			        

		  
		      

	_______________________________________________
	Emerging-sigs mailing list
	Emerging-sigs at emergingthreats.net
	http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
	    

 
  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/0f9b8677/attachment.html

From jonkman at jonkmans.com  Tue Sep  8 14:51:47 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 08 Sep 2009 14:51:47 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA68604.7090009@jonkmans.com><4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com> <4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
Message-ID: <4AA6A7C3.5060206@jonkmans.com>

Committed, again all please test. Thanks Jax and Christopher!

Matt

Campesi, Christopher wrote:
>  I looked at the results of the sig and it hit way more than I expected,
> sorry about that. I took what Jax replied with and used that as the only
> content match, that resulted in no FPs so far, like he said.
> 
>  
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8
> SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72 00 00
> 00 00 18 53 c8 00
> 26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
> 
>  
> 
> -Chris
> 
> *From:* emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] *On Behalf Of
> *evilghost at packetmail.net
> *Sent:* Tuesday, September 08, 2009 2:20 PM
> *To:* Matt Jonkman
> *Cc:* Emerging Threats Signatures
> *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
> 
>  
> 
> var HOME_NET [10.0.0.0/8]
> var EXTERNAL_NET any
> 
> RFC1918 -> RFC1918
> 
> One of many examples, some including
> 
> 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans (REQUEST)
> 
>         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08  E....D at .........
>         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1  .`...m..."..l.8.
>         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42  P..y.w.......SMB
>         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3  %.........k.y;w.
>         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034  .s...x.....L...4
>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
>         0x0060:  0054 0034 0054 0002 0026 000e c045 0000  .T.4.T...&...E..
>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
>         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000  ........4.......
>         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc  ............u.<.
>         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff  C..H.S.V.$B.....
>         0x00b0:  007d 0000                                .}..
> 
> 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans (REQUEST)
> 
>         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08  E....G at .........
>         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28  .`...m..."..l.:(
>         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42  P....P.......SMB
>         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16  %.........0.....
>         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c  .....x....DM...,
>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
>         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000  .T.,.T...&...=..
>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
>         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000  ........,.......
>         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc  ............u.<.
>         0x00a0:  43cd 9348 af53 9c56 e124 4201            C..H.S.V.$B.
> 
> 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans (REQUEST)
> 
>         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08  E....;@.........
>         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8  .`...m...".6l.5.
>         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42  P............SMB
>         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920  %..........R:x..
>         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058  F....x.....J...X
>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
>         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000  .T.X.T...&...i..
>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
>         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000  ........X.......
>         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000  @.....,..(......
>         (*SNIPPED*)
> 
> 
> 
> 
> 
> Matt Jonkman wrote:
> 
> Internal to internal? Or external inbound?
> 
>  
> 
> Matt
> 
>  
> 
> evilghost at packetmail.net <mailto:evilghost at packetmail.net> wrote:
> 
>   
> 
>     Falsing heavily here, as in, mapping the network.  I can provide 
> 
>     specifics if necessary.
> 
>      
> 
>     Matt Jonkman wrote:
> 
>         
> 
>         Thanks Christopher, posted for testing. Please give feedback. This is an
> 
>         ugly problem...
> 
>          
> 
>         Matt
> 
>          
> 
>         Campesi, Christopher wrote:
> 
>           
> 
>               
> 
>             alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
> 
>             Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
> 
>             26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
> 
>              
> 
>              
> 
>              
> 
>             http://securityreason.com/exploitalert/7138
> 
>              
> 
>              
> 
>              
> 
>              
> 
>              
> 
>             -Chris
> 
>              
> 
>              
> 
>             ------------------------------------------------------------------------
> 
>              
> 
>             _______________________________________________
> 
>             Emerging-sigs mailing list
> 
>             Emerging-sigs at emergingthreats.net <mailto:Emerging-sigs at emergingthreats.net>
> 
>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
>                 
> 
>                     
> 
>           
> 
>               
> 
>     _______________________________________________
> 
>     Emerging-sigs mailing list
> 
>     Emerging-sigs at emergingthreats.net <mailto:Emerging-sigs at emergingthreats.net>
> 
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
>         
> 
>  
> 
>   
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From eslerj at gmail.com  Tue Sep  8 14:54:23 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 14:54:23 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA6A7C3.5060206@jonkmans.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68604.7090009@jonkmans.com> <4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com> <4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
Message-ID: <314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>

FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
J

On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> Committed, again all please test. Thanks Jax and Christopher!
>
> Matt
>
> Campesi, Christopher wrote:
> >  I looked at the results of the sig and it hit way more than I expected,
> > sorry about that. I took what Jax replied with and used that as the only
> > content match, that resulted in no FPs so far, like he said.
> >
> >
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8
> > SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72 00 00
> > 00 00 18 53 c8 00
> > 26|";offset:4;classtype:attempted-dos;reference:url,
> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
> >
> >
> >
> > -Chris
> >
> > *From:* emerging-sigs-bounces at emergingthreats.net
> > [mailto:emerging-sigs-bounces at emergingthreats.net] *On Behalf Of
> > *evilghost at packetmail.net
> > *Sent:* Tuesday, September 08, 2009 2:20 PM
> > *To:* Matt Jonkman
> > *Cc:* Emerging Threats Signatures
> > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
> >
> >
> >
> > var HOME_NET [10.0.0.0/8]
> > var EXTERNAL_NET any
> >
> > RFC1918 -> RFC1918
> >
> > One of many examples, some including
> >
> > 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans (REQUEST)
> >
> >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08  E....D@
> .........
> >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>  .`...m..."..l.8.
> >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>  P..y.w.......SMB
> >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>  %.........k.y;w.
> >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>  .s...x.....L...4
> >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>  ................
> >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>  .T.4.T...&...E..
> >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>  \.P.I.P.E.\.....
> >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>  ........4.......
> >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>  ............u.<.
> >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>  C..H.S.V.$B.....
> >         0x00b0:  007d 0000                                .}..
> >
> > 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans (REQUEST)
> >
> >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08  E....G@
> .........
> >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>  .`...m..."..l.:(
> >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>  P....P.......SMB
> >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>  %.........0.....
> >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>  .....x....DM...,
> >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>  ................
> >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>  .T.,.T...&...=..
> >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>  \.P.I.P.E.\.....
> >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>  ........,.......
> >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>  ............u.<.
> >         0x00a0:  43cd 9348 af53 9c56 e124 4201            C..H.S.V.$B.
> >
> > 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans (REQUEST)
> >
> >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08  E....;@
> .........
> >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>  .`...m...".6l.5.
> >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>  P............SMB
> >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>  %..........R:x..
> >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>  F....x.....J...X
> >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>  ................
> >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>  .T.X.T...&...i..
> >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>  \.P.I.P.E.\.....
> >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>  ........X.......
> >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>  @.....,..(......
> >         (*SNIPPED*)
> >
> >
> >
> >
> >
> > Matt Jonkman wrote:
> >
> > Internal to internal? Or external inbound?
> >
> >
> >
> > Matt
> >
> >
> >
> > evilghost at packetmail.net <mailto:evilghost at packetmail.net> wrote:
> >
> >
> >
> >     Falsing heavily here, as in, mapping the network.  I can provide
> >
> >     specifics if necessary.
> >
> >
> >
> >     Matt Jonkman wrote:
> >
> >
> >
> >         Thanks Christopher, posted for testing. Please give feedback.
> This is an
> >
> >         ugly problem...
> >
> >
> >
> >         Matt
> >
> >
> >
> >         Campesi, Christopher wrote:
> >
> >
> >
> >
> >
> >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote
> SMB2.0 DoS
> >
> >
> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
> >
> >             26|";distance:7;classtype:attempted-dos;reference:url,
> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
> >
> >
> >
> >
> >
> >
> >
> >             http://securityreason.com/exploitalert/7138
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >             -Chris
> >
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------
> >
> >
> >
> >             _______________________________________________
> >
> >             Emerging-sigs mailing list
> >
> >             Emerging-sigs at emergingthreats.net <mailto:
> Emerging-sigs at emergingthreats.net>
> >
> >
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >     _______________________________________________
> >
> >     Emerging-sigs mailing list
> >
> >     Emerging-sigs at emergingthreats.net <mailto:
> Emerging-sigs at emergingthreats.net>
> >
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> >
> >
> >
> >
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/2c8303b9/attachment.html

From bojan.isc at gmail.com  Tue Sep  8 15:28:15 2009
From: bojan.isc at gmail.com (Bojan Zdrnja (SANS ISC))
Date: Tue, 8 Sep 2009 21:28:15 +0200
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68604.7090009@jonkmans.com> <4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com> <4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
Message-ID: <9d6a1ae60909081228j62658462qb59762a259d9fba8@mail.gmail.com>

On Tue, Sep 8, 2009 at 8:46 PM, Campesi,
Christopher<campesic at centenarycollege.edu> wrote:
> ?I looked at the results of the sig and it hit way more than I expected,
> sorry about that. I took what Jax replied with and used that as the only
> content match, that resulted in no FPs so far, like he said.
>
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8 SMB2.0
> DoS Exploit";flow:to_server,established;content:"|ff|SMB|72 00 00 00 00 18
> 53 c8 00
> 26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)

A better signature (if I'm not wrong) would be to check the last two
bytes (00 26 in your example) and if they are not 00 00. Any other
value is not legitimate and 00 26 will change depending on the
exploit.

You can try sending different values and see if they affect the target
machine (I think they will).

So, I think it should be something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8
SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72 00
00 00 00 18 53 c8|"; offset:4; content:!"|00
00|";classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)

Bojan

From frank at knobbe.us  Tue Sep  8 16:00:05 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 08 Sep 2009 15:00:05 -0500
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <9d6a1ae60909081228j62658462qb59762a259d9fba8@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68604.7090009@jonkmans.com> <4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com> <4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<9d6a1ae60909081228j62658462qb59762a259d9fba8@mail.gmail.com>
Message-ID: <1252440005.55402.108.camel@localhost>

On Tue, 2009-09-08 at 21:28 +0200, Bojan Zdrnja (SANS ISC) wrote:
> A better signature (if I'm not wrong) would be to check the last two
> bytes (00 26 in your example) and if they are not 00 00. Any other
> value is not legitimate and 00 26 will change depending on the
> exploit.
> 
> You can try sending different values and see if they affect the target
> machine (I think they will).
> 
> So, I think it should be something like:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8
> SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72 00
> 00 00 00 18 53 c8|"; offset:4; content:!"|00
> 00|";classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)

That's what I was suggesting in IRC earlier. Especially since this thing
may even be exploitable. See:
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15

-Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/aff93915/attachment.bin

From emerging at emergingthreats.net  Tue Sep  8 16:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue,  8 Sep 2009 16:00:13 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090908200013.777EA4501B@goliath.jonkmans.com>


[***] Results from Oinkmaster started Tue Sep  8 16:00:13 2009 [***]

[+++]          Added rules:          [+++]

 2009868 - ET WEB_ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt (emerging-web.rules)
 2009869 - ET WEB_ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt (emerging-web.rules)
 2009870 - ET WEB_SPECIFIC XRMS CRM workflow-activities.php include_directory Remote File Inclusion (emerging-web_sql_injection.rules)
 2009871 - ET WEB_SPECIFIC PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009872 - ET WEB_SPECIFIC PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009873 - ET WEB_SPECIFIC PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009874 - ET WEB_SPECIFIC cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009875 - ET WEB_SPECIFIC cpCommerce _functions.php GLOBALS Parameter Local File Inclusion (emerging-web_sql_injection.rules)
 2009876 - ET WEB_SPECIFIC Dokuwiki doku.php config_cascade Local File Inclusion (emerging-web_sql_injection.rules)
 2009877 - ET WEB_SPECIFIC VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion (emerging-web_sql_injection.rules)
 2009878 - ET WEB_SPECIFIC Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009880 - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 (emerging-malware.rules)
 2009881 - ET WEB_SPECIFIC Possible Joomla Com_joomlub Component Union Select SQL Injection (emerging-web_sql_injection.rules)
 2009882 - ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool (emerging-scan.rules)
 2009883 - ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected (emerging-scan.rules)
 2009884 - ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan (emerging-scan.rules)
 2009885 - ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack (emerging-scan.rules)
 2009886 - ET CURRENT_EVENTS Remote SMB2.0 DoS Exploit (emerging.rules)


[///]     Modified active rules:     [///]

 2009824 - ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet (emerging-virus.rules)


[---]         Removed rules:         [---]

 2002195 - ET MALWARE Casalemedia Spyware Reporting URL Visited1 (emerging-malware.rules)
 2002196 - ET MALWARE Casalemedia Spyware Reporting URL Visited2 (emerging-malware.rules)
 2003366 - ET MALWARE qsrch.com/Casalemedia Spyware Reporting URL Visited3 (emerging-malware.rules)
 2009865 - ET TROJAN Unknown CnC Channel Keep Alive (emerging-virus.rules)
 2009866 - ET TROJAN Unknown CnC Channel Keep Alive Server Response (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (42):
        2009868 || ET WEB_ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt || url,securitytracker.com/alerts/2009/Aug/1022752.html
        2009869 || ET WEB_ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt || url,www.securityfocus.com/bid/36217/info
        2009870 || ET WEB_SPECIFIC XRMS CRM workflow-activities.php include_directory Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43992 || url,milw0rm.com/exploits/6131 || cve,CVE-2008-3399
        2009871 || ET WEB_SPECIFIC PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5266 || bugtraq,28284 || url,vupen.com/english/advisories/2008/0908
        2009872 || ET WEB_SPECIFIC PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5266 || bugtraq,28284 || url,vupen.com/english/advisories/2008/0908
        2009873 || ET WEB_SPECIFIC PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5266 || bugtraq,28284 || url,vupen.com/english/advisories/2008/0908
        2009874 || ET WEB_SPECIFIC cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion || url,milw0rm.com/exploits/8790 || bugtraq,35103
        2009875 || ET WEB_SPECIFIC cpCommerce _functions.php GLOBALS Parameter Local File Inclusion || url,milw0rm.com/exploits/8790 || bugtraq,35103
        2009876 || ET WEB_SPECIFIC Dokuwiki doku.php config_cascade Local File Inclusion || url,milw0rm.com/exploits/8781 || bugtraq,35095
        2009877 || ET WEB_SPECIFIC VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion || url,milw0rm.com/exploits/6975 || bugtraq,32098
        2009878 || ET WEB_SPECIFIC Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection || url,milw0rm.com/exploits/6874 || bugtraq,31986 || url,secunia.com/advisories/32467
        2009880 || ET MALWARE Casalemedia Spyware Reporting URL Visited 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com
        2009881 || ET WEB_SPECIFIC Possible Joomla Com_joomlub Component Union Select SQL Injection || url,www.milw0rm.com/exploits/9593
        2009882 || ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool || url,code.google.com/p/mysqloit/
        2009883 || ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected || url,code.google.com/p/mysqloit/
        2009884 || ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan || url,support.microsoft.com/kb/247249 || url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
        2009885 || ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack || url,en.wikipedia.org/wiki/HTTP_404 || url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
        2009886 || ET CURRENT_EVENTS Remote SMB2.0 DoS Exploit || url,securityreason.com/exploitalert/7138
        2500318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (42):
        2009868 || ET WEB_ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt || url,securitytracker.com/alerts/2009/Aug/1022752.html
        2009869 || ET WEB_ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt || url,www.securityfocus.com/bid/36217/info
        2009870 || ET WEB_SPECIFIC XRMS CRM workflow-activities.php include_directory Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/43992 || url,milw0rm.com/exploits/6131 || cve,CVE-2008-3399
        2009871 || ET WEB_SPECIFIC PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5266 || bugtraq,28284 || url,vupen.com/english/advisories/2008/0908
        2009872 || ET WEB_SPECIFIC PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5266 || bugtraq,28284 || url,vupen.com/english/advisories/2008/0908
        2009873 || ET WEB_SPECIFIC PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/5266 || bugtraq,28284 || url,vupen.com/english/advisories/2008/0908
        2009874 || ET WEB_SPECIFIC cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion || url,milw0rm.com/exploits/8790 || bugtraq,35103
        2009875 || ET WEB_SPECIFIC cpCommerce _functions.php GLOBALS Parameter Local File Inclusion || url,milw0rm.com/exploits/8790 || bugtraq,35103
        2009876 || ET WEB_SPECIFIC Dokuwiki doku.php config_cascade Local File Inclusion || url,milw0rm.com/exploits/8781 || bugtraq,35095
        2009877 || ET WEB_SPECIFIC VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion || url,milw0rm.com/exploits/6975 || bugtraq,32098
        2009878 || ET WEB_SPECIFIC Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection || url,milw0rm.com/exploits/6874 || bugtraq,31986 || url,secunia.com/advisories/32467
        2009880 || ET MALWARE Casalemedia Spyware Reporting URL Visited 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com
        2009881 || ET WEB_SPECIFIC Possible Joomla Com_joomlub Component Union Select SQL Injection || url,www.milw0rm.com/exploits/9593
        2009882 || ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool || url,code.google.com/p/mysqloit/
        2009883 || ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected || url,code.google.com/p/mysqloit/
        2009884 || ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan || url,support.microsoft.com/kb/247249 || url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
        2009885 || ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack || url,en.wikipedia.org/wiki/HTTP_404 || url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
        2009886 || ET CURRENT_EVENTS Remote SMB2.0 DoS Exploit || url,securityreason.com/exploitalert/7138
        2500318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510318 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510319 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510320 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510321 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510322 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510323 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510324 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510325 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510326 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510327 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510328 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510329 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging.rules (1):
        #by Christopher Campesi

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-malware.rules (1):
        #By Matt Jonkman from Spyware listening post data

     -> Removed from emerging-sid-msg.map (5):
        2002195 || ET MALWARE Casalemedia Spyware Reporting URL Visited1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com || url,doc.emergingthreats.net/bin/view/Main/2002195
        2002196 || ET MALWARE Casalemedia Spyware Reporting URL Visited2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com || url,doc.emergingthreats.net/bin/view/Main/2002196
        2003366 || ET MALWARE qsrch.com/Casalemedia Spyware Reporting URL Visited3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com || url,doc.emergingthreats.net/bin/view/Main/2003366
        2009865 || ET TROJAN Unknown CnC Channel Keep Alive
        2009866 || ET TROJAN Unknown CnC Channel Keep Alive Server Response

     -> Removed from emerging-sid-msg.map.txt (5):
        2002195 || ET MALWARE Casalemedia Spyware Reporting URL Visited1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com || url,doc.emergingthreats.net/bin/view/Main/2002195
        2002196 || ET MALWARE Casalemedia Spyware Reporting URL Visited2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com || url,doc.emergingthreats.net/bin/view/Main/2002196
        2003366 || ET MALWARE qsrch.com/Casalemedia Spyware Reporting URL Visited3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com || url,doc.emergingthreats.net/bin/view/Main/2003366
        2009865 || ET TROJAN Unknown CnC Channel Keep Alive
        2009866 || ET TROJAN Unknown CnC Channel Keep Alive Server Response

     -> Removed from emerging-virus.rules (1):
        #matt jonkman, re aab13cae762c86e21beb82c7c75fb1cf


From frank at knobbe.us  Tue Sep  8 16:03:57 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 08 Sep 2009 15:03:57 -0500
Subject: [Emerging-Sigs] 4 SQL Injection Sigs,
 Can Someone Check My PCRE Though
In-Reply-To: <e75cc74a0908190235j7435e685q1d22ece1fd9bd50c@mail.gmail.com>
References: <e75cc74a0908190235j7435e685q1d22ece1fd9bd50c@mail.gmail.com>
Message-ID: <1252440237.55402.115.camel@localhost>

On Wed, 2009-08-19 at 10:35 +0100, Kevin Ross wrote:
> Hey. I have written these 4 sigs to catch SQL Injections in Cookies.
> Can someone please read over it. I also decided to stick a PCRE check
> also once the content matches were done for accuracy. 

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB -
> Possible SELECT FROM SQL Injection In Cookie";
> flow:to_server,established; content:"Cookie|3A|"; nocase;
> content:"SELECT"; nocase; content:"FROM"; nocase;
> pcre:"/SELECT.+FROM/i"; classtype:web-application-attack;

These are falsing on simple things like:

Cookie: SelectedEdition=www; s_sess=[blah]http%
2525253A//screeningroom.blogs.cnn.com/2009/09/08/postcard-from-venice-clooney-loony-strik
es/[blah] 

Would it be possible to change the "SELECT" to "SELECT " or "SELECT%20"?
I don't think a space is valid in there, so I assume the cookie would
contain "SELECT%20". Do you have an actual attack you can compare this
to?

Thanks,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/c40add08/attachment.bin

From jonkman at jonkmans.com  Tue Sep  8 17:05:48 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 08 Sep 2009 17:05:48 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA6A7C3.5060206@jonkmans.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA68604.7090009@jonkmans.com><4AA68A81.40302@packetmail.net>	<4AA698A1.1050104@jonkmans.com>
	<4AA6A04F.8060607@packetmail.net>	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
Message-ID: <4AA6C72C.8010809@jonkmans.com>

OK, n Bojan and Frank's suggestion we have:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS
Remote SMB2.0 DoS Exploit"; flow:to_server,established;
content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00
00|"; within 2; classtype:attempted-dos;
reference:url,securityreason.com/exploitalert/7138;
reference:url,doc.emergingthreats.net/2009886;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_SMB_DOS;
sid:2009886; rev:4;)

Looking for not |00 00| after the first match. Posted, good by all?

Please report falses.

Matt

Matt Jonkman wrote:
> Committed, again all please test. Thanks Jax and Christopher!
> 
> Matt
> 
> Campesi, Christopher wrote:
>>  I looked at the results of the sig and it hit way more than I expected,
>> sorry about that. I took what Jax replied with and used that as the only
>> content match, that resulted in no FPs so far, like he said.
>>
>>  
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8
>> SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72 00 00
>> 00 00 18 53 c8 00
>> 26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
>>
>>  
>>
>> -Chris
>>
>> *From:* emerging-sigs-bounces at emergingthreats.net
>> [mailto:emerging-sigs-bounces at emergingthreats.net] *On Behalf Of
>> *evilghost at packetmail.net
>> *Sent:* Tuesday, September 08, 2009 2:20 PM
>> *To:* Matt Jonkman
>> *Cc:* Emerging Threats Signatures
>> *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>>
>>  
>>
>> var HOME_NET [10.0.0.0/8]
>> var EXTERNAL_NET any
>>
>> RFC1918 -> RFC1918
>>
>> One of many examples, some including
>>
>> 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
>> [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans (REQUEST)
>>
>>         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08  E....D at .........
>>         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1  .`...m..."..l.8.
>>         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42  P..y.w.......SMB
>>         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3  %.........k.y;w.
>>         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034  .s...x.....L...4
>>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
>>         0x0060:  0054 0034 0054 0002 0026 000e c045 0000  .T.4.T...&...E..
>>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
>>         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000  ........4.......
>>         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc  ............u.<.
>>         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff  C..H.S.V.$B.....
>>         0x00b0:  007d 0000                                .}..
>>
>> 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
>> [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans (REQUEST)
>>
>>         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08  E....G at .........
>>         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28  .`...m..."..l.:(
>>         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42  P....P.......SMB
>>         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16  %.........0.....
>>         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c  .....x....DM...,
>>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
>>         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000  .T.,.T...&...=..
>>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
>>         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000  ........,.......
>>         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc  ............u.<.
>>         0x00a0:  43cd 9348 af53 9c56 e124 4201            C..H.S.V.$B.
>>
>> 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
>> [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans (REQUEST)
>>
>>         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08  E....;@.........
>>         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8  .`...m...".6l.5.
>>         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42  P............SMB
>>         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920  %..........R:x..
>>         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058  F....x.....J...X
>>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
>>         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000  .T.X.T...&...i..
>>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
>>         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000  ........X.......
>>         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000  @.....,..(......
>>         (*SNIPPED*)
>>
>>
>>
>>
>>
>> Matt Jonkman wrote:
>>
>> Internal to internal? Or external inbound?
>>
>>  
>>
>> Matt
>>
>>  
>>
>> evilghost at packetmail.net <mailto:evilghost at packetmail.net> wrote:
>>
>>   
>>
>>     Falsing heavily here, as in, mapping the network.  I can provide 
>>
>>     specifics if necessary.
>>
>>      
>>
>>     Matt Jonkman wrote:
>>
>>         
>>
>>         Thanks Christopher, posted for testing. Please give feedback. This is an
>>
>>         ugly problem...
>>
>>          
>>
>>         Matt
>>
>>          
>>
>>         Campesi, Christopher wrote:
>>
>>           
>>
>>               
>>
>>             alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
>>
>>             Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>
>>             26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
>>
>>              
>>
>>              
>>
>>              
>>
>>             http://securityreason.com/exploitalert/7138
>>
>>              
>>
>>              
>>
>>              
>>
>>              
>>
>>              
>>
>>             -Chris
>>
>>              
>>
>>              
>>
>>             ------------------------------------------------------------------------
>>
>>              
>>
>>             _______________________________________________
>>
>>             Emerging-sigs mailing list
>>
>>             Emerging-sigs at emergingthreats.net <mailto:Emerging-sigs at emergingthreats.net>
>>
>>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>                 
>>
>>                     
>>
>>           
>>
>>               
>>
>>     _______________________________________________
>>
>>     Emerging-sigs mailing list
>>
>>     Emerging-sigs at emergingthreats.net <mailto:Emerging-sigs at emergingthreats.net>
>>
>>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>         
>>
>>  
>>
>>   
>>
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From phatbuckett at gmail.com  Tue Sep  8 17:06:58 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Tue, 8 Sep 2009 14:06:58 -0700
Subject: [Emerging-Sigs] Urlzone/Bebloh sig
In-Reply-To: <839aec700905140612qc6f65f7v790477d6d6ae4b86@mail.gmail.com>
References: <839aec700905140612qc6f65f7v790477d6d6ae4b86@mail.gmail.com>
Message-ID: <839aec700909081406g16464fc7s1d349126d8a02cd2@mail.gmail.com>

Caught a report of a urlzone/bebloh URL as follows:

kissfromde.cn/503/fet.5?type=slg&id=ZDYEW6P6ZJB8M3B493

Existing sig 1:2009351:2 looking for
uricontent:"get.php?type=slg&id=", and clearly the "get.php" and
"IT0\d" URI strings were common but not universal.

Former URL contributing to this signature:

rnstatistics.org/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO

So maybe a mod to:

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Urlzone/Bebloh Communication with Controller";
flow:established,to_server; content:"
GET "; depth:4; uricontent:"?type=slg&id="; nocase;
pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; classtype:trojan-activity;
reference:url,threatinfo.trendmicro.com
/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td;
reference:url,doc.emergingthreats.net/2009351;
reference:url,www.emergingthreats.net/
cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh; sid:2009351; rev:3;)

???

-- 
Darren Spruell
phatbuckett at gmail.com



On Thu, May 14, 2009 at 6:12 AM, Darren Spruell<phatbuckett at gmail.com> wrote:
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Urlzone/Bebloh Communication with Controller";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"get.php?type=slg&id="; nocase; classtype:trojan-activity;
> reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td;
> sid:XXXXXXX; rev:1;)
>
> Urlzone/Bebloh is another banker/infostealer typically targeting German banks.
>
> Typical C&C communication looks like requests to:
>
> somedomain.tld/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO
>
> Every report I've seen makes it look like /get.php is so far very
> static as well as the value of the 'type' parameter during C&C
> communication. Also appears that /IT0%d/ varies a bit but for now
> always uses /IT0\d/ so maybe it can be tightened a bit more if needed
> with a URI pcre.
>
> Would be interested to know if this is successful for anyone.
>
> --
> Darren Spruell
> phatbuckett at gmail.com
>



-- 
Darren Spruell
phatbuckett at gmail.com

From jonkman at jonkmans.com  Tue Sep  8 17:06:40 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 08 Sep 2009 17:06:40 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA68604.7090009@jonkmans.com>
	<4AA68A81.40302@packetmail.net>	<4AA698A1.1050104@jonkmans.com>
	<4AA6A04F.8060607@packetmail.net>	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
Message-ID: <4AA6C760.2060200@jonkmans.com>

:)

The license would prevent us from doing so. Or even seeing them at this
point.

If you'd like to post it here so we can compare that'd be appreciated.

Matt

Joel Esler wrote:
> FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
> 
> J
> 
> On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
> <mailto:jonkman at jonkmans.com>> wrote:
> 
>     Committed, again all please test. Thanks Jax and Christopher!
> 
>     Matt
> 
>     Campesi, Christopher wrote:
>     >  I looked at the results of the sig and it hit way more than I
>     expected,
>     > sorry about that. I took what Jax replied with and used that as
>     the only
>     > content match, that resulted in no FPs so far, like he said.
>     >
>     >
>     >
>     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8
>     > SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72
>     00 00
>     > 00 00 18 53 c8 00
>     >
>     26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>     >
>     >
>     >
>     > -Chris
>     >
>     > *From:* emerging-sigs-bounces at emergingthreats.net
>     <mailto:emerging-sigs-bounces at emergingthreats.net>
>     > [mailto:emerging-sigs-bounces at emergingthreats.net
>     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf Of
>     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>     > *To:* Matt Jonkman
>     > *Cc:* Emerging Threats Signatures
>     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>     >
>     >
>     >
>     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
>     > var EXTERNAL_NET any
>     >
>     > RFC1918 -> RFC1918
>     >
>     > One of many examples, some including
>     >
>     > 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
>     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans (REQUEST)
>     >
>     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>      E....D at .........
>     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>      .`...m..."..l.8.
>     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>      P..y.w.......SMB
>     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>      %.........k.y;w.
>     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>      .s...x.....L...4
>     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>      ................
>     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>      .T.4.T...&...E..
>     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>      \.P.I.P.E.\.....
>     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>      ........4.......
>     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>      ............u.<.
>     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>      C..H.S.V.$B.....
>     >         0x00b0:  007d 0000                                .}..
>     >
>     > 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
>     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans (REQUEST)
>     >
>     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>      E....G at .........
>     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>      .`...m..."..l.:(
>     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>      P....P.......SMB
>     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>      %.........0.....
>     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>      .....x....DM...,
>     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>      ................
>     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>      .T.,.T...&...=..
>     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>      \.P.I.P.E.\.....
>     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>      ........,.......
>     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>      ............u.<.
>     >         0x00a0:  43cd 9348 af53 9c56 e124 4201            C..H.S.V.$B.
>     >
>     > 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
>     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans (REQUEST)
>     >
>     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>      E....;@.........
>     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>      .`...m...".6l.5.
>     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>      P............SMB
>     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>      %..........R:x..
>     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>      F....x.....J...X
>     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>      ................
>     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>      .T.X.T...&...i..
>     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>      \.P.I.P.E.\.....
>     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>      ........X.......
>     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>      @.....,..(......
>     >         (*SNIPPED*)
>     >
>     >
>     >
>     >
>     >
>     > Matt Jonkman wrote:
>     >
>     > Internal to internal? Or external inbound?
>     >
>     >
>     >
>     > Matt
>     >
>     >
>     >
>     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net>>
>     wrote:
>     >
>     >
>     >
>     >     Falsing heavily here, as in, mapping the network.  I can provide
>     >
>     >     specifics if necessary.
>     >
>     >
>     >
>     >     Matt Jonkman wrote:
>     >
>     >
>     >
>     >         Thanks Christopher, posted for testing. Please give
>     feedback. This is an
>     >
>     >         ugly problem...
>     >
>     >
>     >
>     >         Matt
>     >
>     >
>     >
>     >         Campesi, Christopher wrote:
>     >
>     >
>     >
>     >
>     >
>     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>     (msg:"Remote SMB2.0 DoS
>     >
>     >            
>     Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>     >
>     >            
>     26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >             http://securityreason.com/exploitalert/7138
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >             -Chris
>     >
>     >
>     >
>     >
>     >
>     >            
>     ------------------------------------------------------------------------
>     >
>     >
>     >
>     >             _______________________________________________
>     >
>     >             Emerging-sigs mailing list
>     >
>     >             Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >
>     >            
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >     _______________________________________________
>     >
>     >     Emerging-sigs mailing list
>     >
>     >     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >
>     >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >
>     >
>     >
>     >
>     >
>     >
>     >
> 
>     --
>     --------------------------------------------
>     Matthew Jonkman
>     Emerging Threats
>     Open Information Security Foundation (OISF)
>     Phone 765-429-0398
>     Fax 312-264-0205
>     http://www.emergingthreats.net
>     http://www.openinformationsecurityfoundation.org
>     --------------------------------------------
> 
>     PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From eslerj at gmail.com  Tue Sep  8 17:58:59 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 17:58:59 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA6C760.2060200@jonkmans.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68604.7090009@jonkmans.com> <4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com> <4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
Message-ID: <314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>

No, the license would prevent me from posting them.  Not from you seeing
them.  I am sure plenty of people on this list have a VRT subscription.
No FUD spreading.

J

On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> :)
>
> The license would prevent us from doing so. Or even seeing them at this
> point.
>
> If you'd like to post it here so we can compare that'd be appreciated.
>
> Matt
>
> Joel Esler wrote:
> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
> >
> > J
> >
> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
> > <mailto:jonkman at jonkmans.com>> wrote:
> >
> >     Committed, again all please test. Thanks Jax and Christopher!
> >
> >     Matt
> >
> >     Campesi, Christopher wrote:
> >     >  I looked at the results of the sig and it hit way more than I
> >     expected,
> >     > sorry about that. I took what Jax replied with and used that as
> >     the only
> >     > content match, that resulted in no FPs so far, like he said.
> >     >
> >     >
> >     >
> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
> (msg:"Windows7/Vista/2k8
> >     > SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72
> >     00 00
> >     > 00 00 18 53 c8 00
> >     >
> >     26|";offset:4;classtype:attempted-dos;reference:url,
> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
> >     >
> >     >
> >     >
> >     > -Chris
> >     >
> >     > *From:* emerging-sigs-bounces at emergingthreats.net
> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf Of
> >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
> >     > *To:* Matt Jonkman
> >     > *Cc:* Emerging Threats Signatures
> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
> >     >
> >     >
> >     >
> >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
> >     > var EXTERNAL_NET any
> >     >
> >     > RFC1918 -> RFC1918
> >     >
> >     > One of many examples, some including
> >     >
> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
> Flags
> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
> (REQUEST)
> >     >
> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
> >      E....D at .........
> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
> >      .`...m..."..l.8.
> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
> >      P..y.w.......SMB
> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
> >      %.........k.y;w.
> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
> >      .s...x.....L...4
> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >      ................
> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
> >      .T.4.T...&...E..
> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >      \.P.I.P.E.\.....
> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
> >      ........4.......
> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
> >      ............u.<.
> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
> >      C..H.S.V.$B.....
> >     >         0x00b0:  007d 0000                                .}..
> >     >
> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
> Flags
> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
> (REQUEST)
> >     >
> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
> >      E....G at .........
> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
> >      .`...m..."..l.:(
> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
> >      P....P.......SMB
> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
> >      %.........0.....
> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
> >      .....x....DM...,
> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >      ................
> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
> >      .T.,.T...&...=..
> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >      \.P.I.P.E.\.....
> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
> >      ........,.......
> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
> >      ............u.<.
> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>  C..H.S.V.$B.
> >     >
> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
> Flags
> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
> (REQUEST)
> >     >
> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
> >      E....;@.........
> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
> >      .`...m...".6l.5.
> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
> >      P............SMB
> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
> >      %..........R:x..
> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
> >      F....x.....J...X
> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >      ................
> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
> >      .T.X.T...&...i..
> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >      \.P.I.P.E.\.....
> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
> >      ........X.......
> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
> >      @.....,..(......
> >     >         (*SNIPPED*)
> >     >
> >     >
> >     >
> >     >
> >     >
> >     > Matt Jonkman wrote:
> >     >
> >     > Internal to internal? Or external inbound?
> >     >
> >     >
> >     >
> >     > Matt
> >     >
> >     >
> >     >
> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
> >     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net>>
> >     wrote:
> >     >
> >     >
> >     >
> >     >     Falsing heavily here, as in, mapping the network.  I can
> provide
> >     >
> >     >     specifics if necessary.
> >     >
> >     >
> >     >
> >     >     Matt Jonkman wrote:
> >     >
> >     >
> >     >
> >     >         Thanks Christopher, posted for testing. Please give
> >     feedback. This is an
> >     >
> >     >         ugly problem...
> >     >
> >     >
> >     >
> >     >         Matt
> >     >
> >     >
> >     >
> >     >         Campesi, Christopher wrote:
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
> >     (msg:"Remote SMB2.0 DoS
> >     >
> >     >
> >
> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
> >     >
> >     >
> >     26|";distance:7;classtype:attempted-dos;reference:url,
> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >             http://securityreason.com/exploitalert/7138
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >             -Chris
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> ------------------------------------------------------------------------
> >     >
> >     >
> >     >
> >     >             _______________________________________________
> >     >
> >     >             Emerging-sigs mailing list
> >     >
> >     >             Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >
> >     >
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >     _______________________________________________
> >     >
> >     >     Emerging-sigs mailing list
> >     >
> >     >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >
> >     >
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> >     --
> >     --------------------------------------------
> >     Matthew Jonkman
> >     Emerging Threats
> >     Open Information Security Foundation (OISF)
> >     Phone 765-429-0398
> >     Fax 312-264-0205
> >     http://www.emergingthreats.net
> >     http://www.openinformationsecurityfoundation.org
> >     --------------------------------------------
> >
> >     PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> >     _______________________________________________
> >     Emerging-sigs mailing list
> >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/6255ef75/attachment-0001.html

From bschnzl at cotse.net  Tue Sep  8 18:22:16 2009
From: bschnzl at cotse.net (Bill Scherr IV)
Date: Tue, 08 Sep 2009 18:22:16 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA6C72C.8010809@jonkmans.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>,
	<4AA6A7C3.5060206@jonkmans.com>, <4AA6C72C.8010809@jonkmans.com>
Message-ID: <MTAwMDAxOS5ic2Nobnps.1252448539@quikprotect>

Folks...

   From http://securityreason.com/exploitalert/7138
""\x00\x26"# Process ID High: --> :) normal operation should be "\x00\x00""

   Should we do:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS
Remote SMB2.0 DoS Exploit"; flow:to_server,established;
content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00
26|"; within 2; classtype:attempted-dos;
reference:url,securityreason.com/exploitalert/7138;
reference:url,doc.emergingthreats.net/2009886;
reference:url,www.emergingthreats.net/cgi-
bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_SMB_DOS;
sid:2009886; rev:4;)

just a question!

B.

Circa 17:05, 8 Sep 2009, a note, claiming source Matt Jonkman <jonkman at jonkmans.com>, was sent 
to me:

Date sent:      	Tue, 08 Sep 2009 17:05:48 -0400
From:           	Matt Jonkman <jonkman at jonkmans.com>
To:             	"Campesi, Christopher" <campesic at centenarycollege.edu>
Copies to:      	Emerging Threats Signatures <emerging-sigs at emergingthreats.net>
Subject:        	Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit

> OK, n Bojan and Frank's suggestion we have:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS
> Remote SMB2.0 DoS Exploit"; flow:to_server,established;
> content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00
> 00|"; within 2; classtype:attempted-dos;
> reference:url,securityreason.com/exploitalert/7138;
> reference:url,doc.emergingthreats.net/2009886;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_SMB_DOS;
> sid:2009886; rev:4;)
> 
> Looking for not |00 00| after the first match. Posted, good by all?
> 
> Please report falses.
> 
> Matt
> 
> Matt Jonkman wrote:
> > Committed, again all please test. Thanks Jax and Christopher!
> > 
> > Matt
> > 
> > Campesi, Christopher wrote:
> >>  I looked at the results of the sig and it hit way more than I expected,
> >> sorry about that. I took what Jax replied with and used that as the only
> >> content match, that resulted in no FPs so far, like he said.
> >>
> >>  
> >>
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/Vista/2k8
> >> SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72 00 00
> >> 00 00 18 53 c8 00
> >> 26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
> >>
> >>  
> >>
> >> -Chris
> >>
> >> *From:* emerging-sigs-bounces at emergingthreats.net
> >> [mailto:emerging-sigs-bounces at emergingthreats.net] *On Behalf Of
> >> *evilghost at packetmail.net
> >> *Sent:* Tuesday, September 08, 2009 2:20 PM
> >> *To:* Matt Jonkman
> >> *Cc:* Emerging Threats Signatures
> >> *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
> >>
> >>  
> >>
> >> var HOME_NET [10.0.0.0/8]
> >> var EXTERNAL_NET any
> >>
> >> RFC1918 -> RFC1918
> >>
> >> One of many examples, some including
> >>
> >> 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> >> [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans (REQUEST)
> >>
> >>         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08  E....D at .........
> >>         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1  .`...m..."..l.8.
> >>         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42  P..y.w.......SMB
> >>         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3  %.........k.y;w.
> >>         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034  .s...x.....L...4
> >>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
> >>         0x0060:  0054 0034 0054 0002 0026 000e c045 0000  .T.4.T...&...E..
> >>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
> >>         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000  ........4.......
> >>         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc  ............u.<.
> >>         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff  C..H.S.V.$B.....
> >>         0x00b0:  007d 0000                                .}..
> >>
> >> 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> >> [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans (REQUEST)
> >>
> >>         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08  E....G at .........
> >>         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28  .`...m..."..l.:(
> >>         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42  P....P.......SMB
> >>         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16  %.........0.....
> >>         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c  .....x....DM...,
> >>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
> >>         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000  .T.,.T...&...=..
> >>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
> >>         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000  ........,.......
> >>         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc  ............u.<.
> >>         0x00a0:  43cd 9348 af53 9c56 e124 4201            C..H.S.V.$B.
> >>
> >> 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds: Flags
> >> [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans (REQUEST)
> >>
> >>         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08  E....;@.........
> >>         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8  .`...m...".6l.5.
> >>         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42  P............SMB
> >>         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920  %..........R:x..
> >>         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058  F....x.....J...X
> >>         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000  ................
> >>         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000  .T.X.T...&...i..
> >>         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000  \.P.I.P.E.\.....
> >>         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000  ........X.......
> >>         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000  @.....,..(......
> >>         (*SNIPPED*)
> >>
> >>
> >>
> >>
> >>
> >> Matt Jonkman wrote:
> >>
> >> Internal to internal? Or external inbound?
> >>
> >>  
> >>
> >> Matt
> >>
> >>  
> >>
> >> evilghost at packetmail.net <mailto:evilghost at packetmail.net> wrote:
> >>
> >>   
> >>
> >>     Falsing heavily here, as in, mapping the network.  I can provide 
> >>
> >>     specifics if necessary.
> >>
> >>      
> >>
> >>     Matt Jonkman wrote:
> >>
> >>         
> >>
> >>         Thanks Christopher, posted for testing. Please give feedback. This is an
> >>
> >>         ugly problem...
> >>
> >>          
> >>
> >>         Matt
> >>
> >>          
> >>
> >>         Campesi, Christopher wrote:
> >>
> >>           
> >>
> >>               
> >>
> >>             alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Remote SMB2.0 DoS
> >>
> >>             Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
> >>
> >>             26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1;)
> >>
> >>              
> >>
> >>              
> >>
> >>              
> >>
> >>             http://securityreason.com/exploitalert/7138
> >>
> >>              
> >>
> >>              
> >>
> >>              
> >>
> >>              
> >>
> >>              
> >>
> >>             -Chris
> >>
> >>              
> >>
> >>              
> >>
> >>             ------------------------------------------------------------------------
> >>
> >>              
> >>
> >>             _______________________________________________
> >>
> >>             Emerging-sigs mailing list
> >>
> >>             Emerging-sigs at emergingthreats.net <mailto:Emerging-sigs at emergingthreats.net>
> >>
> >>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >>                 
> >>
> >>                     
> >>
> >>           
> >>
> >>               
> >>
> >>     _______________________________________________
> >>
> >>     Emerging-sigs mailing list
> >>
> >>     Emerging-sigs at emergingthreats.net <mailto:Emerging-sigs at emergingthreats.net>
> >>
> >>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >>         
> >>
> >>  
> >>
> >>   
> >>
> > 
> 
> -- 
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


STOP SPAM  -  use whitelists

pub   1024D/6382216F 2008-06-20 [expires: 2013-06-19]
Key fingerprint = 5F6A F5AD 1FE0 73CA 2393  A62E 2469 0F95 6382 216F
uid    Bill Scherr IV (Ownership is Vital) <bschnzl at cotse.net>




From guise.mcallaster at gmail.com  Tue Sep  8 18:25:14 2009
From: guise.mcallaster at gmail.com (Guise McAllaster)
Date: Tue, 8 Sep 2009 22:25:14 +0000
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68604.7090009@jonkmans.com> <4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com> <4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
Message-ID: <ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>

I thought the VRT rules are compiled so you can't see them in the clear
unless you reverse engineer it and reconstruct them.  Am I wrong?  If so,
can some one post it here?  Matt has a good point about comparing it -- the
more info we have the better.  Sharing and empowerment is what gives the
open source community the strength.  Unless, of course, you aren't open
source and then it is all about competitive advantage and money, greed, etc.

Guise (a.k.a. G)

On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com> wrote:

> No, the license would prevent me from posting them.  Not from you seeing
> them.  I am sure plenty of people on this list have a VRT subscription.
> No FUD spreading.
>
> J
>
>
> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>
>> :)
>>
>> The license would prevent us from doing so. Or even seeing them at this
>> point.
>>
>> If you'd like to post it here so we can compare that'd be appreciated.
>>
>> Matt
>>
>> Joel Esler wrote:
>> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
>> >
>> > J
>> >
>> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
>> > <mailto:jonkman at jonkmans.com>> wrote:
>> >
>> >     Committed, again all please test. Thanks Jax and Christopher!
>> >
>> >     Matt
>> >
>> >     Campesi, Christopher wrote:
>> >     >  I looked at the results of the sig and it hit way more than I
>> >     expected,
>> >     > sorry about that. I took what Jax replied with and used that as
>> >     the only
>> >     > content match, that resulted in no FPs so far, like he said.
>> >     >
>> >     >
>> >     >
>> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>> (msg:"Windows7/Vista/2k8
>> >     > SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff|SMB|72
>> >     00 00
>> >     > 00 00 18 53 c8 00
>> >     >
>> >     26|";offset:4;classtype:attempted-dos;reference:url,
>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>> >     >
>> >     >
>> >     >
>> >     > -Chris
>> >     >
>> >     > *From:* emerging-sigs-bounces at emergingthreats.net
>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
>> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf Of
>> >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>> >     > *To:* Matt Jonkman
>> >     > *Cc:* Emerging Threats Signatures
>> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>> >     >
>> >     >
>> >     >
>> >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
>> >     > var EXTERNAL_NET any
>> >     >
>> >     > RFC1918 -> RFC1918
>> >     >
>> >     > One of many examples, some including
>> >     >
>> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>> Flags
>> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
>> (REQUEST)
>> >     >
>> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>> >      E....D at .........
>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>> >      .`...m..."..l.8.
>> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>> >      P..y.w.......SMB
>> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>> >      %.........k.y;w.
>> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>> >      .s...x.....L...4
>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>> >      ................
>> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>> >      .T.4.T...&...E..
>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>> >      \.P.I.P.E.\.....
>> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>> >      ........4.......
>> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>> >      ............u.<.
>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>> >      C..H.S.V.$B.....
>> >     >         0x00b0:  007d 0000                                .}..
>> >     >
>> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>> Flags
>> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
>> (REQUEST)
>> >     >
>> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>> >      E....G at .........
>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>> >      .`...m..."..l.:(
>> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>> >      P....P.......SMB
>> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>> >      %.........0.....
>> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>> >      .....x....DM...,
>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>> >      ................
>> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>> >      .T.,.T...&...=..
>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>> >      \.P.I.P.E.\.....
>> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>> >      ........,.......
>> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>> >      ............u.<.
>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>>  C..H.S.V.$B.
>> >     >
>> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>> Flags
>> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
>> (REQUEST)
>> >     >
>> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>> >      E....;@.........
>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>> >      .`...m...".6l.5.
>> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>> >      P............SMB
>> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>> >      %..........R:x..
>> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>> >      F....x.....J...X
>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>> >      ................
>> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>> >      .T.X.T...&...i..
>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>> >      \.P.I.P.E.\.....
>> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>> >      ........X.......
>> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>> >      @.....,..(......
>> >     >         (*SNIPPED*)
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     > Matt Jonkman wrote:
>> >     >
>> >     > Internal to internal? Or external inbound?
>> >     >
>> >     >
>> >     >
>> >     > Matt
>> >     >
>> >     >
>> >     >
>> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>> >     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net>>
>> >     wrote:
>> >     >
>> >     >
>> >     >
>> >     >     Falsing heavily here, as in, mapping the network.  I can
>> provide
>> >     >
>> >     >     specifics if necessary.
>> >     >
>> >     >
>> >     >
>> >     >     Matt Jonkman wrote:
>> >     >
>> >     >
>> >     >
>> >     >         Thanks Christopher, posted for testing. Please give
>> >     feedback. This is an
>> >     >
>> >     >         ugly problem...
>> >     >
>> >     >
>> >     >
>> >     >         Matt
>> >     >
>> >     >
>> >     >
>> >     >         Campesi, Christopher wrote:
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>> >     (msg:"Remote SMB2.0 DoS
>> >     >
>> >     >
>> >
>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>> >     >
>> >     >
>> >     26|";distance:7;classtype:attempted-dos;reference:url,
>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >             http://securityreason.com/exploitalert/7138
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >             -Chris
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >
>> ------------------------------------------------------------------------
>> >     >
>> >     >
>> >     >
>> >     >             _______________________________________________
>> >     >
>> >     >             Emerging-sigs mailing list
>> >     >
>> >     >             Emerging-sigs at emergingthreats.net
>> >     <mailto:Emerging-sigs at emergingthreats.net>
>> >     <mailto:Emerging-sigs at emergingthreats.net
>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>> >     >
>> >     >
>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >     _______________________________________________
>> >     >
>> >     >     Emerging-sigs mailing list
>> >     >
>> >     >     Emerging-sigs at emergingthreats.net
>> >     <mailto:Emerging-sigs at emergingthreats.net>
>> >     <mailto:Emerging-sigs at emergingthreats.net
>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>> >     >
>> >     >
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >     >
>> >
>> >     --
>> >     --------------------------------------------
>> >     Matthew Jonkman
>> >     Emerging Threats
>> >     Open Information Security Foundation (OISF)
>> >     Phone 765-429-0398
>> >     Fax 312-264-0205
>> >     http://www.emergingthreats.net
>> >     http://www.openinformationsecurityfoundation.org
>> >     --------------------------------------------
>> >
>> >     PGP: http://www.jonkmans.com/mattjonkman.asc
>> >
>> >
>> >     _______________________________________________
>> >     Emerging-sigs mailing list
>> >     Emerging-sigs at emergingthreats.net
>> >     <mailto:Emerging-sigs at emergingthreats.net>
>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > Emerging-sigs mailing list
>> > Emerging-sigs at emergingthreats.net
>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/d024816d/attachment-0001.html

From frank at knobbe.us  Tue Sep  8 18:28:11 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 08 Sep 2009 17:28:11 -0500
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <MTAwMDAxOS5ic2Nobnps.1252448539@quikprotect>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	, <4AA6A7C3.5060206@jonkmans.com>, <4AA6C72C.8010809@jonkmans.com>
	<MTAwMDAxOS5ic2Nobnps.1252448539@quikprotect>
Message-ID: <1252448891.55402.134.camel@localhost>

On Tue, 2009-09-08 at 18:22 -0400, Bill Scherr IV wrote:
>  normal operation should be "\x00\x00""
[...]
>   Should we do:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS
> Remote SMB2.0 DoS Exploit"; flow:to_server,established;
> content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00
> 26|"; within 2; classtype:attempted-dos;


No, we should do content:!"|00 00|";  :)  I fell for that too at first.
It's already updated in the rules.

Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/fe087285/attachment.bin

From bschnzl at cotse.net  Tue Sep  8 18:54:27 2009
From: bschnzl at cotse.net (Bill Scherr IV)
Date: Tue, 08 Sep 2009 18:54:27 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <1252448891.55402.134.camel@localhost>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>,
	<MTAwMDAxOS5ic2Nobnps.1252448539@quikprotect>,
	<1252448891.55402.134.camel@localhost>
Message-ID: <MTAwMDA0NS5ic2Nobnps.1252450469@quikprotect>

Doh!

   Missed the "bang".  That's what I get for not switching to fixed pitch fonts...

B.

Circa 17:28, 8 Sep 2009, a note, claiming source Frank Knobbe <frank at knobbe.us>, was sent to me:

Subject:	Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
From:	Frank Knobbe <frank at knobbe.us>
To:	bschnzl at cotse.net
Copies to:	Emerging Threats Signatures <emerging-sigs at emergingthreats.net>
Date sent:	Tue, 08 Sep 2009 17:28:11 -0500

> On Tue, 2009-09-08 at 18:22 -0400, Bill Scherr IV wrote:
> >  normal operation should be "\x00\x00""
> [...]
> >   Should we do:
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS
> > Remote SMB2.0 DoS Exploit"; flow:to_server,established;
> > content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00
> > 26|"; within 2; classtype:attempted-dos;
> 
> 
> No, we should do content:!"|00 00|";  :)  I fell for that too at first.
> It's already updated in the rules.
> 
> Cheers,
> Frank
> 
> 


Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at iit-tek.com
bscherr at ewa.com
703-478-7608


From eslerj at gmail.com  Tue Sep  8 19:13:13 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 19:13:13 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68A81.40302@packetmail.net> <4AA698A1.1050104@jonkmans.com>
	<4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
Message-ID: <314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>

SOME of the rules are written that way because of contractual agreements
with Microsoft under the MAPP program.
http://www.microsoft.com/security/msrc/collaboration/mapp.aspx

However, the vast majority of the VRT rules are open for everyone to read.

You may discuss the rules and make improvements upon the rules on Snort's
lists, you may not, however, post or distribute the rule.

I suggest people A) Check out the License, because clearly there is
misunderstanding and FUD being spread, and B) Check out the rules to clear
up the FUD.  (They are closed, we can't download them, other misc lies.)

It's not about competition between "community" vs. "Sourcefire" as some
people have tried to make it out to be.  I wish that would stop.  I
discussed this at length in an earlier email.

That being said...  there are no negative content matches in the VRT rule.

J



On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster <guise.mcallaster at gmail.com
> wrote:

> I thought the VRT rules are compiled so you can't see them in the clear
> unless you reverse engineer it and reconstruct them.  Am I wrong?  If so,
> can some one post it here?  Matt has a good point about comparing it -- the
> more info we have the better.  Sharing and empowerment is what gives the
> open source community the strength.  Unless, of course, you aren't open
> source and then it is all about competitive advantage and money, greed, etc.
>
> Guise (a.k.a. G)
>
>
> On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com> wrote:
>
>> No, the license would prevent me from posting them.  Not from you seeing
>> them.  I am sure plenty of people on this list have a VRT subscription.
>> No FUD spreading.
>>
>> J
>>
>>
>> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com>wrote:
>>
>>> :)
>>>
>>> The license would prevent us from doing so. Or even seeing them at this
>>> point.
>>>
>>> If you'd like to post it here so we can compare that'd be appreciated.
>>>
>>> Matt
>>>
>>> Joel Esler wrote:
>>> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
>>> >
>>> > J
>>> >
>>> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
>>> > <mailto:jonkman at jonkmans.com>> wrote:
>>> >
>>> >     Committed, again all please test. Thanks Jax and Christopher!
>>> >
>>> >     Matt
>>> >
>>> >     Campesi, Christopher wrote:
>>> >     >  I looked at the results of the sig and it hit way more than I
>>> >     expected,
>>> >     > sorry about that. I took what Jax replied with and used that as
>>> >     the only
>>> >     > content match, that resulted in no FPs so far, like he said.
>>> >     >
>>> >     >
>>> >     >
>>> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>> (msg:"Windows7/Vista/2k8
>>> >     > SMB2.0 DoS
>>> Exploit";flow:to_server,established;content:"|ff|SMB|72
>>> >     00 00
>>> >     > 00 00 18 53 c8 00
>>> >     >
>>> >     26|";offset:4;classtype:attempted-dos;reference:url,
>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>> >;)
>>> >     >
>>> >     >
>>> >     >
>>> >     > -Chris
>>> >     >
>>> >     > *From:* emerging-sigs-bounces at emergingthreats.net
>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf Of
>>> >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>> >     > *To:* Matt Jonkman
>>> >     > *Cc:* Emerging Threats Signatures
>>> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>>> >     >
>>> >     >
>>> >     >
>>> >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
>>> >     > var EXTERNAL_NET any
>>> >     >
>>> >     > RFC1918 -> RFC1918
>>> >     >
>>> >     > One of many examples, some including
>>> >     >
>>> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>> Flags
>>> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
>>> (REQUEST)
>>> >     >
>>> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>>> >      E....D at .........
>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>>> >      .`...m..."..l.8.
>>> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>>> >      P..y.w.......SMB
>>> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>>> >      %.........k.y;w.
>>> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>>> >      .s...x.....L...4
>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>> >      ................
>>> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>>> >      .T.4.T...&...E..
>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>> >      \.P.I.P.E.\.....
>>> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>>> >      ........4.......
>>> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>>> >      ............u.<.
>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>>> >      C..H.S.V.$B.....
>>> >     >         0x00b0:  007d 0000                                .}..
>>> >     >
>>> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>> Flags
>>> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
>>> (REQUEST)
>>> >     >
>>> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>>> >      E....G at .........
>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>>> >      .`...m..."..l.:(
>>> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>>> >      P....P.......SMB
>>> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>>> >      %.........0.....
>>> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>>> >      .....x....DM...,
>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>> >      ................
>>> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>>> >      .T.,.T...&...=..
>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>> >      \.P.I.P.E.\.....
>>> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>>> >      ........,.......
>>> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>>> >      ............u.<.
>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>>>  C..H.S.V.$B.
>>> >     >
>>> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>> Flags
>>> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
>>> (REQUEST)
>>> >     >
>>> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>>> >      E....;@.........
>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>>> >      .`...m...".6l.5.
>>> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>>> >      P............SMB
>>> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>>> >      %..........R:x..
>>> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>>> >      F....x.....J...X
>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>> >      ................
>>> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>>> >      .T.X.T...&...i..
>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>> >      \.P.I.P.E.\.....
>>> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>>> >      ........X.......
>>> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>>> >      @.....,..(......
>>> >     >         (*SNIPPED*)
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     > Matt Jonkman wrote:
>>> >     >
>>> >     > Internal to internal? Or external inbound?
>>> >     >
>>> >     >
>>> >     >
>>> >     > Matt
>>> >     >
>>> >     >
>>> >     >
>>> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>> >     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net
>>> >>
>>> >     wrote:
>>> >     >
>>> >     >
>>> >     >
>>> >     >     Falsing heavily here, as in, mapping the network.  I can
>>> provide
>>> >     >
>>> >     >     specifics if necessary.
>>> >     >
>>> >     >
>>> >     >
>>> >     >     Matt Jonkman wrote:
>>> >     >
>>> >     >
>>> >     >
>>> >     >         Thanks Christopher, posted for testing. Please give
>>> >     feedback. This is an
>>> >     >
>>> >     >         ugly problem...
>>> >     >
>>> >     >
>>> >     >
>>> >     >         Matt
>>> >     >
>>> >     >
>>> >     >
>>> >     >         Campesi, Christopher wrote:
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>> >     (msg:"Remote SMB2.0 DoS
>>> >     >
>>> >     >
>>> >
>>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>> >     >
>>> >     >
>>> >     26|";distance:7;classtype:attempted-dos;reference:url,
>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>> >;)
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >             http://securityreason.com/exploitalert/7138
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >             -Chris
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >
>>> ------------------------------------------------------------------------
>>> >     >
>>> >     >
>>> >     >
>>> >     >             _______________________________________________
>>> >     >
>>> >     >             Emerging-sigs mailing list
>>> >     >
>>> >     >             Emerging-sigs at emergingthreats.net
>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>>> >     >
>>> >     >
>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >     _______________________________________________
>>> >     >
>>> >     >     Emerging-sigs mailing list
>>> >     >
>>> >     >     Emerging-sigs at emergingthreats.net
>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>>> >     >
>>> >     >
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >     >
>>> >
>>> >     --
>>> >     --------------------------------------------
>>> >     Matthew Jonkman
>>> >     Emerging Threats
>>> >     Open Information Security Foundation (OISF)
>>> >     Phone 765-429-0398
>>> >     Fax 312-264-0205
>>> >     http://www.emergingthreats.net
>>> >     http://www.openinformationsecurityfoundation.org
>>> >     --------------------------------------------
>>> >
>>> >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>> >
>>> >
>>> >     _______________________________________________
>>> >     Emerging-sigs mailing list
>>> >     Emerging-sigs at emergingthreats.net
>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> >
>>> >
>>> >
>>> >
>>> ------------------------------------------------------------------------
>>> >
>>> > _______________________________________________
>>> > Emerging-sigs mailing list
>>> > Emerging-sigs at emergingthreats.net
>>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> --
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF)
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> http://www.openinformationsecurityfoundation.org
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/82721720/attachment-0001.html

From evilghost at packetmail.net  Tue Sep  8 19:44:26 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 8 Sep 2009 18:44:26 -0500
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com>	<4AA6A04F.8060607@packetmail.net>	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>	<4AA6A7C3.5060206@jonkmans.com>	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>	<4AA6C760.2060200@jonkmans.com>	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
Message-ID: <4AA6EC5A.7040705@packetmail.net>

Thanks Joel for clearing this up.  Where can I get a copy of this rule 
so that, as a community, improvements can be made?  Since these rules 
are centered around a subscription model is there a community-centric 
subscription where improvements can be made (as suggested)?  For 
example, should improvements be made to this rule, as a derivative from 
the VRT rule, would I be eligible for compensation or are the benefits 
of community efforts only one-sided and beneficial to SourceFire?  I'm 
guessing I can't get a copy of this rule unless I wait 30+ days or start 
throwing cash at SourceFire?

I'm certainly not trying to insult you on a personal level but tell me 
how I can download the VRT rule for analysis?  Ya'll (SourceFire) spin 
this "community" stuff but honestly my back is hurting from these 
"community" friendly companies standing on my shoulders while rifling 
through my pockets.

IMHO the "VRT has this" was spam, likely that wasn't the intent, but all 
it did was advertise VRT and create questions around licensing 
conditions.  Rather than pointing us to a snipe-hunt in a 
subscription-based licensed model I'd find more value in actual content :)

-evilghost


Joel Esler wrote:
> SOME of the rules are written that way because of contractual 
> agreements with Microsoft under the MAPP program. 
> http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>
> However, the vast majority of the VRT rules are open for everyone to read.
>
> You may discuss the rules and make improvements upon the rules on 
> Snort's lists, you may not, however, post or distribute the rule.
>
> I suggest people A) Check out the License, because clearly there is 
> misunderstanding and FUD being spread, and B) Check out the rules to 
> clear up the FUD.  (They are closed, we can't download them, other 
> misc lies.)
>
> It's not about competition between "community" vs. "Sourcefire" as 
> some people have tried to make it out to be.  I wish that would stop. 
>  I discussed this at length in an earlier email.
>
> That being said...  there are no negative content matches in the VRT rule.
>
> J
>
>
>
> On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster 
> <guise.mcallaster at gmail.com <mailto:guise.mcallaster at gmail.com>> wrote:
>
>     I thought the VRT rules are compiled so you can't see them in the
>     clear unless you reverse engineer it and reconstruct them.  Am I
>     wrong?  If so, can some one post it here?  Matt has a good point
>     about comparing it -- the more info we have the better.  Sharing
>     and empowerment is what gives the open source community the
>     strength.  Unless, of course, you aren't open source and then it
>     is all about competitive advantage and money, greed, etc.
>
>     Guise (a.k.a. G)
>
>
>     On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com
>     <mailto:eslerj at gmail.com>> wrote:
>
>         No, the license would prevent me from posting them.  Not from
>         you seeing them.  I am sure plenty of people on this list have
>         a VRT subscription.
>
>         No FUD spreading.
>
>         J
>
>
>         On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman
>         <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>> wrote:
>
>             :)
>
>             The license would prevent us from doing so. Or even seeing
>             them at this
>             point.
>
>             If you'd like to post it here so we can compare that'd be
>             appreciated.
>
>             Matt
>
>             Joel Esler wrote:
>             > FWIW, VRT just put one out if you want to look at it.
>              It's Gid:1.
>             >
>             > J
>             >
>             > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman
>             <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>
>             > <mailto:jonkman at jonkmans.com
>             <mailto:jonkman at jonkmans.com>>> wrote:
>             >
>             >     Committed, again all please test. Thanks Jax and
>             Christopher!
>             >
>             >     Matt
>             >
>             >     Campesi, Christopher wrote:
>             >     >  I looked at the results of the sig and it hit way
>             more than I
>             >     expected,
>             >     > sorry about that. I took what Jax replied with and
>             used that as
>             >     the only
>             >     > content match, that resulted in no FPs so far,
>             like he said.
>             >     >
>             >     >
>             >     >
>             >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>             (msg:"Windows7/Vista/2k8
>             >     > SMB2.0 DoS
>             Exploit";flow:to_server,established;content:"|ff|SMB|72
>             >     00 00
>             >     > 00 00 18 53 c8 00
>             >     >
>             >    
>             26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>             <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>             >    
>             <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>             >     >
>             >     >
>             >     >
>             >     > -Chris
>             >     >
>             >     > *From:* emerging-sigs-bounces at emergingthreats.net
>             <mailto:emerging-sigs-bounces at emergingthreats.net>
>             >     <mailto:emerging-sigs-bounces at emergingthreats.net
>             <mailto:emerging-sigs-bounces at emergingthreats.net>>
>             >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>             <mailto:emerging-sigs-bounces at emergingthreats.net>
>             >     <mailto:emerging-sigs-bounces at emergingthreats.net
>             <mailto:emerging-sigs-bounces at emergingthreats.net>>] *On
>             Behalf Of
>             >     > *evilghost at packetmail.net
>             <mailto:evilghost at packetmail.net>
>             <mailto:evilghost at packetmail.net
>             <mailto:evilghost at packetmail.net>>
>             >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>             >     > *To:* Matt Jonkman
>             >     > *Cc:* Emerging Threats Signatures
>             >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS
>             Exploit
>             >     >
>             >     >
>             >     >
>             >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>
>             <http://10.0.0.0/8>]
>             >     > var EXTERNAL_NET any
>             >     >
>             >     > RFC1918 -> RFC1918
>             >     >
>             >     > One of many examples, some including
>             >     >
>             >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>             10.96.aa.bb.microsoft-ds: Flags
>             >     > [P.], ack 361669, win 65145, length 140SMB PACKET:
>             SMBtrans (REQUEST)
>             >     >
>             >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4
>             0ad7 cc08
>             >      E....D at .........
>             >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f
>             6c12 38b1
>             >      .`...m..."..l.8.
>             >     >         0x0020:  5018 fe79 ea77 0000 0000 0088
>             ff53 4d42
>             >      P..y.w.......SMB
>             >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5
>             793b 77d3
>             >      %.........k.y;w.
>             >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c
>             1000 0034
>             >      .s...x.....L...4
>             >     >         0x0050:  0000 0000 0400 0000 0000 0000
>             0000 0000
>             >      ................
>             >     >         0x0060:  0054 0034 0054 0002 0026 000e
>             c045 0000
>             >      .T.4.T...&...E..
>             >     >         0x0070:  5c00 5000 4900 5000 4500 5c00
>             0000 0000
>             >      \.P.I.P.E.\.....
>             >     >         0x0080:  0500 0003 1000 0000 3400 0000
>             0f00 0000
>             >      ........4.......
>             >     >         0x0090:  1c00 0000 0000 0d00 0000 0000
>             7599 3ccc
>             >      ............u.<.
>             >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>             ffff ffff
>             >      C..H.S.V.$B.....
>             >     >         0x00b0:  007d 0000                        
>                    .}..
>             >     >
>             >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>             10.96.aa.bb.microsoft-ds: Flags
>             >     > [P.], ack 362044, win 64770, length 132SMB PACKET:
>             SMBtrans (REQUEST)
>             >     >
>             >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9
>             0ad7 cc08
>             >      E....G at .........
>             >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2
>             6c12 3a28
>             >      .`...m..."..l.:(
>             >     >         0x0020:  5018 fd02 0650 0000 0000 0080
>             ff53 4d42
>             >      P....P.......SMB
>             >     >         0x0030:  2500 0000 0018 07c8 0000 300c
>             85e5 0f16
>             >      %.........0.....
>             >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d
>             1000 002c
>             >      .....x....DM...,
>             >     >         0x0050:  0000 0000 0400 0000 0000 0000
>             0000 0000
>             >      ................
>             >     >         0x0060:  0054 002c 0054 0002 0026 0002
>             c03d 0000
>             >      .T.,.T...&...=..
>             >     >         0x0070:  5c00 5000 4900 5000 4500 5c00
>             0000 0000
>             >      \.P.I.P.E.\.....
>             >     >         0x0080:  0500 0003 1000 0000 2c00 0000
>             1000 0000
>             >      ........,.......
>             >     >         0x0090:  1400 0000 0000 0000 0000 0000
>             7599 3ccc
>             >      ............u.<.
>             >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201    
>                    C..H.S.V.$B.
>             >     >
>             >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>             10.96.aa.bb.microsoft-ds: Flags
>             >     > [P.], ack 360908, win 64520, length 176SMB PACKET:
>             SMBtrans (REQUEST)
>             >     >
>             >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589
>             0ad7 cc08
>             >      E....;@.........
>             >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36
>             6c12 35b8
>             >      .`...m...".6l.5.
>             >     >         0x0020:  5018 fc08 877f 0000 0000 00ac
>             ff53 4d42
>             >      P............SMB
>             >     >         0x0030:  2500 0000 0018 07c8 0000 9f52
>             3a78 b920
>             >      %..........R:x..
>             >     >         0x0040:  4608 0000 0178 f80c 02e0 834a
>             1000 0058
>             >      F....x.....J...X
>             >     >         0x0050:  0000 0000 0400 0000 0000 0000
>             0000 0000
>             >      ................
>             >     >         0x0060:  0054 0058 0054 0002 0026 0009
>             c069 0000
>             >      .T.X.T...&...i..
>             >     >         0x0070:  5c00 5000 4900 5000 4500 5c00
>             0000 0000
>             >      \.P.I.P.E.\.....
>             >     >         0x0080:  0500 0003 1000 0000 5800 0000
>             0700 0000
>             >      ........X.......
>             >     >         0x0090:  4000 0000 0000 2c00 b028 0d00
>             0a00 0000
>             >      @.....,..(......
>             >     >         (*SNIPPED*)
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     > Matt Jonkman wrote:
>             >     >
>             >     > Internal to internal? Or external inbound?
>             >     >
>             >     >
>             >     >
>             >     > Matt
>             >     >
>             >     >
>             >     >
>             >     > evilghost at packetmail.net
>             <mailto:evilghost at packetmail.net>
>             <mailto:evilghost at packetmail.net
>             <mailto:evilghost at packetmail.net>>
>             >     <mailto:evilghost at packetmail.net
>             <mailto:evilghost at packetmail.net>
>             <mailto:evilghost at packetmail.net
>             <mailto:evilghost at packetmail.net>>>
>             >     wrote:
>             >     >
>             >     >
>             >     >
>             >     >     Falsing heavily here, as in, mapping the
>             network.  I can provide
>             >     >
>             >     >     specifics if necessary.
>             >     >
>             >     >
>             >     >
>             >     >     Matt Jonkman wrote:
>             >     >
>             >     >
>             >     >
>             >     >         Thanks Christopher, posted for testing.
>             Please give
>             >     feedback. This is an
>             >     >
>             >     >         ugly problem...
>             >     >
>             >     >
>             >     >
>             >     >         Matt
>             >     >
>             >     >
>             >     >
>             >     >         Campesi, Christopher wrote:
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >             alert tcp $EXTERNAL_NET any ->
>             $HOME_NET 445
>             >     (msg:"Remote SMB2.0 DoS
>             >     >
>             >     >
>             >    
>             Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>             >     >
>             >     >
>             >    
>             26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>             <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>             >    
>             <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >            
>             http://securityreason.com/exploitalert/7138
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >             -Chris
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >    
>             ------------------------------------------------------------------------
>             >     >
>             >     >
>             >     >
>             >     >            
>             _______________________________________________
>             >     >
>             >     >             Emerging-sigs mailing list
>             >     >
>             >     >             Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>
>             >     <mailto:Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>>
>             >     <mailto:Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>
>             >     <mailto:Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>>>
>             >     >
>             >     >
>             >    
>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >     _______________________________________________
>             >     >
>             >     >     Emerging-sigs mailing list
>             >     >
>             >     >     Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>
>             >     <mailto:Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>>
>             >     <mailto:Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>
>             >     <mailto:Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>>>
>             >     >
>             >     >    
>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >     >
>             >
>             >     --
>             >     --------------------------------------------
>             >     Matthew Jonkman
>             >     Emerging Threats
>             >     Open Information Security Foundation (OISF)
>             >     Phone 765-429-0398
>             >     Fax 312-264-0205
>             >     http://www.emergingthreats.net
>             >     http://www.openinformationsecurityfoundation.org
>             >     --------------------------------------------
>             >
>             >     PGP: http://www.jonkmans.com/mattjonkman.asc
>             >
>             >
>             >     _______________________________________________
>             >     Emerging-sigs mailing list
>             >     Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>
>             >     <mailto:Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>>
>             >    
>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>             >
>             >
>             >
>             >
>             ------------------------------------------------------------------------
>             >
>             > _______________________________________________
>             > Emerging-sigs mailing list
>             > Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>
>             >
>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>             --
>             --------------------------------------------
>             Matthew Jonkman
>             Emerging Threats
>             Open Information Security Foundation (OISF)
>             Phone 765-429-0398
>             Fax 312-264-0205
>             http://www.emergingthreats.net
>             http://www.openinformationsecurityfoundation.org
>             --------------------------------------------
>
>             PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
>         _______________________________________________
>         Emerging-sigs mailing list
>         Emerging-sigs at emergingthreats.net
>         <mailto:Emerging-sigs at emergingthreats.net>
>         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/98955664/attachment-0001.html

From kevross33 at googlemail.com  Tue Sep  8 19:44:50 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 9 Sep 2009 00:44:50 +0100
Subject: [Emerging-Sigs] 4 SQL Injection Sigs,
	Can Someone Check My PCRE 	Though
In-Reply-To: <1252440237.55402.115.camel@localhost>
References: <e75cc74a0908190235j7435e685q1d22ece1fd9bd50c@mail.gmail.com>
	<1252440237.55402.115.camel@localhost>
Message-ID: <e75cc74a0909081644q19f2d514x50874d7303352b2e@mail.gmail.com>

Hmmm perhaps a space can go in, I thought %20 was a space in the URI though?
How often does it false positive? What are other's experiences? I haven't
had an FPs with this sig personally at home and at work with 20,000 users
but we don't have any publicly accessible web servers.

Kev

2009/9/8 Frank Knobbe <frank at knobbe.us>

> On Wed, 2009-08-19 at 10:35 +0100, Kevin Ross wrote:
> > Hey. I have written these 4 sigs to catch SQL Injections in Cookies.
> > Can someone please read over it. I also decided to stick a PCRE check
> > also once the content matches were done for accuracy.
>
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB -
> > Possible SELECT FROM SQL Injection In Cookie";
> > flow:to_server,established; content:"Cookie|3A|"; nocase;
> > content:"SELECT"; nocase; content:"FROM"; nocase;
> > pcre:"/SELECT.+FROM/i"; classtype:web-application-attack;
>
> These are falsing on simple things like:
>
> Cookie: SelectedEdition=www; s_sess=[blah]http%
> 2525253A//
> screeningroom.blogs.cnn.com/2009/09/08/postcard-from-venice-clooney-loony-strik
> es/[blah]<http://screeningroom.blogs.cnn.com/2009/09/08/postcard-from-venice-clooney-loony-strik%0Aes/%5Bblah%5D>
>
> Would it be possible to change the "SELECT" to "SELECT " or "SELECT%20"?
> I don't think a space is valid in there, so I assume the cookie would
> contain "SELECT%20". Do you have an actual attack you can compare this
> to?
>
> Thanks,
> Frank
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090909/4005c757/attachment.html

From shepdelacreme at gmail.com  Tue Sep  8 19:51:04 2009
From: shepdelacreme at gmail.com (Daniel Shepherd)
Date: Tue, 8 Sep 2009 19:51:04 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68A81.40302@packetmail.net> <4AA698A1.1050104@jonkmans.com>
	<4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
Message-ID: <613F6F31-F3B6-4A0A-A5A9-6337960C9786@gmail.com>

Joel,

I need some clarification on a few points of the VRT license. You  
yourself say that "You may discuss the rules and make improvements  
upon the rules on Snort's lists, you may not, however, post or  
distribute the rule."

So from that line we can't discuss the rule on this list since it is  
not a snort list. Also we cannot distribute or post the rule...so  
wouldn't that mean that if we look at the rule and make improvements  
to the ET rule we cannot then post that rule to this list, and ET  
would not be able to distribute it as part of their rule set because  
it incorporated ideas from the VRT rule?

Not trying to spread FUD just trying to get an idea of how permissive/ 
non-permissive the license is.

And lastly I'd like to point out that some of the rules are written as  
GID:3 rules which essentially makes them closed source, even if they  
aren't restricted by a contractual agreement. For instance the  
Conficker rules are GID:3 and the recent BIND DoS rule is GID:3

My issue with the way SF operates sometimes is that they specifically  
market themselves as Open Source, when really they are the "most" open  
of the big IDS engines/rules. I.E. ISS is completely closed so yeah  
you are more open than them. It seems to me if SF/VRT wanted to truly  
be open source and community friendly they would release every  
signature as open source, save for the ones under a contractual  
agreement (i.e. MS rules). If VRT doesn't want to give their work away  
then that is also fine, I don't lean one way or another but when you  
are marketing yourselves as open source then you need to live up to  
that claim.

If I'm wrong about those GID3 rules and the source is available  
somewhere then I apologize but I've never been able to get the source.

Dan

On Sep 8, 2009, at 7:13 PM, Joel Esler wrote:

> SOME of the rules are written that way because of contractual  
> agreements with Microsoft under the MAPP program.
> http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>
> However, the vast majority of the VRT rules are open for everyone to  
> read.
>
> You may discuss the rules and make improvements upon the rules on  
> Snort's lists, you may not, however, post or distribute the rule.
>
> I suggest people A) Check out the License, because clearly there is  
> misunderstanding and FUD being spread, and B) Check out the rules to  
> clear up the FUD.  (They are closed, we can't download them, other  
> misc lies.)
>
> It's not about competition between "community" vs. "Sourcefire" as  
> some people have tried to make it out to be.  I wish that would  
> stop.  I discussed this at length in an earlier email.
>
> That being said...  there are no negative content matches in the VRT  
> rule.
>
> J
>
>
>
> On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster <guise.mcallaster at gmail.com 
> > wrote:
> I thought the VRT rules are compiled so you can't see them in the  
> clear unless you reverse engineer it and reconstruct them.  Am I  
> wrong?  If so, can some one post it here?  Matt has a good point  
> about comparing it -- the more info we have the better.  Sharing and  
> empowerment is what gives the open source community the strength.   
> Unless, of course, you aren't open source and then it is all about  
> competitive advantage and money, greed, etc.
>
> Guise (a.k.a. G)
>
>
> On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com> wrote:
> No, the license would prevent me from posting them.  Not from you  
> seeing them.  I am sure plenty of people on this list have a VRT  
> subscription.
>
> No FUD spreading.
>
> J
>
>
> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com>  
> wrote:
> :)
>
> The license would prevent us from doing so. Or even seeing them at  
> this
> point.
>
> If you'd like to post it here so we can compare that'd be appreciated.
>
> Matt
>
> Joel Esler wrote:
> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
> >
> > J
> >
> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
> > <mailto:jonkman at jonkmans.com>> wrote:
> >
> >     Committed, again all please test. Thanks Jax and Christopher!
> >
> >     Matt
> >
> >     Campesi, Christopher wrote:
> >     >  I looked at the results of the sig and it hit way more than I
> >     expected,
> >     > sorry about that. I took what Jax replied with and used that  
> as
> >     the only
> >     > content match, that resulted in no FPs so far, like he said.
> >     >
> >     >
> >     >
> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Windows7/ 
> Vista/2k8
> >     > SMB2.0 DoS Exploit";flow:to_server,established;content:"|ff| 
> SMB|72
> >     00 00
> >     > 00 00 18 53 c8 00
> >     >
> >     26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev: 
> 1>;)
> >     >
> >     >
> >     >
> >     > -Chris
> >     >
> >     > *From:* emerging-sigs-bounces at emergingthreats.net
> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf  
> Of
> >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
> >     > *To:* Matt Jonkman
> >     > *Cc:* Emerging Threats Signatures
> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
> >     >
> >     >
> >     >
> >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
> >     > var EXTERNAL_NET any
> >     >
> >     > RFC1918 -> RFC1918
> >     >
> >     > One of many examples, some including
> >     >
> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft- 
> ds: Flags
> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans  
> (REQUEST)
> >     >
> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
> >      E....D at .........
> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
> >      .`...m..."..l.8.
> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
> >      P..y.w.......SMB
> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
> >      %.........k.y;w.
> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
> >      .s...x.....L...4
> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >      ................
> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
> >      .T.4.T...&...E..
> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >      \.P.I.P.E.\.....
> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
> >      ........4.......
> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
> >      ............u.<.
> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
> >      C..H.S.V.$B.....
> >     >         0x00b0:  007d 0000                                .}..
> >     >
> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft- 
> ds: Flags
> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans  
> (REQUEST)
> >     >
> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
> >      E....G at .........
> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
> >      .`...m..."..l.:(
> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
> >      P....P.......SMB
> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
> >      %.........0.....
> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
> >      .....x....DM...,
> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >      ................
> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
> >      .T.,.T...&...=..
> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >      \.P.I.P.E.\.....
> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
> >      ........,.......
> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
> >      ............u.<.
> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201             
> C..H.S.V.$B.
> >     >
> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft- 
> ds: Flags
> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans  
> (REQUEST)
> >     >
> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
> >      E....;@.........
> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
> >      .`...m...".6l.5.
> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
> >      P............SMB
> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
> >      %..........R:x..
> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
> >      F....x.....J...X
> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >      ................
> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
> >      .T.X.T...&...i..
> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >      \.P.I.P.E.\.....
> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
> >      ........X.......
> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
> >      @.....,..(......
> >     >         (*SNIPPED*)
> >     >
> >     >
> >     >
> >     >
> >     >
> >     > Matt Jonkman wrote:
> >     >
> >     > Internal to internal? Or external inbound?
> >     >
> >     >
> >     >
> >     > Matt
> >     >
> >     >
> >     >
> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
> >     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net 
> >>
> >     wrote:
> >     >
> >     >
> >     >
> >     >     Falsing heavily here, as in, mapping the network.  I can  
> provide
> >     >
> >     >     specifics if necessary.
> >     >
> >     >
> >     >
> >     >     Matt Jonkman wrote:
> >     >
> >     >
> >     >
> >     >         Thanks Christopher, posted for testing. Please give
> >     feedback. This is an
> >     >
> >     >         ugly problem...
> >     >
> >     >
> >     >
> >     >         Matt
> >     >
> >     >
> >     >
> >     >         Campesi, Christopher wrote:
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
> >     (msg:"Remote SMB2.0 DoS
> >     >
> >     >
> >     Exploit";flow:to_server,established;content:"|00|";offset: 
> 0;content:"|ff|SMB";distance:3;content:"|00
> >     >
> >     >
> >     26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev: 
> 1>;)
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >             http://securityreason.com/exploitalert/7138
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >             -Chris
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >      
> ------------------------------------------------------------------------
> >     >
> >     >
> >     >
> >     >             _______________________________________________
> >     >
> >     >             Emerging-sigs mailing list
> >     >
> >     >             Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >
> >     >
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >     _______________________________________________
> >     >
> >     >     Emerging-sigs mailing list
> >     >
> >     >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >
> >     >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> >     --
> >     --------------------------------------------
> >     Matthew Jonkman
> >     Emerging Threats
> >     Open Information Security Foundation (OISF)
> >     Phone 765-429-0398
> >     Fax 312-264-0205
> >     http://www.emergingthreats.net
> >     http://www.openinformationsecurityfoundation.org
> >     --------------------------------------------
> >
> >     PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> >     _______________________________________________
> >     Emerging-sigs mailing list
> >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> >
> >  
> ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/108f3466/attachment-0001.html

From randy at procyonlabs.com  Tue Sep  8 20:42:57 2009
From: randy at procyonlabs.com (Randal T. Rioux)
Date: Tue, 08 Sep 2009 20:42:57 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA68A81.40302@packetmail.net>
	<4AA698A1.1050104@jonkmans.com>	<4AA6A04F.8060607@packetmail.net>	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>	<4AA6A7C3.5060206@jonkmans.com>	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>	<4AA6C760.2060200@jonkmans.com>	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
Message-ID: <4AA6FA11.1000701@procyonlabs.com>

Joel Esler wrote:
<SNIP>
> That being said...  there are no negative content matches in the VRT rule.

Stop teasing! More clues, more clues! :-)

Randy

From eslerj at gmail.com  Tue Sep  8 20:48:56 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 20:48:56 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA6EC5A.7040705@packetmail.net>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
	<4AA6EC5A.7040705@packetmail.net>
Message-ID: <314cf0830909081748y7244e40ar31bf3f736e685c44@mail.gmail.com>

On Tue, Sep 8, 2009 at 7:44 PM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

>  Thanks Joel for clearing this up.  Where can I get a copy of this rule so
> that, as a community, improvements can be made?
>

The rule is available in the subscriber set until the 30 days is expired.



> Since these rules are centered around a subscription model is there a
> community-centric subscription where improvements can be made (as
> suggested)?
>

I believe the license states that if improvements are made to the VRT
ruleset then the rights belong to Sourcefire.  The VRT ruleset is not a GPL
license.



> For example, should improvements be made to this rule, as a derivative from
> the VRT rule, would I be eligible for compensation or are the benefits of
> community efforts only one-sided and beneficial to SourceFire?
>

The benefits are, if you make improvements to the rule, they are submitted
to VRT, where they are throughly tested against millions upon millions of
types of traffic and data.  Then they are redistributed to the community
through the VRT subscription.


> I'm guessing I can't get a copy of this rule unless I wait 30+ days or
> start throwing cash at SourceFire?
>

Correct.


> I'm certainly not trying to insult you on a personal level but tell me how
> I can download the VRT rule for analysis?  Ya'll (SourceFire) spin this
> "community" stuff but honestly my back is hurting from these "community"
> friendly companies standing on my shoulders while rifling through my
> pockets.
>

We aren't charging you for using Snort, I don't see how we are rifling
through your pockets?



> IMHO the "VRT has this" was spam, likely that wasn't the intent, but all it
> did was advertise VRT and create questions around licensing conditions.
>

Exactly why I said "FWIW" in the beginning of the rule.  As I said, there
are plenty of people that have the subscription on this list, and they can
benefit from the 29 bucks we charge for a single license.



> Rather than pointing us to a snipe-hunt in a subscription-based licensed
> model I'd find more value in actual content :)
>

Sorry you feel that way.  The license prohibits me from disclosing the rule.
 As I previously stated.



>
> -evilghost
>
>
> Joel Esler wrote:
>
> SOME of the rules are written that way because of contractual agreements
> with Microsoft under the MAPP program.
> http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>
>  However, the vast majority of the VRT rules are open for everyone to
> read.
>
>  You may discuss the rules and make improvements upon the rules on Snort's
> lists, you may not, however, post or distribute the rule.
>
>  I suggest people A) Check out the License, because clearly there is
> misunderstanding and FUD being spread, and B) Check out the rules to clear
> up the FUD.  (They are closed, we can't download them, other misc lies.)
>
>  It's not about competition between "community" vs. "Sourcefire" as some
> people have tried to make it out to be.  I wish that would stop.  I
> discussed this at length in an earlier email.
>
>  That being said...  there are no negative content matches in the VRT
> rule.
>
>  J
>
>
>
> On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster <
> guise.mcallaster at gmail.com> wrote:
>
>> I thought the VRT rules are compiled so you can't see them in the clear
>> unless you reverse engineer it and reconstruct them.  Am I wrong?  If so,
>> can some one post it here?  Matt has a good point about comparing it -- the
>> more info we have the better.  Sharing and empowerment is what gives the
>> open source community the strength.  Unless, of course, you aren't open
>> source and then it is all about competitive advantage and money, greed, etc.
>>
>> Guise (a.k.a. G)
>>
>> On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com> wrote:
>>
>>> No, the license would prevent me from posting them.  Not from you seeing
>>> them.  I am sure plenty of people on this list have a VRT subscription.
>>>  No FUD spreading.
>>>
>>>  J
>>>
>>> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com>wrote:
>>>
>>>> :)
>>>>
>>>> The license would prevent us from doing so. Or even seeing them at this
>>>> point.
>>>>
>>>> If you'd like to post it here so we can compare that'd be appreciated.
>>>>
>>>> Matt
>>>>
>>>> Joel Esler wrote:
>>>> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
>>>> >
>>>> > J
>>>> >
>>>> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
>>>>  > <mailto:jonkman at jonkmans.com>> wrote:
>>>> >
>>>> >     Committed, again all please test. Thanks Jax and Christopher!
>>>> >
>>>> >     Matt
>>>> >
>>>> >     Campesi, Christopher wrote:
>>>> >     >  I looked at the results of the sig and it hit way more than I
>>>> >     expected,
>>>> >     > sorry about that. I took what Jax replied with and used that as
>>>> >     the only
>>>> >     > content match, that resulted in no FPs so far, like he said.
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>> (msg:"Windows7/Vista/2k8
>>>> >     > SMB2.0 DoS
>>>> Exploit";flow:to_server,established;content:"|ff|SMB|72
>>>> >     00 00
>>>> >     > 00 00 18 53 c8 00
>>>> >     >
>>>> >     26|";offset:4;classtype:attempted-dos;reference:url,
>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>>  >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>> >;)
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > -Chris
>>>> >     >
>>>> >     > *From:* emerging-sigs-bounces at emergingthreats.net
>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf Of
>>>>  >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>>> >     > *To:* Matt Jonkman
>>>> >     > *Cc:* Emerging Threats Signatures
>>>> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>>>> >     >
>>>> >     >
>>>> >     >
>>>>  >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
>>>>  >     > var EXTERNAL_NET any
>>>> >     >
>>>> >     > RFC1918 -> RFC1918
>>>> >     >
>>>> >     > One of many examples, some including
>>>> >     >
>>>> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>>> Flags
>>>> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
>>>> (REQUEST)
>>>> >     >
>>>> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>>>> >      E....D at .........
>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>>>> >      .`...m..."..l.8.
>>>> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>>>> >      P..y.w.......SMB
>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>>>> >      %.........k.y;w.
>>>> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>>>> >      .s...x.....L...4
>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>> >      ................
>>>> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>>>> >      .T.4.T...&...E..
>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>> >      \.P.I.P.E.\.....
>>>> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>>>> >      ........4.......
>>>> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>>>> >      ............u.<.
>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>>>> >      C..H.S.V.$B.....
>>>> >     >         0x00b0:  007d 0000                                .}..
>>>> >     >
>>>> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>>> Flags
>>>> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
>>>> (REQUEST)
>>>> >     >
>>>> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>>>> >      E....G at .........
>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>>>> >      .`...m..."..l.:(
>>>> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>>>> >      P....P.......SMB
>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>>>> >      %.........0.....
>>>> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>>>> >      .....x....DM...,
>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>> >      ................
>>>> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>>>> >      .T.,.T...&...=..
>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>> >      \.P.I.P.E.\.....
>>>> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>>>> >      ........,.......
>>>> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>>>> >      ............u.<.
>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>>>>  C..H.S.V.$B.
>>>> >     >
>>>> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>>> Flags
>>>> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
>>>> (REQUEST)
>>>> >     >
>>>> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>>>> >      E....;@.........
>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>>>> >      .`...m...".6l.5.
>>>> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>>>> >      P............SMB
>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>>>> >      %..........R:x..
>>>> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>>>> >      F....x.....J...X
>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>> >      ................
>>>> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>>>> >      .T.X.T...&...i..
>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>> >      \.P.I.P.E.\.....
>>>> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>>>> >      ........X.......
>>>> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>>>> >      @.....,..(......
>>>> >     >         (*SNIPPED*)
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > Matt Jonkman wrote:
>>>> >     >
>>>> >     > Internal to internal? Or external inbound?
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > Matt
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>>  >     <mailto:evilghost at packetmail.net <mailto:
>>>> evilghost at packetmail.net>>
>>>> >     wrote:
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >     Falsing heavily here, as in, mapping the network.  I can
>>>> provide
>>>> >     >
>>>> >     >     specifics if necessary.
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >     Matt Jonkman wrote:
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >         Thanks Christopher, posted for testing. Please give
>>>> >     feedback. This is an
>>>> >     >
>>>> >     >         ugly problem...
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >         Matt
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >         Campesi, Christopher wrote:
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>> >     (msg:"Remote SMB2.0 DoS
>>>> >     >
>>>> >     >
>>>> >
>>>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>>> >     >
>>>> >     >
>>>> >     26|";distance:7;classtype:attempted-dos;reference:url,
>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>>  >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>> >;)
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >             http://securityreason.com/exploitalert/7138
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >             -Chris
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >
>>>> ------------------------------------------------------------------------
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >             _______________________________________________
>>>> >     >
>>>> >     >             Emerging-sigs mailing list
>>>> >     >
>>>> >     >             Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>> >     >
>>>> >     >
>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >     _______________________________________________
>>>> >     >
>>>> >     >     Emerging-sigs mailing list
>>>> >     >
>>>> >     >     Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>>  >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>> >     >
>>>> >     >
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >
>>>> >     --
>>>> >     --------------------------------------------
>>>> >     Matthew Jonkman
>>>> >     Emerging Threats
>>>> >     Open Information Security Foundation (OISF)
>>>> >     Phone 765-429-0398
>>>> >     Fax 312-264-0205
>>>> >     http://www.emergingthreats.net
>>>> >     http://www.openinformationsecurityfoundation.org
>>>> >     --------------------------------------------
>>>> >
>>>> >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>> >
>>>> >
>>>> >     _______________________________________________
>>>> >     Emerging-sigs mailing list
>>>> >     Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> >
>>>> >
>>>> >
>>>> >
>>>> ------------------------------------------------------------------------
>>>> >
>>>> > _______________________________________________
>>>> > Emerging-sigs mailing list
>>>> > Emerging-sigs at emergingthreats.net
>>>>  > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> --
>>>> --------------------------------------------
>>>> Matthew Jonkman
>>>> Emerging Threats
>>>> Open Information Security Foundation (OISF)
>>>> Phone 765-429-0398
>>>> Fax 312-264-0205
>>>> http://www.emergingthreats.net
>>>> http://www.openinformationsecurityfoundation.org
>>>> --------------------------------------------
>>>>
>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
>  ------------------------------
>
> _______________________________________________
> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/c3d45603/attachment-0001.html

From eslerj at gmail.com  Tue Sep  8 21:02:23 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 21:02:23 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <613F6F31-F3B6-4A0A-A5A9-6337960C9786@gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
	<613F6F31-F3B6-4A0A-A5A9-6337960C9786@gmail.com>
Message-ID: <314cf0830909081802h19bb2a0jcb51d5a2d83b686b@mail.gmail.com>

On Tue, Sep 8, 2009 at 7:51 PM, Daniel Shepherd <shepdelacreme at gmail.com>wrote:

> Joel,
> I need some clarification on a few points of the VRT license. You yourself
> say that "You may discuss the rules and make improvements upon the rules on
> Snort's lists, you may not, however, post or distribute the rule."
>

I paraphrased.  You'll need to read the license.
http://www.snort.org/vrt/rules/vrt_license



> So from that line we can't discuss the rule on this list since it is not a
> snort list. Also we cannot distribute or post the rule...so wouldn't that
> mean that if we look at the rule and make improvements to the ET rule we
> cannot then post that rule to this list, and ET would not be able to
> distribute it as part of their rule set because it incorporated ideas from
> the VRT rule?
>

If you make improvements to the ET rule, you make improvements to the ET
rule.  This rule is separate from the VRT.



> Not trying to spread FUD just trying to get an idea of how
> permissive/non-permissive the license is.
>

Please read the license.


> And lastly I'd like to point out that some of the rules are written as
> GID:3 rules which essentially makes them closed source, even if they aren't
> restricted by a contractual agreement. For instance the Conficker rules are
> GID:3 and the recent BIND DoS rule is GID:3
>

Some rules are written as GID that are non-ms for a reason as well.  A GID 3
rule (Shared Object) is a rule written in the C language, not in Snort rules
language.  Because they are written in C they allow the VRT to do extremely
complicated things inside of a rule that are not possible in GID:1 rules.
 For example, the Conficker rule.  There is some very advanced Floating
Point math in that rule.  That type of thing sure can't be done in a GID:1.



> My issue with the way SF operates sometimes is that they specifically
> market themselves as Open Source, when really they are the "most" open of
> the big IDS engines/rules. I.E. ISS is completely closed so yeah you are
> more open than them. It seems to me if SF/VRT wanted to truly be open source
> and community friendly they would release every signature as open source,
> save for the ones under a contractual agreement (i.e. MS rules). If VRT
> doesn't want to give their work away then that is also fine, I don't lean
> one way or another but when you are marketing yourselves as open source then
> you need to live up to that claim.
>

Some rules can't be done in the normal way, like Confiker, like
Trufflehunter, etc.  That's why the SO rule language was developed.  Anyone
can write an SO rule, just read the documentation and examples that outline
its structure in the Snort manual.  Sourcefire is a complicated company.
 Our engine is open source.  Most of our rules are open and readable, but
you can't resell them or make them available to anyone else.  The VRT
license was created just before I came to Sourcefire, but from what I
understand, the license was created because several companies were taking
the rules, stripping our copyright out of them and selling them.


> If I'm wrong about those GID3 rules and the source is available somewhere
> then I apologize but I've never been able to get the source.
>

Some of the GID3 rules source is available, but I am not exactly sure which
ones, as I haven't looked in a long time (pulledpork manages my rules for
me, saves me all kinds of time in dealing with shared object rules, as it
handles all the shared object rules automatically)



>
> Dan
>
> On Sep 8, 2009, at 7:13 PM, Joel Esler wrote:
>
> SOME of the rules are written that way because of contractual agreements
> with Microsoft under the MAPP program.
> http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>
> However, the vast majority of the VRT rules are open for everyone to read.
>
> You may discuss the rules and make improvements upon the rules on Snort's
> lists, you may not, however, post or distribute the rule.
>
> I suggest people A) Check out the License, because clearly there is
> misunderstanding and FUD being spread, and B) Check out the rules to clear
> up the FUD.  (They are closed, we can't download them, other misc lies.)
>
> It's not about competition between "community" vs. "Sourcefire" as some
> people have tried to make it out to be.  I wish that would stop.  I
> discussed this at length in an earlier email.
>
> That being said...  there are no negative content matches in the VRT rule.
>
> J
>
>
>
> On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster <
> guise.mcallaster at gmail.com> wrote:
>
>> I thought the VRT rules are compiled so you can't see them in the clear
>> unless you reverse engineer it and reconstruct them.  Am I wrong?  If so,
>> can some one post it here?  Matt has a good point about comparing it -- the
>> more info we have the better.  Sharing and empowerment is what gives the
>> open source community the strength.  Unless, of course, you aren't open
>> source and then it is all about competitive advantage and money, greed, etc.
>>
>> Guise (a.k.a. G)
>>
>>
>> On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com> wrote:
>>
>>> No, the license would prevent me from posting them.  Not from you seeing
>>> them.  I am sure plenty of people on this list have a VRT subscription.
>>> No FUD spreading.
>>>
>>> J
>>>
>>>
>>> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com>wrote:
>>>
>>>> :)
>>>>
>>>> The license would prevent us from doing so. Or even seeing them at this
>>>> point.
>>>>
>>>> If you'd like to post it here so we can compare that'd be appreciated.
>>>>
>>>> Matt
>>>>
>>>> Joel Esler wrote:
>>>> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
>>>> >
>>>> > J
>>>> >
>>>> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
>>>> > <mailto:jonkman at jonkmans.com>> wrote:
>>>> >
>>>> >     Committed, again all please test. Thanks Jax and Christopher!
>>>> >
>>>> >     Matt
>>>> >
>>>> >     Campesi, Christopher wrote:
>>>> >     >  I looked at the results of the sig and it hit way more than I
>>>> >     expected,
>>>> >     > sorry about that. I took what Jax replied with and used that as
>>>> >     the only
>>>> >     > content match, that resulted in no FPs so far, like he said.
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>> (msg:"Windows7/Vista/2k8
>>>> >     > SMB2.0 DoS
>>>> Exploit";flow:to_server,established;content:"|ff|SMB|72
>>>> >     00 00
>>>> >     > 00 00 18 53 c8 00
>>>> >     >
>>>> >     26|";offset:4;classtype:attempted-dos;reference:url,
>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>> >;)
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > -Chris
>>>> >     >
>>>> >     > *From:* emerging-sigs-bounces at emergingthreats.net
>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf Of
>>>> >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>>> >     > *To:* Matt Jonkman
>>>> >     > *Cc:* Emerging Threats Signatures
>>>> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
>>>> >     > var EXTERNAL_NET any
>>>> >     >
>>>> >     > RFC1918 -> RFC1918
>>>> >     >
>>>> >     > One of many examples, some including
>>>> >     >
>>>> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>>> Flags
>>>> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
>>>> (REQUEST)
>>>> >     >
>>>> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>>>> >      E....D at .........
>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>>>> >      .`...m..."..l.8.
>>>> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>>>> >      P..y.w.......SMB
>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>>>> >      %.........k.y;w.
>>>> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>>>> >      .s...x.....L...4
>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>> >      ................
>>>> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>>>> >      .T.4.T...&...E..
>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>> >      \.P.I.P.E.\.....
>>>> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>>>> >      ........4.......
>>>> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>>>> >      ............u.<.
>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>>>> >      C..H.S.V.$B.....
>>>> >     >         0x00b0:  007d 0000                                .}..
>>>> >     >
>>>> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>>> Flags
>>>> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
>>>> (REQUEST)
>>>> >     >
>>>> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>>>> >      E....G at .........
>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>>>> >      .`...m..."..l.:(
>>>> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>>>> >      P....P.......SMB
>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>>>> >      %.........0.....
>>>> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>>>> >      .....x....DM...,
>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>> >      ................
>>>> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>>>> >      .T.,.T...&...=..
>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>> >      \.P.I.P.E.\.....
>>>> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>>>> >      ........,.......
>>>> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>>>> >      ............u.<.
>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>>>>  C..H.S.V.$B.
>>>> >     >
>>>> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 > 10.96.aa.bb.microsoft-ds:
>>>> Flags
>>>> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
>>>> (REQUEST)
>>>> >     >
>>>> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>>>> >      E....;@.........
>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>>>> >      .`...m...".6l.5.
>>>> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>>>> >      P............SMB
>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>>>> >      %..........R:x..
>>>> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>>>> >      F....x.....J...X
>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>> >      ................
>>>> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>>>> >      .T.X.T...&...i..
>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>> >      \.P.I.P.E.\.....
>>>> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>>>> >      ........X.......
>>>> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>>>> >      @.....,..(......
>>>> >     >         (*SNIPPED*)
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > Matt Jonkman wrote:
>>>> >     >
>>>> >     > Internal to internal? Or external inbound?
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > Matt
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>> >     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net
>>>> >>
>>>> >     wrote:
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >     Falsing heavily here, as in, mapping the network.  I can
>>>> provide
>>>> >     >
>>>> >     >     specifics if necessary.
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >     Matt Jonkman wrote:
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >         Thanks Christopher, posted for testing. Please give
>>>> >     feedback. This is an
>>>> >     >
>>>> >     >         ugly problem...
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >         Matt
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >         Campesi, Christopher wrote:
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>> >     (msg:"Remote SMB2.0 DoS
>>>> >     >
>>>> >     >
>>>> >
>>>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>>> >     >
>>>> >     >
>>>> >     26|";distance:7;classtype:attempted-dos;reference:url,
>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>> >;)
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >             http://securityreason.com/exploitalert/7138
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >             -Chris
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >
>>>> ------------------------------------------------------------------------
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >             _______________________________________________
>>>> >     >
>>>> >     >             Emerging-sigs mailing list
>>>> >     >
>>>> >     >             Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>> >     >
>>>> >     >
>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >     _______________________________________________
>>>> >     >
>>>> >     >     Emerging-sigs mailing list
>>>> >     >
>>>> >     >     Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>> >     >
>>>> >     >
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >     >
>>>> >
>>>> >     --
>>>> >     --------------------------------------------
>>>> >     Matthew Jonkman
>>>> >     Emerging Threats
>>>> >     Open Information Security Foundation (OISF)
>>>> >     Phone 765-429-0398
>>>> >     Fax 312-264-0205
>>>> >     http://www.emergingthreats.net
>>>> >     http://www.openinformationsecurityfoundation.org
>>>> >     --------------------------------------------
>>>> >
>>>> >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>> >
>>>> >
>>>> >     _______________________________________________
>>>> >     Emerging-sigs mailing list
>>>> >     Emerging-sigs at emergingthreats.net
>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> >
>>>> >
>>>> >
>>>> >
>>>> ------------------------------------------------------------------------
>>>> >
>>>> > _______________________________________________
>>>> > Emerging-sigs mailing list
>>>> > Emerging-sigs at emergingthreats.net
>>>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> --
>>>> --------------------------------------------
>>>> Matthew Jonkman
>>>> Emerging Threats
>>>> Open Information Security Foundation (OISF)
>>>> Phone 765-429-0398
>>>> Fax 312-264-0205
>>>> http://www.emergingthreats.net
>>>> http://www.openinformationsecurityfoundation.org
>>>> --------------------------------------------
>>>>
>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/9961b1f7/attachment-0001.html

From kevross33 at googlemail.com  Tue Sep  8 21:03:44 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 9 Sep 2009 02:03:44 +0100
Subject: [Emerging-Sigs] TCP/IP 0 window Dos sig attempt
Message-ID: <e75cc74a0909081803m1b2456acmdc57852708599488@mail.gmail.com>

I am unsure of this sig big time for accuracy and false positives. However;
I still thought I might have a go :) Anyhoo what I have here is a window
size of 0 (not sure if flags are needed as I guess it could be anything)
then a large number of them to a single destination (though I am unsure how
many and how fast the connections can be made to exhaust connections).

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Possible TCP/IP
Window Size Processing Denial of Service Vulnerability"; flow:to_client;
window:0; threshold: type threshold, track by_src, count 100, seconds 60;
clastype:attempted-dos; reference:url,
tools.cisco.com/security/center/viewAlert.x?alertId=18799; reference:url,
www.securityfocus.com/bid/31545/info; sid:18000001; rev:1;)

Anyone know anymore or is this type of weakness in the TCP/IP Stack not good
sig material?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090909/a8a4edd2/attachment.html

From guise.mcallaster at gmail.com  Tue Sep  8 21:09:45 2009
From: guise.mcallaster at gmail.com (Guise McAllaster)
Date: Wed, 9 Sep 2009 01:09:45 +0000
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081748y7244e40ar31bf3f736e685c44@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
	<4AA6EC5A.7040705@packetmail.net>
	<314cf0830909081748y7244e40ar31bf3f736e685c44@mail.gmail.com>
Message-ID: <ab3c24b60909081809w32b0987eu7b003bba4a06ee42@mail.gmail.com>

Very enlightening, indeed.  Now I would like to propose an "ET License" that
is pretty much exactly like a GPL license except that the contents that it
protects cannot in any way, ever be used by Sourcefire/VRT (for example, to
make money).  Of course the real open source community can benefit all she
wants, especially since it will share the fruits of its labor with others
and recognize that its product is not simply a product of itself but a
result of positive collaboration and freedom (as in open source).

Matt, can we institute an ET License so the SF/VRT leeches can't legally
make money off the hard work of caring and sharing people?

It seems like all this, "VRT just put one out if you want to look at it"
talk is really is snake oil b/c there really isn't a way to "look at it"
(and even if you are a VRT subscriber, can you see the plaintext (i.e.
uncompiled) rule?).

Please post it J, since you have already announced its existence and
implored us to check it out.

*G*

On Wed, Sep 9, 2009 at 12:48 AM, Joel Esler <eslerj at gmail.com> wrote:

> On Tue, Sep 8, 2009 at 7:44 PM, evilghost at packetmail.net <
> evilghost at packetmail.net> wrote:
>
>>  Thanks Joel for clearing this up.  Where can I get a copy of this rule so
>> that, as a community, improvements can be made?
>>
>
> The rule is available in the subscriber set until the 30 days is expired.
>
>
>
>> Since these rules are centered around a subscription model is there a
>> community-centric subscription where improvements can be made (as
>> suggested)?
>>
>
> I believe the license states that if improvements are made to the VRT
> ruleset then the rights belong to Sourcefire.  The VRT ruleset is not a GPL
> license.
>
>
>
>> For example, should improvements be made to this rule, as a derivative
>> from the VRT rule, would I be eligible for compensation or are the benefits
>> of community efforts only one-sided and beneficial to SourceFire?
>>
>
> The benefits are, if you make improvements to the rule, they are submitted
> to VRT, where they are throughly tested against millions upon millions of
> types of traffic and data.  Then they are redistributed to the community
> through the VRT subscription.
>
>
>> I'm guessing I can't get a copy of this rule unless I wait 30+ days or
>> start throwing cash at SourceFire?
>>
>
> Correct.
>
>
>> I'm certainly not trying to insult you on a personal level but tell me how
>> I can download the VRT rule for analysis?  Ya'll (SourceFire) spin this
>> "community" stuff but honestly my back is hurting from these "community"
>> friendly companies standing on my shoulders while rifling through my
>> pockets.
>>
>
> We aren't charging you for using Snort, I don't see how we are rifling
> through your pockets?
>
>
>
>> IMHO the "VRT has this" was spam, likely that wasn't the intent, but all
>> it did was advertise VRT and create questions around licensing conditions.
>>
>
> Exactly why I said "FWIW" in the beginning of the rule.  As I said, there
> are plenty of people that have the subscription on this list, and they can
> benefit from the 29 bucks we charge for a single license.
>
>
>
>> Rather than pointing us to a snipe-hunt in a subscription-based licensed
>> model I'd find more value in actual content :)
>>
>
> Sorry you feel that way.  The license prohibits me from disclosing the
> rule.  As I previously stated.
>
>
>
>>
>> -evilghost
>>
>>
>> Joel Esler wrote:
>>
>> SOME of the rules are written that way because of contractual agreements
>> with Microsoft under the MAPP program.
>> http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>>
>>  However, the vast majority of the VRT rules are open for everyone to
>> read.
>>
>>  You may discuss the rules and make improvements upon the rules on
>> Snort's lists, you may not, however, post or distribute the rule.
>>
>>  I suggest people A) Check out the License, because clearly there is
>> misunderstanding and FUD being spread, and B) Check out the rules to clear
>> up the FUD.  (They are closed, we can't download them, other misc lies.)
>>
>>  It's not about competition between "community" vs. "Sourcefire" as some
>> people have tried to make it out to be.  I wish that would stop.  I
>> discussed this at length in an earlier email.
>>
>>  That being said...  there are no negative content matches in the VRT
>> rule.
>>
>>  J
>>
>>
>>
>> On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster <
>> guise.mcallaster at gmail.com> wrote:
>>
>>> I thought the VRT rules are compiled so you can't see them in the clear
>>> unless you reverse engineer it and reconstruct them.  Am I wrong?  If so,
>>> can some one post it here?  Matt has a good point about comparing it -- the
>>> more info we have the better.  Sharing and empowerment is what gives the
>>> open source community the strength.  Unless, of course, you aren't open
>>> source and then it is all about competitive advantage and money, greed, etc.
>>>
>>> Guise (a.k.a. G)
>>>
>>> On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com> wrote:
>>>
>>>> No, the license would prevent me from posting them.  Not from you seeing
>>>> them.  I am sure plenty of people on this list have a VRT subscription.
>>>>  No FUD spreading.
>>>>
>>>>  J
>>>>
>>>> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com>wrote:
>>>>
>>>>> :)
>>>>>
>>>>> The license would prevent us from doing so. Or even seeing them at this
>>>>> point.
>>>>>
>>>>> If you'd like to post it here so we can compare that'd be appreciated.
>>>>>
>>>>> Matt
>>>>>
>>>>> Joel Esler wrote:
>>>>> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
>>>>> >
>>>>> > J
>>>>> >
>>>>> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
>>>>>  > <mailto:jonkman at jonkmans.com>> wrote:
>>>>> >
>>>>> >     Committed, again all please test. Thanks Jax and Christopher!
>>>>> >
>>>>> >     Matt
>>>>> >
>>>>> >     Campesi, Christopher wrote:
>>>>> >     >  I looked at the results of the sig and it hit way more than I
>>>>> >     expected,
>>>>> >     > sorry about that. I took what Jax replied with and used that as
>>>>> >     the only
>>>>> >     > content match, that resulted in no FPs so far, like he said.
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>>> (msg:"Windows7/Vista/2k8
>>>>> >     > SMB2.0 DoS
>>>>> Exploit";flow:to_server,established;content:"|ff|SMB|72
>>>>> >     00 00
>>>>> >     > 00 00 18 53 c8 00
>>>>> >     >
>>>>> >     26|";offset:4;classtype:attempted-dos;reference:url,
>>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>>>  >     <
>>>>> http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > -Chris
>>>>> >     >
>>>>> >     > *From:* emerging-sigs-bounces at emergingthreats.net
>>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>>> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf
>>>>> Of
>>>>>  >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>>> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>>>> >     > *To:* Matt Jonkman
>>>>> >     > *Cc:* Emerging Threats Signatures
>>>>> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>>  >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
>>>>>  >     > var EXTERNAL_NET any
>>>>> >     >
>>>>> >     > RFC1918 -> RFC1918
>>>>> >     >
>>>>> >     > One of many examples, some including
>>>>> >     >
>>>>> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
>>>>> (REQUEST)
>>>>> >     >
>>>>> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>>>>> >      E....D at .........
>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>>>>> >      .`...m..."..l.8.
>>>>> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>>>>> >      P..y.w.......SMB
>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>>>>> >      %.........k.y;w.
>>>>> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>>>>> >      .s...x.....L...4
>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>> >      ................
>>>>> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>>>>> >      .T.4.T...&...E..
>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>> >      \.P.I.P.E.\.....
>>>>> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>>>>> >      ........4.......
>>>>> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>>>>> >      ............u.<.
>>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>>>>> >      C..H.S.V.$B.....
>>>>> >     >         0x00b0:  007d 0000                                .}..
>>>>> >     >
>>>>> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
>>>>> (REQUEST)
>>>>> >     >
>>>>> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>>>>> >      E....G at .........
>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>>>>> >      .`...m..."..l.:(
>>>>> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>>>>> >      P....P.......SMB
>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>>>>> >      %.........0.....
>>>>> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>>>>> >      .....x....DM...,
>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>> >      ................
>>>>> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>>>>> >      .T.,.T...&...=..
>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>> >      \.P.I.P.E.\.....
>>>>> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>>>>> >      ........,.......
>>>>> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>>>>> >      ............u.<.
>>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>>>>>  C..H.S.V.$B.
>>>>> >     >
>>>>> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
>>>>> (REQUEST)
>>>>> >     >
>>>>> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>>>>> >      E....;@.........
>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>>>>> >      .`...m...".6l.5.
>>>>> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>>>>> >      P............SMB
>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>>>>> >      %..........R:x..
>>>>> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>>>>> >      F....x.....J...X
>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>> >      ................
>>>>> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>>>>> >      .T.X.T...&...i..
>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>> >      \.P.I.P.E.\.....
>>>>> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>>>>> >      ........X.......
>>>>> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>>>>> >      @.....,..(......
>>>>> >     >         (*SNIPPED*)
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > Matt Jonkman wrote:
>>>>> >     >
>>>>> >     > Internal to internal? Or external inbound?
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > Matt
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>>>  >     <mailto:evilghost at packetmail.net <mailto:
>>>>> evilghost at packetmail.net>>
>>>>> >     wrote:
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >     Falsing heavily here, as in, mapping the network.  I can
>>>>> provide
>>>>> >     >
>>>>> >     >     specifics if necessary.
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >     Matt Jonkman wrote:
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >         Thanks Christopher, posted for testing. Please give
>>>>> >     feedback. This is an
>>>>> >     >
>>>>> >     >         ugly problem...
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >         Matt
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >         Campesi, Christopher wrote:
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>>> >     (msg:"Remote SMB2.0 DoS
>>>>> >     >
>>>>> >     >
>>>>> >
>>>>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>>>> >     >
>>>>> >     >
>>>>> >     26|";distance:7;classtype:attempted-dos;reference:url,
>>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>>>  >     <
>>>>> http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >             http://securityreason.com/exploitalert/7138
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >             -Chris
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >
>>>>> ------------------------------------------------------------------------
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >             _______________________________________________
>>>>> >     >
>>>>> >     >             Emerging-sigs mailing list
>>>>> >     >
>>>>> >     >             Emerging-sigs at emergingthreats.net
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>>> >     >
>>>>> >     >
>>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >     _______________________________________________
>>>>> >     >
>>>>> >     >     Emerging-sigs mailing list
>>>>> >     >
>>>>> >     >     Emerging-sigs at emergingthreats.net
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>>>  >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>>> >     >
>>>>> >     >
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >
>>>>> >     --
>>>>> >     --------------------------------------------
>>>>> >     Matthew Jonkman
>>>>> >     Emerging Threats
>>>>> >     Open Information Security Foundation (OISF)
>>>>> >     Phone 765-429-0398
>>>>> >     Fax 312-264-0205
>>>>> >     http://www.emergingthreats.net
>>>>> >     http://www.openinformationsecurityfoundation.org
>>>>> >     --------------------------------------------
>>>>> >
>>>>> >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>> >
>>>>> >
>>>>> >     _______________________________________________
>>>>> >     Emerging-sigs mailing list
>>>>> >     Emerging-sigs at emergingthreats.net
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> ------------------------------------------------------------------------
>>>>> >
>>>>> > _______________________________________________
>>>>> > Emerging-sigs mailing list
>>>>> > Emerging-sigs at emergingthreats.net
>>>>>  > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>> --
>>>>> --------------------------------------------
>>>>> Matthew Jonkman
>>>>> Emerging Threats
>>>>> Open Information Security Foundation (OISF)
>>>>> Phone 765-429-0398
>>>>> Fax 312-264-0205
>>>>> http://www.emergingthreats.net
>>>>> http://www.openinformationsecurityfoundation.org
>>>>> --------------------------------------------
>>>>>
>>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>>
>>>
>>  ------------------------------
>>
>> _______________________________________________
>> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090909/be340d8a/attachment-0001.html

From eslerj at gmail.com  Tue Sep  8 21:26:20 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 21:26:20 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <ab3c24b60909081809w32b0987eu7b003bba4a06ee42@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
	<4AA6EC5A.7040705@packetmail.net>
	<314cf0830909081748y7244e40ar31bf3f736e685c44@mail.gmail.com>
	<ab3c24b60909081809w32b0987eu7b003bba4a06ee42@mail.gmail.com>
Message-ID: <314cf0830909081826u165a0fddk48366c79eb8b8042@mail.gmail.com>

On Tue, Sep 8, 2009 at 9:09 PM, Guise McAllaster <guise.mcallaster at gmail.com
> wrote:

> Very enlightening, indeed.  Now I would like to propose an "ET License"
> that is pretty much exactly like a GPL license except that the contents that
> it protects cannot in any way, ever be used by Sourcefire/VRT (for example,
> to make money).  Of course the real open source community can benefit all
> she wants, especially since it will share the fruits of its labor with
> others and recognize that its product is not simply a product of itself but
> a result of positive collaboration and freedom (as in open source).
>

I think the ET license is currently BSD based.



> Matt, can we institute an ET License so the SF/VRT leeches can't legally
> make money off the hard work of caring and sharing people?
>

This is one of the reasons that the OSSRC was founded years ago, to
coordinate the movement of ET/BS rules into Snort's official sets, however,
some of the people managing this project have left their jobs leaving it
limbo.  This is a project that I hope to take up in the future and
reestablish.



> It seems like all this, "VRT just put one out if you want to look at it"
> talk is really is snake oil b/c there really isn't a way to "look at it"
> (and even if you are a VRT subscriber, can you see the plaintext (i.e.
> uncompiled) rule?).
>

Yes.  Except for some of the SO rules (as previously discussed), you can
look at every rule that is in the VRT set the same as you would the ET
rules.  Who do you think made the rule language up?



> Please post it J, since you have already announced its existence and
> implored us to check it out.
>

I legally cannot.  I'd like to keep my job. :)



>
> *G*
>
>
> On Wed, Sep 9, 2009 at 12:48 AM, Joel Esler <eslerj at gmail.com> wrote:
>
>> On Tue, Sep 8, 2009 at 7:44 PM, evilghost at packetmail.net <
>> evilghost at packetmail.net> wrote:
>>
>>>  Thanks Joel for clearing this up.  Where can I get a copy of this rule
>>> so that, as a community, improvements can be made?
>>>
>>
>> The rule is available in the subscriber set until the 30 days is expired.
>>
>>
>>
>>> Since these rules are centered around a subscription model is there a
>>> community-centric subscription where improvements can be made (as
>>> suggested)?
>>>
>>
>> I believe the license states that if improvements are made to the VRT
>> ruleset then the rights belong to Sourcefire.  The VRT ruleset is not a GPL
>> license.
>>
>>
>>
>>> For example, should improvements be made to this rule, as a derivative
>>> from the VRT rule, would I be eligible for compensation or are the benefits
>>> of community efforts only one-sided and beneficial to SourceFire?
>>>
>>
>> The benefits are, if you make improvements to the rule, they are submitted
>> to VRT, where they are throughly tested against millions upon millions of
>> types of traffic and data.  Then they are redistributed to the community
>> through the VRT subscription.
>>
>>
>>> I'm guessing I can't get a copy of this rule unless I wait 30+ days or
>>> start throwing cash at SourceFire?
>>>
>>
>> Correct.
>>
>>
>>>  I'm certainly not trying to insult you on a personal level but tell me
>>> how I can download the VRT rule for analysis?  Ya'll (SourceFire) spin this
>>> "community" stuff but honestly my back is hurting from these "community"
>>> friendly companies standing on my shoulders while rifling through my
>>> pockets.
>>>
>>
>> We aren't charging you for using Snort, I don't see how we are rifling
>> through your pockets?
>>
>>
>>
>>> IMHO the "VRT has this" was spam, likely that wasn't the intent, but all
>>> it did was advertise VRT and create questions around licensing conditions.
>>>
>>
>> Exactly why I said "FWIW" in the beginning of the rule.  As I said, there
>> are plenty of people that have the subscription on this list, and they can
>> benefit from the 29 bucks we charge for a single license.
>>
>>
>>
>>> Rather than pointing us to a snipe-hunt in a subscription-based licensed
>>> model I'd find more value in actual content :)
>>>
>>
>> Sorry you feel that way.  The license prohibits me from disclosing the
>> rule.  As I previously stated.
>>
>>
>>
>>>
>>> -evilghost
>>>
>>>
>>> Joel Esler wrote:
>>>
>>> SOME of the rules are written that way because of contractual agreements
>>> with Microsoft under the MAPP program.
>>> http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>>>
>>>  However, the vast majority of the VRT rules are open for everyone to
>>> read.
>>>
>>>  You may discuss the rules and make improvements upon the rules on
>>> Snort's lists, you may not, however, post or distribute the rule.
>>>
>>>  I suggest people A) Check out the License, because clearly there is
>>> misunderstanding and FUD being spread, and B) Check out the rules to clear
>>> up the FUD.  (They are closed, we can't download them, other misc lies.)
>>>
>>>  It's not about competition between "community" vs. "Sourcefire" as some
>>> people have tried to make it out to be.  I wish that would stop.  I
>>> discussed this at length in an earlier email.
>>>
>>>  That being said...  there are no negative content matches in the VRT
>>> rule.
>>>
>>>  J
>>>
>>>
>>>
>>> On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster <
>>> guise.mcallaster at gmail.com> wrote:
>>>
>>>> I thought the VRT rules are compiled so you can't see them in the clear
>>>> unless you reverse engineer it and reconstruct them.  Am I wrong?  If so,
>>>> can some one post it here?  Matt has a good point about comparing it -- the
>>>> more info we have the better.  Sharing and empowerment is what gives the
>>>> open source community the strength.  Unless, of course, you aren't open
>>>> source and then it is all about competitive advantage and money, greed, etc.
>>>>
>>>> Guise (a.k.a. G)
>>>>
>>>> On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com> wrote:
>>>>
>>>>> No, the license would prevent me from posting them.  Not from you
>>>>> seeing them.  I am sure plenty of people on this list have a VRT
>>>>> subscription.
>>>>>  No FUD spreading.
>>>>>
>>>>>  J
>>>>>
>>>>> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com>wrote:
>>>>>
>>>>>> :)
>>>>>>
>>>>>> The license would prevent us from doing so. Or even seeing them at
>>>>>> this
>>>>>> point.
>>>>>>
>>>>>> If you'd like to post it here so we can compare that'd be appreciated.
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> Joel Esler wrote:
>>>>>> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
>>>>>> >
>>>>>> > J
>>>>>> >
>>>>>> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
>>>>>>  > <mailto:jonkman at jonkmans.com>> wrote:
>>>>>> >
>>>>>> >     Committed, again all please test. Thanks Jax and Christopher!
>>>>>> >
>>>>>> >     Matt
>>>>>> >
>>>>>> >     Campesi, Christopher wrote:
>>>>>> >     >  I looked at the results of the sig and it hit way more than I
>>>>>> >     expected,
>>>>>> >     > sorry about that. I took what Jax replied with and used that
>>>>>> as
>>>>>> >     the only
>>>>>> >     > content match, that resulted in no FPs so far, like he said.
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>>>> (msg:"Windows7/Vista/2k8
>>>>>> >     > SMB2.0 DoS
>>>>>> Exploit";flow:to_server,established;content:"|ff|SMB|72
>>>>>> >     00 00
>>>>>> >     > 00 00 18 53 c8 00
>>>>>> >     >
>>>>>> >     26|";offset:4;classtype:attempted-dos;reference:url,
>>>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>>>>  >     <
>>>>>> http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     > -Chris
>>>>>> >     >
>>>>>> >     > *From:* emerging-sigs-bounces at emergingthreats.net
>>>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>>>> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>>>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf
>>>>>> Of
>>>>>>  >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>>>> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>>>>> >     > *To:* Matt Jonkman
>>>>>> >     > *Cc:* Emerging Threats Signatures
>>>>>> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>>  >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
>>>>>>  >     > var EXTERNAL_NET any
>>>>>> >     >
>>>>>> >     > RFC1918 -> RFC1918
>>>>>> >     >
>>>>>> >     > One of many examples, some including
>>>>>> >     >
>>>>>> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>>> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
>>>>>> (REQUEST)
>>>>>> >     >
>>>>>> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>>>>>> >      E....D at .........
>>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>>>>>> >      .`...m..."..l.8.
>>>>>> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>>>>>> >      P..y.w.......SMB
>>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>>>>>> >      %.........k.y;w.
>>>>>> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>>>>>> >      .s...x.....L...4
>>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>>> >      ................
>>>>>> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>>>>>> >      .T.4.T...&...E..
>>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>>> >      \.P.I.P.E.\.....
>>>>>> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>>>>>> >      ........4.......
>>>>>> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>>>>>> >      ............u.<.
>>>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>>>>>> >      C..H.S.V.$B.....
>>>>>> >     >         0x00b0:  007d 0000                                .}..
>>>>>> >     >
>>>>>> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>>> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
>>>>>> (REQUEST)
>>>>>> >     >
>>>>>> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>>>>>> >      E....G at .........
>>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>>>>>> >      .`...m..."..l.:(
>>>>>> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>>>>>> >      P....P.......SMB
>>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>>>>>> >      %.........0.....
>>>>>> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>>>>>> >      .....x....DM...,
>>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>>> >      ................
>>>>>> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>>>>>> >      .T.,.T...&...=..
>>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>>> >      \.P.I.P.E.\.....
>>>>>> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>>>>>> >      ........,.......
>>>>>> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>>>>>> >      ............u.<.
>>>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>>>>>>  C..H.S.V.$B.
>>>>>> >     >
>>>>>> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>>> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
>>>>>> (REQUEST)
>>>>>> >     >
>>>>>> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>>>>>> >      E....;@.........
>>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>>>>>> >      .`...m...".6l.5.
>>>>>> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>>>>>> >      P............SMB
>>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>>>>>> >      %..........R:x..
>>>>>> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>>>>>> >      F....x.....J...X
>>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>>> >      ................
>>>>>> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>>>>>> >      .T.X.T...&...i..
>>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>>> >      \.P.I.P.E.\.....
>>>>>> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>>>>>> >      ........X.......
>>>>>> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>>>>>> >      @.....,..(......
>>>>>> >     >         (*SNIPPED*)
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     > Matt Jonkman wrote:
>>>>>> >     >
>>>>>> >     > Internal to internal? Or external inbound?
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     > Matt
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>>>>  >     <mailto:evilghost at packetmail.net <mailto:
>>>>>> evilghost at packetmail.net>>
>>>>>> >     wrote:
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >     Falsing heavily here, as in, mapping the network.  I can
>>>>>> provide
>>>>>> >     >
>>>>>> >     >     specifics if necessary.
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >     Matt Jonkman wrote:
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >         Thanks Christopher, posted for testing. Please give
>>>>>> >     feedback. This is an
>>>>>> >     >
>>>>>> >     >         ugly problem...
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >         Matt
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >         Campesi, Christopher wrote:
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>>>> >     (msg:"Remote SMB2.0 DoS
>>>>>> >     >
>>>>>> >     >
>>>>>> >
>>>>>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>>>>> >     >
>>>>>> >     >
>>>>>> >     26|";distance:7;classtype:attempted-dos;reference:url,
>>>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>>>>  >     <
>>>>>> http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >             http://securityreason.com/exploitalert/7138
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >             -Chris
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >
>>>>>> ------------------------------------------------------------------------
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >             _______________________________________________
>>>>>> >     >
>>>>>> >     >             Emerging-sigs mailing list
>>>>>> >     >
>>>>>> >     >             Emerging-sigs at emergingthreats.net
>>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>>>> >     >
>>>>>> >     >
>>>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >     _______________________________________________
>>>>>> >     >
>>>>>> >     >     Emerging-sigs mailing list
>>>>>> >     >
>>>>>> >     >     Emerging-sigs at emergingthreats.net
>>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>>>>  >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>>>> >     >
>>>>>> >     >
>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >     >
>>>>>> >
>>>>>> >     --
>>>>>> >     --------------------------------------------
>>>>>> >     Matthew Jonkman
>>>>>> >     Emerging Threats
>>>>>> >     Open Information Security Foundation (OISF)
>>>>>> >     Phone 765-429-0398
>>>>>> >     Fax 312-264-0205
>>>>>> >     http://www.emergingthreats.net
>>>>>> >     http://www.openinformationsecurityfoundation.org
>>>>>> >     --------------------------------------------
>>>>>> >
>>>>>> >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>>> >
>>>>>> >
>>>>>> >     _______________________________________________
>>>>>> >     Emerging-sigs mailing list
>>>>>> >     Emerging-sigs at emergingthreats.net
>>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> ------------------------------------------------------------------------
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > Emerging-sigs mailing list
>>>>>> > Emerging-sigs at emergingthreats.net
>>>>>>  > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>
>>>>>> --
>>>>>> --------------------------------------------
>>>>>> Matthew Jonkman
>>>>>> Emerging Threats
>>>>>> Open Information Security Foundation (OISF)
>>>>>> Phone 765-429-0398
>>>>>> Fax 312-264-0205
>>>>>> http://www.emergingthreats.net
>>>>>> http://www.openinformationsecurityfoundation.org
>>>>>> --------------------------------------------
>>>>>>
>>>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at emergingthreats.net
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>>
>>>>
>>>  ------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/eeffffb7/attachment-0001.html

From eslerj at gmail.com  Tue Sep  8 21:27:46 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 21:27:46 -0400
Subject: [Emerging-Sigs] TCP/IP 0 window Dos sig attempt
In-Reply-To: <e75cc74a0909081803m1b2456acmdc57852708599488@mail.gmail.com>
References: <e75cc74a0909081803m1b2456acmdc57852708599488@mail.gmail.com>
Message-ID: <314cf0830909081827q2385e81bp12e7d8a7181751fd@mail.gmail.com>

Would your flow need to be to_server?  probably a "to_server,stateless;"
might be necessary here.
(Note:  I have not looked at the vulnerability)

J

On Tue, Sep 8, 2009 at 9:03 PM, Kevin Ross <kevross33 at googlemail.com> wrote:

> I am unsure of this sig big time for accuracy and false positives. However;
> I still thought I might have a go :) Anyhoo what I have here is a window
> size of 0 (not sure if flags are needed as I guess it could be anything)
> then a large number of them to a single destination (though I am unsure how
> many and how fast the connections can be made to exhaust connections).
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Possible TCP/IP
> Window Size Processing Denial of Service Vulnerability"; flow:to_client;
> window:0; threshold: type threshold, track by_src, count 100, seconds 60;
> clastype:attempted-dos; reference:url,
> tools.cisco.com/security/center/viewAlert.x?alertId=18799; reference:url,
> www.securityfocus.com/bid/31545/info; sid:18000001; rev:1;)
>
> Anyone know anymore or is this type of weakness in the TCP/IP Stack not
> good sig material?
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/c5d2cc7d/attachment.html

From eslerj at gmail.com  Tue Sep  8 21:28:45 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 21:28:45 -0400
Subject: [Emerging-Sigs] 4 SQL Injection Sigs,
	Can Someone Check My PCRE 	Though
In-Reply-To: <e75cc74a0909081644q19f2d514x50874d7303352b2e@mail.gmail.com>
References: <e75cc74a0908190235j7435e685q1d22ece1fd9bd50c@mail.gmail.com>
	<1252440237.55402.115.camel@localhost>
	<e75cc74a0909081644q19f2d514x50874d7303352b2e@mail.gmail.com>
Message-ID: <314cf0830909081828y19aa9ee4wff4f90d070b0e021@mail.gmail.com>

Can you use a \b in your pcre?
Do you have a pcap to match the rules against?

J

On Tue, Sep 8, 2009 at 7:44 PM, Kevin Ross <kevross33 at googlemail.com> wrote:

> Hmmm perhaps a space can go in, I thought %20 was a space in the URI
> though? How often does it false positive? What are other's experiences? I
> haven't had an FPs with this sig personally at home and at work with 20,000
> users but we don't have any publicly accessible web servers.
>
> Kev
>
> 2009/9/8 Frank Knobbe <frank at knobbe.us>
>
> On Wed, 2009-08-19 at 10:35 +0100, Kevin Ross wrote:
>> > Hey. I have written these 4 sigs to catch SQL Injections in Cookies.
>> > Can someone please read over it. I also decided to stick a PCRE check
>> > also once the content matches were done for accuracy.
>>
>> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB -
>> > Possible SELECT FROM SQL Injection In Cookie";
>> > flow:to_server,established; content:"Cookie|3A|"; nocase;
>> > content:"SELECT"; nocase; content:"FROM"; nocase;
>> > pcre:"/SELECT.+FROM/i"; classtype:web-application-attack;
>>
>> These are falsing on simple things like:
>>
>> Cookie: SelectedEdition=www; s_sess=[blah]http%
>> 2525253A//
>> screeningroom.blogs.cnn.com/2009/09/08/postcard-from-venice-clooney-loony-strik
>> es/[blah]<http://screeningroom.blogs.cnn.com/2009/09/08/postcard-from-venice-clooney-loony-strik%0Aes/%5Bblah%5D>
>>
>> Would it be possible to change the "SELECT" to "SELECT " or "SELECT%20"?
>> I don't think a space is valid in there, so I assume the cookie would
>> contain "SELECT%20". Do you have an actual attack you can compare this
>> to?
>>
>> Thanks,
>> Frank
>>
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/d369256f/attachment.html

From frank at knobbe.us  Tue Sep  8 21:46:40 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 08 Sep 2009 20:46:40 -0500
Subject: [Emerging-Sigs] TCP/IP 0 window Dos sig attempt
In-Reply-To: <e75cc74a0909081803m1b2456acmdc57852708599488@mail.gmail.com>
References: <e75cc74a0909081803m1b2456acmdc57852708599488@mail.gmail.com>
Message-ID: <1252460800.55402.219.camel@localhost>

On Wed, 2009-09-09 at 02:03 +0100, Kevin Ross wrote:
> I am unsure of this sig big time for accuracy and false positives.
> However; I still thought I might have a go :) Anyhoo what I have here
> is a window size of 0 (not sure if flags are needed as I guess it
> could be anything) then a large number of them to a single destination
> (though I am unsure how many and how fast the connections can be made
> to exhaust connections).


We tried something like this a year ago when the vulnerability was first
made public. As I recall, it didn't work. But I don't remember if there
was a threshold on it. Why don't you test it for a bit and see how many
FPs you get? :)

-Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/7160e9f1/attachment.bin

From frank at knobbe.us  Tue Sep  8 21:50:04 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 08 Sep 2009 20:50:04 -0500
Subject: [Emerging-Sigs] 4 SQL Injection Sigs,
 Can Someone Check My PCRE Though
In-Reply-To: <e75cc74a0909081644q19f2d514x50874d7303352b2e@mail.gmail.com>
References: <e75cc74a0908190235j7435e685q1d22ece1fd9bd50c@mail.gmail.com>
	<1252440237.55402.115.camel@localhost>
	<e75cc74a0909081644q19f2d514x50874d7303352b2e@mail.gmail.com>
Message-ID: <1252461004.55402.222.camel@localhost>

On Wed, 2009-09-09 at 00:44 +0100, Kevin Ross wrote:
> Hmmm perhaps a space can go in, I thought %20 was a space in the URI
> though? How often does it false positive? What are other's
> experiences? I haven't had an FPs with this sig personally at home and
> at work with 20,000 users but we don't have any publicly accessible
> web servers. 

It seems that you are running the emerging-web.rules only against your
web servers then. How are you detecting when a compromised workstation
does a setup.php scan to the Internet? Try running the web rules
outbound for a change, and you'll see the FP's quickly :)

And yes, I believe htmlentities is normal for cookies, not just URLs in
GET|POST|HEAD|etc. 

Regards,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/4ecb11de/attachment.bin

From jim.mcquaid at gmail.com  Tue Sep  8 21:54:53 2009
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Tue, 8 Sep 2009 21:54:53 -0400
Subject: [Emerging-Sigs] Bela Lugosi is dead
Message-ID: <fe7b01530909081854t78d0dc06m17cd2a800f94c791@mail.gmail.com>

Let us not propose any new licensing models.  It is clear that the
Emerging rules have eclipsed those prepared by Sourcefire; this issue
has been decided and the commercial interests have lost.

The enemy is the malware industry.

James


> Message: 2
> Date: Wed, 9 Sep 2009 01:09:45 +0000
> From: Guise McAllaster <guise.mcallaster at gmail.com>
> Subject: Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
> To: Joel Esler <eslerj at gmail.com>
> Cc: Emerging Threats Signatures <emerging-sigs at emergingthreats.net>
> Message-ID:
> ? ? ? ?<ab3c24b60909081809w32b0987eu7b003bba4a06ee42 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Very enlightening, indeed. ?Now I would like to propose an "ET License" that
> is pretty much exactly like a GPL license except that the contents that it
> protects cannot in any way, ever be used by Sourcefire/VRT (for example, to
> make money). ?Of course the real open source community can benefit all she
> wants, especially since it will share the fruits of its labor with others
> and recognize that its product is not simply a product of itself but a
> result of positive collaboration and freedom (as in open source).
>
> Matt, can we institute an ET License so the SF/VRT leeches can't legally
> make money off the hard work of caring and sharing people?
>
> It seems like all this, "VRT just put one out if you want to look at it"
> talk is really is snake oil b/c there really isn't a way to "look at it"
> (and even if you are a VRT subscriber, can you see the plaintext (i.e.
> uncompiled) rule?).
>
> Please post it J, since you have already announced its existence and
> implored us to check it out.
>
> *G*
>

-- 
James McQuaid
http://www.jamesmcquaid.com

From evilghost at packetmail.net  Tue Sep  8 22:01:55 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 8 Sep 2009 21:01:55 -0500
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081802h19bb2a0jcb51d5a2d83b686b@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA6A04F.8060607@packetmail.net>	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>	<4AA6A7C3.5060206@jonkmans.com>	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>	<4AA6C760.2060200@jonkmans.com>	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>	<613F6F31-F3B6-4A0A-A5A9-6337960C9786@gmail.com>
	<314cf0830909081802h19bb2a0jcb51d5a2d83b686b@mail.gmail.com>
Message-ID: <4AA70C93.3060601@packetmail.net>

In summary, the VRT license prevents the community from doing anything 
worthwhile with it.  In the context of the ET list, there is no value 
added by VRT having coverage for this issue, the respective announcement 
of this coverage, or analysis of this VRT rule by ET participants with 
access to the VRT ruleset.  Joel, were you inadvertently trying to set 
us up for failure?

IMHO the License agreement is very open-source community friendly.  I 
saw something similar to it once in the form of an prominent OS EULA 
before it was blown away with a GNU/Linux installation.

/1.5. "Modifications" or "Modified" means any alteration, addition to or 
deletion from the substance or structure of the VRT Certified Rules or 
any Modifications of such, including, without limitation, (a) any 
addition to or deletion to the contents of a file containing a VRT 
Certified Rule or a Modification; *(b) any derivative of the VRT 
Certified Rule or of any Modified VRT Certified Rule; or (c) any new 
file that contains any part of the VRT Certified Rule or Modified VRT 
Certified Rule*/

/Licensee agrees that he, she or it *shall* *NOT do any of the following 
without Sourcefire's prior written consent:* (a) Download, use, install, 
deploy, perform, *modify,* license, display, reproduce, distribute or 
*disclose the Rules or Modifications* thereto (even if merged with other 
materials as a Compilation) other than as allowed under a Subscriber 
Permitted Use or a Registered User Permitted Use; (b) sell, license, 
transfer, rent, loan, download, use, install, deploy, perform, modify, 
reproduce, distribute or disclose the Rules or any Modifications thereto 
(in whole or in part and whether done independently or as part of a 
Compilation) for a Commercial Purpose; (c) *post or make generally 
available any Rule or any Modifications thereto (in whole or in part) to 
individuals or a group of individuals who have not agreed to the terms 
and conditions of this Agreement*...

3. Modifications; Derivative Works. *In the event a Licensee creates a 
Modification, the use, reproduction and distribution of such 
Modifications shall be governed by the terms and conditions of this 
Agreement*. A*dditionally, each Licensee hereby grants Sourcefire and 
any other Licensee of the Rules an irrevocable, perpetual, fully 
paid-up, world-wide, royalty-free, non-exclusive license to download, 
use, reproduce, modify, display, perform and distribute such 
Modifications (and the source code thereto), provided, however, that a 
Licensee and any recipient of such Modifications* must include: (a) the 
original copyright notice and all other applicable proprietary legends; 
(b) the original warranty disclaimer; (c) the original notices 
referencing this Agreement and absence of warranties; and (d) a 
prominent notice stating that the Licensee changed the Rule (or any 
Modification thereto) and the date of any change./


Joel Esler wrote:
> On Tue, Sep 8, 2009 at 7:51 PM, Daniel Shepherd 
> <shepdelacreme at gmail.com <mailto:shepdelacreme at gmail.com>> wrote:
>
>     Joel,
>
>     I need some clarification on a few points of the VRT license. You
>     yourself say that "You may discuss the rules and make improvements
>     upon the rules on Snort's lists, you may not, however, post or
>     distribute the rule."
>
>
> I paraphrased.  You'll need to read the license.
> http://www.snort.org/vrt/rules/vrt_license
>
>  
>
>     So from that line we can't discuss the rule on this list since it
>     is not a snort list. Also we cannot distribute or post the
>     rule...so wouldn't that mean that if we look at the rule and make
>     improvements to the ET rule we cannot then post that rule to this
>     list, and ET would not be able to distribute it as part of their
>     rule set because it incorporated ideas from the VRT rule?
>
>
> If you make improvements to the ET rule, you make improvements to the 
> ET rule.  This rule is separate from the VRT.
>
>  
>
>     Not trying to spread FUD just trying to get an idea of how
>     permissive/non-permissive the license is. 
>
>
> Please read the license.
>  
>
>     And lastly I'd like to point out that some of the rules are
>     written as GID:3 rules which essentially makes them closed source,
>     even if they aren't restricted by a contractual agreement. For
>     instance the Conficker rules are GID:3 and the recent BIND DoS
>     rule is GID:3
>
>
> Some rules are written as GID that are non-ms for a reason as well.  A 
> GID 3 rule (Shared Object) is a rule written in the C language, not in 
> Snort rules language.  Because they are written in C they allow the 
> VRT to do extremely complicated things inside of a rule that are not 
> possible in GID:1 rules.  For example, the Conficker rule.  There is 
> some very advanced Floating Point math in that rule.  That type of 
> thing sure can't be done in a GID:1.
>
>  
>
>     My issue with the way SF operates sometimes is that they
>     specifically market themselves as Open Source, when really they
>     are the "most" open of the big IDS engines/rules. I.E. ISS is
>     completely closed so yeah you are more open than them. It seems to
>     me if SF/VRT wanted to truly be open source and community friendly
>     they would release every signature as open source, save for the
>     ones under a contractual agreement (i.e. MS rules). If VRT doesn't
>     want to give their work away then that is also fine, I don't lean
>     one way or another but when you are marketing yourselves as open
>     source then you need to live up to that claim.
>
>
> Some rules can't be done in the normal way, like Confiker, like 
> Trufflehunter, etc.  That's why the SO rule language was developed. 
>  Anyone can write an SO rule, just read the documentation and examples 
> that outline its structure in the Snort manual.  Sourcefire is a 
> complicated company.  Our engine is open source.  Most of our rules 
> are open and readable, but you can't resell them or make them 
> available to anyone else.  The VRT license was created just before I 
> came to Sourcefire, but from what I understand, the license was 
> created because several companies were taking the rules, stripping our 
> copyright out of them and selling them.
>  
>
>     If I'm wrong about those GID3 rules and the source is available
>     somewhere then I apologize but I've never been able to get the source.
>
>
> Some of the GID3 rules source is available, but I am not exactly sure 
> which ones, as I haven't looked in a long time (pulledpork manages my 
> rules for me, saves me all kinds of time in dealing with shared object 
> rules, as it handles all the shared object rules automatically)
>
>  
>
>
>     Dan
>
>     On Sep 8, 2009, at 7:13 PM, Joel Esler wrote:
>
>>     SOME of the rules are written that way because of contractual
>>     agreements with Microsoft under the MAPP program. 
>>     http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>>
>>     However, the vast majority of the VRT rules are open for everyone
>>     to read.
>>
>>     You may discuss the rules and make improvements upon the rules on
>>     Snort's lists, you may not, however, post or distribute the rule.
>>
>>     I suggest people A) Check out the License, because clearly there
>>     is misunderstanding and FUD being spread, and B) Check out the
>>     rules to clear up the FUD.  (They are closed, we can't download
>>     them, other misc lies.)
>>
>>     It's not about competition between "community" vs. "Sourcefire"
>>     as some people have tried to make it out to be.  I wish that
>>     would stop.  I discussed this at length in an earlier email.
>>
>>     That being said...  there are no negative content matches in the
>>     VRT rule.
>>
>>     J
>>
>>
>>
>>     On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster
>>     <guise.mcallaster at gmail.com <mailto:guise.mcallaster at gmail.com>>
>>     wrote:
>>
>>         I thought the VRT rules are compiled so you can't see them in
>>         the clear unless you reverse engineer it and reconstruct
>>         them.  Am I wrong?  If so, can some one post it here?  Matt
>>         has a good point about comparing it -- the more info we have
>>         the better.  Sharing and empowerment is what gives the open
>>         source community the strength.  Unless, of course, you aren't
>>         open source and then it is all about competitive advantage
>>         and money, greed, etc.
>>
>>         Guise (a.k.a. G)
>>
>>
>>         On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com
>>         <mailto:eslerj at gmail.com>> wrote:
>>
>>             No, the license would prevent me from posting them.  Not
>>             from you seeing them.  I am sure plenty of people on this
>>             list have a VRT subscription.
>>
>>             No FUD spreading.
>>
>>             J
>>
>>
>>             On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman
>>             <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>> wrote:
>>
>>                 :)
>>
>>                 The license would prevent us from doing so. Or even
>>                 seeing them at this
>>                 point.
>>
>>                 If you'd like to post it here so we can compare
>>                 that'd be appreciated.
>>
>>                 Matt
>>
>>                 Joel Esler wrote:
>>                 > FWIW, VRT just put one out if you want to look at
>>                 it.  It's Gid:1.
>>                 >
>>                 > J
>>                 >
>>                 > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman
>>                 <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>
>>                 > <mailto:jonkman at jonkmans.com
>>                 <mailto:jonkman at jonkmans.com>>> wrote:
>>                 >
>>                 >     Committed, again all please test. Thanks Jax
>>                 and Christopher!
>>                 >
>>                 >     Matt
>>                 >
>>                 >     Campesi, Christopher wrote:
>>                 >     >  I looked at the results of the sig and it
>>                 hit way more than I
>>                 >     expected,
>>                 >     > sorry about that. I took what Jax replied
>>                 with and used that as
>>                 >     the only
>>                 >     > content match, that resulted in no FPs so
>>                 far, like he said.
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>                 (msg:"Windows7/Vista/2k8
>>                 >     > SMB2.0 DoS
>>                 Exploit";flow:to_server,established;content:"|ff|SMB|72
>>                 >     00 00
>>                 >     > 00 00 18 53 c8 00
>>                 >     >
>>                 >    
>>                 26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>                 <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>>                 >    
>>                 <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     > -Chris
>>                 >     >
>>                 >     > *From:*
>>                 emerging-sigs-bounces at emergingthreats.net
>>                 <mailto:emerging-sigs-bounces at emergingthreats.net>
>>                 >    
>>                 <mailto:emerging-sigs-bounces at emergingthreats.net
>>                 <mailto:emerging-sigs-bounces at emergingthreats.net>>
>>                 >     >
>>                 [mailto:emerging-sigs-bounces at emergingthreats.net
>>                 <mailto:emerging-sigs-bounces at emergingthreats.net>
>>                 >    
>>                 <mailto:emerging-sigs-bounces at emergingthreats.net
>>                 <mailto:emerging-sigs-bounces at emergingthreats.net>>]
>>                 *On Behalf Of
>>                 >     > *evilghost at packetmail.net
>>                 <mailto:evilghost at packetmail.net>
>>                 <mailto:evilghost at packetmail.net
>>                 <mailto:evilghost at packetmail.net>>
>>                 >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>                 >     > *To:* Matt Jonkman
>>                 >     > *Cc:* Emerging Threats Signatures
>>                 >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0
>>                 DoS Exploit
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>
>>                 <http://10.0.0.0/8>]
>>                 >     > var EXTERNAL_NET any
>>                 >     >
>>                 >     > RFC1918 -> RFC1918
>>                 >     >
>>                 >     > One of many examples, some including
>>                 >     >
>>                 >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>>                 10.96.aa.bb.microsoft-ds: Flags
>>                 >     > [P.], ack 361669, win 65145, length 140SMB
>>                 PACKET: SMBtrans (REQUEST)
>>                 >     >
>>                 >     >         0x0000:  4500 00b4 0a44 4000 7f06
>>                 05a4 0ad7 cc08
>>                 >      E....D at .........
>>                 >     >         0x0010:  0a60 0a1d 106d 01bd e822
>>                 e07f 6c12 38b1
>>                 >      .`...m..."..l.8.
>>                 >     >         0x0020:  5018 fe79 ea77 0000 0000
>>                 0088 ff53 4d42
>>                 >      P..y.w.......SMB
>>                 >     >         0x0030:  2500 0000 0018 07c8 0000
>>                 6bd5 793b 77d3
>>                 >      %.........k.y;w.
>>                 >     >         0x0040:  cf73 0000 0178 f80c 02e0
>>                 834c 1000 0034
>>                 >      .s...x.....L...4
>>                 >     >         0x0050:  0000 0000 0400 0000 0000
>>                 0000 0000 0000
>>                 >      ................
>>                 >     >         0x0060:  0054 0034 0054 0002 0026
>>                 000e c045 0000
>>                 >      .T.4.T...&...E..
>>                 >     >         0x0070:  5c00 5000 4900 5000 4500
>>                 5c00 0000 0000
>>                 >      \.P.I.P.E.\.....
>>                 >     >         0x0080:  0500 0003 1000 0000 3400
>>                 0000 0f00 0000
>>                 >      ........4.......
>>                 >     >         0x0090:  1c00 0000 0000 0d00 0000
>>                 0000 7599 3ccc
>>                 >      ............u.<.
>>                 >     >         0x00a0:  43cd 9348 af53 9c56 e124
>>                 4201 ffff ffff
>>                 >      C..H.S.V.$B.....
>>                 >     >         0x00b0:  007d 0000                  
>>                              .}..
>>                 >     >
>>                 >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>>                 10.96.aa.bb.microsoft-ds: Flags
>>                 >     > [P.], ack 362044, win 64770, length 132SMB
>>                 PACKET: SMBtrans (REQUEST)
>>                 >     >
>>                 >     >         0x0000:  4500 00ac 0a47 4000 7f06
>>                 05a9 0ad7 cc08
>>                 >      E....G at .........
>>                 >     >         0x0010:  0a60 0a1d 106d 01bd e822
>>                 e1c2 6c12 3a28
>>                 >      .`...m..."..l.:(
>>                 >     >         0x0020:  5018 fd02 0650 0000 0000
>>                 0080 ff53 4d42
>>                 >      P....P.......SMB
>>                 >     >         0x0030:  2500 0000 0018 07c8 0000
>>                 300c 85e5 0f16
>>                 >      %.........0.....
>>                 >     >         0x0040:  a5e5 0000 0178 f80c 02e0
>>                 444d 1000 002c
>>                 >      .....x....DM...,
>>                 >     >         0x0050:  0000 0000 0400 0000 0000
>>                 0000 0000 0000
>>                 >      ................
>>                 >     >         0x0060:  0054 002c 0054 0002 0026
>>                 0002 c03d 0000
>>                 >      .T.,.T...&...=..
>>                 >     >         0x0070:  5c00 5000 4900 5000 4500
>>                 5c00 0000 0000
>>                 >      \.P.I.P.E.\.....
>>                 >     >         0x0080:  0500 0003 1000 0000 2c00
>>                 0000 1000 0000
>>                 >      ........,.......
>>                 >     >         0x0090:  1400 0000 0000 0000 0000
>>                 0000 7599 3ccc
>>                 >      ............u.<.
>>                 >     >         0x00a0:  43cd 9348 af53 9c56 e124
>>                 4201            C..H.S.V.$B.
>>                 >     >
>>                 >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>>                 10.96.aa.bb.microsoft-ds: Flags
>>                 >     > [P.], ack 360908, win 64520, length 176SMB
>>                 PACKET: SMBtrans (REQUEST)
>>                 >     >
>>                 >     >         0x0000:  4500 00d8 0a3b 4000 7f06
>>                 0589 0ad7 cc08
>>                 >      E....;@.........
>>                 >     >         0x0010:  0a60 0a1d 106d 01bd e822
>>                 dd36 6c12 35b8
>>                 >      .`...m...".6l.5.
>>                 >     >         0x0020:  5018 fc08 877f 0000 0000
>>                 00ac ff53 4d42
>>                 >      P............SMB
>>                 >     >         0x0030:  2500 0000 0018 07c8 0000
>>                 9f52 3a78 b920
>>                 >      %..........R:x..
>>                 >     >         0x0040:  4608 0000 0178 f80c 02e0
>>                 834a 1000 0058
>>                 >      F....x.....J...X
>>                 >     >         0x0050:  0000 0000 0400 0000 0000
>>                 0000 0000 0000
>>                 >      ................
>>                 >     >         0x0060:  0054 0058 0054 0002 0026
>>                 0009 c069 0000
>>                 >      .T.X.T...&...i..
>>                 >     >         0x0070:  5c00 5000 4900 5000 4500
>>                 5c00 0000 0000
>>                 >      \.P.I.P.E.\.....
>>                 >     >         0x0080:  0500 0003 1000 0000 5800
>>                 0000 0700 0000
>>                 >      ........X.......
>>                 >     >         0x0090:  4000 0000 0000 2c00 b028
>>                 0d00 0a00 0000
>>                 >      @.....,..(......
>>                 >     >         (*SNIPPED*)
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     > Matt Jonkman wrote:
>>                 >     >
>>                 >     > Internal to internal? Or external inbound?
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     > Matt
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     > evilghost at packetmail.net
>>                 <mailto:evilghost at packetmail.net>
>>                 <mailto:evilghost at packetmail.net
>>                 <mailto:evilghost at packetmail.net>>
>>                 >     <mailto:evilghost at packetmail.net
>>                 <mailto:evilghost at packetmail.net>
>>                 <mailto:evilghost at packetmail.net
>>                 <mailto:evilghost at packetmail.net>>>
>>                 >     wrote:
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >     Falsing heavily here, as in, mapping the
>>                 network.  I can provide
>>                 >     >
>>                 >     >     specifics if necessary.
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >     Matt Jonkman wrote:
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >         Thanks Christopher, posted for
>>                 testing. Please give
>>                 >     feedback. This is an
>>                 >     >
>>                 >     >         ugly problem...
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >         Matt
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >         Campesi, Christopher wrote:
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >             alert tcp $EXTERNAL_NET any ->
>>                 $HOME_NET 445
>>                 >     (msg:"Remote SMB2.0 DoS
>>                 >     >
>>                 >     >
>>                 >    
>>                 Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>                 >     >
>>                 >     >
>>                 >    
>>                 26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>                 <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>>                 >    
>>                 <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >            
>>                 http://securityreason.com/exploitalert/7138
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >             -Chris
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >    
>>                 ------------------------------------------------------------------------
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >            
>>                 _______________________________________________
>>                 >     >
>>                 >     >             Emerging-sigs mailing list
>>                 >     >
>>                 >     >             Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>
>>                 >     <mailto:Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>>
>>                 >     <mailto:Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>
>>                 >     <mailto:Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>>>
>>                 >     >
>>                 >     >
>>                 >    
>>                 http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >    
>>                 _______________________________________________
>>                 >     >
>>                 >     >     Emerging-sigs mailing list
>>                 >     >
>>                 >     >     Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>
>>                 >     <mailto:Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>>
>>                 >     <mailto:Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>
>>                 >     <mailto:Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>>>
>>                 >     >
>>                 >     >    
>>                 http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >     >
>>                 >
>>                 >     --
>>                 >     --------------------------------------------
>>                 >     Matthew Jonkman
>>                 >     Emerging Threats
>>                 >     Open Information Security Foundation (OISF)
>>                 >     Phone 765-429-0398
>>                 >     Fax 312-264-0205
>>                 >     http://www.emergingthreats.net
>>                 <http://www.emergingthreats.net/>
>>                 >    
>>                 http://www.openinformationsecurityfoundation.org
>>                 <http://www.openinformationsecurityfoundation.org/>
>>                 >     --------------------------------------------
>>                 >
>>                 >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>                 >
>>                 >
>>                 >     _______________________________________________
>>                 >     Emerging-sigs mailing list
>>                 >     Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>
>>                 >     <mailto:Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>>
>>                 >    
>>                 http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>                 >
>>                 >
>>                 >
>>                 >
>>                 ------------------------------------------------------------------------
>>                 >
>>                 > _______________________________________________
>>                 > Emerging-sigs mailing list
>>                 > Emerging-sigs at emergingthreats.net
>>                 <mailto:Emerging-sigs at emergingthreats.net>
>>                 >
>>                 http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>                 --
>>                 --------------------------------------------
>>                 Matthew Jonkman
>>                 Emerging Threats
>>                 Open Information Security Foundation (OISF)
>>                 Phone 765-429-0398
>>                 Fax 312-264-0205
>>                 http://www.emergingthreats.net
>>                 <http://www.emergingthreats.net/>
>>                 http://www.openinformationsecurityfoundation.org
>>                 <http://www.openinformationsecurityfoundation.org/>
>>                 --------------------------------------------
>>
>>                 PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>>
>>             _______________________________________________
>>             Emerging-sigs mailing list
>>             Emerging-sigs at emergingthreats.net
>>             <mailto:Emerging-sigs at emergingthreats.net>
>>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>>
>>     _______________________________________________
>>     Emerging-sigs mailing list
>>     Emerging-sigs at emergingthreats.net
>>     <mailto:Emerging-sigs at emergingthreats.net>
>>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/95e24e90/attachment-0001.html

From eslerj at gmail.com  Tue Sep  8 22:08:35 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 8 Sep 2009 22:08:35 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA70C93.3060601@packetmail.net>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
	<613F6F31-F3B6-4A0A-A5A9-6337960C9786@gmail.com>
	<314cf0830909081802h19bb2a0jcb51d5a2d83b686b@mail.gmail.com>
	<4AA70C93.3060601@packetmail.net>
Message-ID: <314cf0830909081908s744fe0dah70ac94a668125a00@mail.gmail.com>

Evilghost,
I am sorry you feel this way about my comments.  Obviously anyone that has
worked with me in the past knows I am trying to help by protecting your
networks in the best way I can.

No, I was not trying to set you up for failure.  My email, *FWIW* was a FYI
to the people on the list who I KNOW are subscribers.  If one chooses to
subscribe, it is up to them.  I definitely get no kickback if you do.

The license is there to protect Sourcefire's IP from theft.

J

On Tue, Sep 8, 2009 at 10:01 PM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

>  In summary, the VRT license prevents the community from doing anything
> worthwhile with it.  In the context of the ET list, there is no value added
> by VRT having coverage for this issue, the respective announcement of this
> coverage, or analysis of this VRT rule by ET participants with access to the
> VRT ruleset.  Joel, were you inadvertently trying to set us up for failure?
>
> IMHO the License agreement is very open-source community friendly.  I saw
> something similar to it once in the form of an prominent OS EULA before it
> was blown away with a GNU/Linux installation.
>
> *1.5. "Modifications" or "Modified" means any alteration, addition to or
> deletion from the substance or structure of the VRT Certified Rules or any
> Modifications of such, including, without limitation, (a) any addition to or
> deletion to the contents of a file containing a VRT Certified Rule or a
> Modification; (b) any derivative of the VRT Certified Rule or of any
> Modified VRT Certified Rule; or (c) any new file that contains any part of
> the VRT Certified Rule or Modified VRT Certified Rule*
>
> *Licensee agrees that he, she or it shall NOT do any of the following
> without Sourcefire's prior written consent: (a) Download, use, install,
> deploy, perform, modify, license, display, reproduce, distribute or disclose
> the Rules or Modifications thereto (even if merged with other materials as
> a Compilation) other than as allowed under a Subscriber Permitted Use or a
> Registered User Permitted Use; (b) sell, license, transfer, rent, loan,
> download, use, install, deploy, perform, modify, reproduce, distribute or
> disclose the Rules or any Modifications thereto (in whole or in part and
> whether done independently or as part of a Compilation) for a Commercial
> Purpose; (c) post or make generally available any Rule or any
> Modifications thereto (in whole or in part) to individuals or a group of
> individuals who have not agreed to the terms and conditions of this
> Agreement...
>
> 3. Modifications; Derivative Works. In the event a Licensee creates a
> Modification, the use, reproduction and distribution of such Modifications
> shall be governed by the terms and conditions of this Agreement. Additionally,
> each Licensee hereby grants Sourcefire and any other Licensee of the Rules
> an irrevocable, perpetual, fully paid-up, world-wide, royalty-free,
> non-exclusive license to download, use, reproduce, modify, display, perform
> and distribute such Modifications (and the source code thereto), provided,
> however, that a Licensee and any recipient of such Modifications must
> include: (a) the original copyright notice and all other applicable
> proprietary legends; (b) the original warranty disclaimer; (c) the original
> notices referencing this Agreement and absence of warranties; and (d) a
> prominent notice stating that the Licensee changed the Rule (or any
> Modification thereto) and the date of any change.*
>
>
> Joel Esler wrote:
>
> On Tue, Sep 8, 2009 at 7:51 PM, Daniel Shepherd <shepdelacreme at gmail.com>wrote:
>
>> Joel,
>>  I need some clarification on a few points of the VRT license. You
>> yourself say that "You may discuss the rules and make improvements upon the
>> rules on Snort's lists, you may not, however, post or distribute the rule."
>>
>
>  I paraphrased.  You'll need to read the license.
> http://www.snort.org/vrt/rules/vrt_license
>
>
>
>>  So from that line we can't discuss the rule on this list since it is not
>> a snort list. Also we cannot distribute or post the rule...so wouldn't that
>> mean that if we look at the rule and make improvements to the ET rule we
>> cannot then post that rule to this list, and ET would not be able to
>> distribute it as part of their rule set because it incorporated ideas from
>> the VRT rule?
>>
>
>  If you make improvements to the ET rule, you make improvements to the ET
> rule.  This rule is separate from the VRT.
>
>
>
>>  Not trying to spread FUD just trying to get an idea of how
>> permissive/non-permissive the license is.
>>
>
>  Please read the license.
>
>
>>  And lastly I'd like to point out that some of the rules are written as
>> GID:3 rules which essentially makes them closed source, even if they aren't
>> restricted by a contractual agreement. For instance the Conficker rules are
>> GID:3 and the recent BIND DoS rule is GID:3
>>
>
>  Some rules are written as GID that are non-ms for a reason as well.  A
> GID 3 rule (Shared Object) is a rule written in the C language, not in Snort
> rules language.  Because they are written in C they allow the VRT to do
> extremely complicated things inside of a rule that are not possible in GID:1
> rules.  For example, the Conficker rule.  There is some very advanced
> Floating Point math in that rule.  That type of thing sure can't be done in
> a GID:1.
>
>
>
>>  My issue with the way SF operates sometimes is that they specifically
>> market themselves as Open Source, when really they are the "most" open of
>> the big IDS engines/rules. I.E. ISS is completely closed so yeah you are
>> more open than them. It seems to me if SF/VRT wanted to truly be open source
>> and community friendly they would release every signature as open source,
>> save for the ones under a contractual agreement (i.e. MS rules). If VRT
>> doesn't want to give their work away then that is also fine, I don't lean
>> one way or another but when you are marketing yourselves as open source then
>> you need to live up to that claim.
>>
>
>  Some rules can't be done in the normal way, like Confiker, like
> Trufflehunter, etc.  That's why the SO rule language was developed.  Anyone
> can write an SO rule, just read the documentation and examples that outline
> its structure in the Snort manual.  Sourcefire is a complicated company.
>  Our engine is open source.  Most of our rules are open and readable, but
> you can't resell them or make them available to anyone else.  The VRT
> license was created just before I came to Sourcefire, but from what I
> understand, the license was created because several companies were taking
> the rules, stripping our copyright out of them and selling them.
>
>
>>  If I'm wrong about those GID3 rules and the source is available
>> somewhere then I apologize but I've never been able to get the source.
>>
>
>  Some of the GID3 rules source is available, but I am not exactly sure
> which ones, as I haven't looked in a long time (pulledpork manages my rules
> for me, saves me all kinds of time in dealing with shared object rules, as
> it handles all the shared object rules automatically)
>
>
>
>>
>>  Dan
>>
>>  On Sep 8, 2009, at 7:13 PM, Joel Esler wrote:
>>
>> SOME of the rules are written that way because of contractual agreements
>> with Microsoft under the MAPP program.
>> http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>>
>>  However, the vast majority of the VRT rules are open for everyone to
>> read.
>>
>>  You may discuss the rules and make improvements upon the rules on
>> Snort's lists, you may not, however, post or distribute the rule.
>>
>>  I suggest people A) Check out the License, because clearly there is
>> misunderstanding and FUD being spread, and B) Check out the rules to clear
>> up the FUD.  (They are closed, we can't download them, other misc lies.)
>>
>>  It's not about competition between "community" vs. "Sourcefire" as some
>> people have tried to make it out to be.  I wish that would stop.  I
>> discussed this at length in an earlier email.
>>
>>  That being said...  there are no negative content matches in the VRT
>> rule.
>>
>>  J
>>
>>
>>
>> On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster <
>> guise.mcallaster at gmail.com> wrote:
>>
>>> I thought the VRT rules are compiled so you can't see them in the clear
>>> unless you reverse engineer it and reconstruct them.  Am I wrong?  If so,
>>> can some one post it here?  Matt has a good point about comparing it -- the
>>> more info we have the better.  Sharing and empowerment is what gives the
>>> open source community the strength.  Unless, of course, you aren't open
>>> source and then it is all about competitive advantage and money, greed, etc.
>>>
>>> Guise (a.k.a. G)
>>>
>>> On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler <eslerj at gmail.com> wrote:
>>>
>>>> No, the license would prevent me from posting them.  Not from you seeing
>>>> them.  I am sure plenty of people on this list have a VRT subscription.
>>>>  No FUD spreading.
>>>>
>>>>  J
>>>>
>>>> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com>wrote:
>>>>
>>>>> :)
>>>>>
>>>>> The license would prevent us from doing so. Or even seeing them at this
>>>>> point.
>>>>>
>>>>> If you'd like to post it here so we can compare that'd be appreciated.
>>>>>
>>>>> Matt
>>>>>
>>>>> Joel Esler wrote:
>>>>> > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
>>>>> >
>>>>> > J
>>>>> >
>>>>> > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
>>>>>  > <mailto:jonkman at jonkmans.com>> wrote:
>>>>> >
>>>>> >     Committed, again all please test. Thanks Jax and Christopher!
>>>>> >
>>>>> >     Matt
>>>>> >
>>>>> >     Campesi, Christopher wrote:
>>>>> >     >  I looked at the results of the sig and it hit way more than I
>>>>> >     expected,
>>>>> >     > sorry about that. I took what Jax replied with and used that as
>>>>> >     the only
>>>>> >     > content match, that resulted in no FPs so far, like he said.
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>>> (msg:"Windows7/Vista/2k8
>>>>> >     > SMB2.0 DoS
>>>>> Exploit";flow:to_server,established;content:"|ff|SMB|72
>>>>> >     00 00
>>>>> >     > 00 00 18 53 c8 00
>>>>> >     >
>>>>> >     26|";offset:4;classtype:attempted-dos;reference:url,
>>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>>>  >     <
>>>>> http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > -Chris
>>>>> >     >
>>>>> >     > *From:* emerging-sigs-bounces at emergingthreats.net
>>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>>> >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>>>>> >     <mailto:emerging-sigs-bounces at emergingthreats.net>] *On Behalf
>>>>> Of
>>>>>  >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>>> >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>>>> >     > *To:* Matt Jonkman
>>>>> >     > *Cc:* Emerging Threats Signatures
>>>>> >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>>  >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>]
>>>>>  >     > var EXTERNAL_NET any
>>>>> >     >
>>>>> >     > RFC1918 -> RFC1918
>>>>> >     >
>>>>> >     > One of many examples, some including
>>>>> >     >
>>>>> >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>> >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
>>>>> (REQUEST)
>>>>> >     >
>>>>> >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>>>>> >      E....D at .........
>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>>>>> >      .`...m..."..l.8.
>>>>> >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>>>>> >      P..y.w.......SMB
>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>>>>> >      %.........k.y;w.
>>>>> >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>>>>> >      .s...x.....L...4
>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>> >      ................
>>>>> >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>>>>> >      .T.4.T...&...E..
>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>> >      \.P.I.P.E.\.....
>>>>> >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>>>>> >      ........4.......
>>>>> >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>>>>> >      ............u.<.
>>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>>>>> >      C..H.S.V.$B.....
>>>>> >     >         0x00b0:  007d 0000                                .}..
>>>>> >     >
>>>>> >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>> >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
>>>>> (REQUEST)
>>>>> >     >
>>>>> >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>>>>> >      E....G at .........
>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>>>>> >      .`...m..."..l.:(
>>>>> >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>>>>> >      P....P.......SMB
>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>>>>> >      %.........0.....
>>>>> >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>>>>> >      .....x....DM...,
>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>> >      ................
>>>>> >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>>>>> >      .T.,.T...&...=..
>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>> >      \.P.I.P.E.\.....
>>>>> >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>>>>> >      ........,.......
>>>>> >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>>>>> >      ............u.<.
>>>>> >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
>>>>>  C..H.S.V.$B.
>>>>> >     >
>>>>> >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>>>>> 10.96.aa.bb.microsoft-ds: Flags
>>>>> >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
>>>>> (REQUEST)
>>>>> >     >
>>>>> >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>>>>> >      E....;@.........
>>>>> >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>>>>> >      .`...m...".6l.5.
>>>>> >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>>>>> >      P............SMB
>>>>> >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>>>>> >      %..........R:x..
>>>>> >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>>>>> >      F....x.....J...X
>>>>> >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>>>>> >      ................
>>>>> >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>>>>> >      .T.X.T...&...i..
>>>>> >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>>>>> >      \.P.I.P.E.\.....
>>>>> >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>>>>> >      ........X.......
>>>>> >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>>>>> >      @.....,..(......
>>>>> >     >         (*SNIPPED*)
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > Matt Jonkman wrote:
>>>>> >     >
>>>>> >     > Internal to internal? Or external inbound?
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > Matt
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>>>>>  >     <mailto:evilghost at packetmail.net <mailto:
>>>>> evilghost at packetmail.net>>
>>>>> >     wrote:
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >     Falsing heavily here, as in, mapping the network.  I can
>>>>> provide
>>>>> >     >
>>>>> >     >     specifics if necessary.
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >     Matt Jonkman wrote:
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >         Thanks Christopher, posted for testing. Please give
>>>>> >     feedback. This is an
>>>>> >     >
>>>>> >     >         ugly problem...
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >         Matt
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >         Campesi, Christopher wrote:
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>>>>> >     (msg:"Remote SMB2.0 DoS
>>>>> >     >
>>>>> >     >
>>>>> >
>>>>> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>>>> >     >
>>>>> >     >
>>>>> >     26|";distance:7;classtype:attempted-dos;reference:url,
>>>>> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>>>  >     <
>>>>> http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >             http://securityreason.com/exploitalert/7138
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >             -Chris
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >
>>>>> ------------------------------------------------------------------------
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >             _______________________________________________
>>>>> >     >
>>>>> >     >             Emerging-sigs mailing list
>>>>> >     >
>>>>> >     >             Emerging-sigs at emergingthreats.net
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>>> >     >
>>>>> >     >
>>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >     _______________________________________________
>>>>> >     >
>>>>> >     >     Emerging-sigs mailing list
>>>>> >     >
>>>>> >     >     Emerging-sigs at emergingthreats.net
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net
>>>>>  >     <mailto:Emerging-sigs at emergingthreats.net>>
>>>>> >     >
>>>>> >     >
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >     >
>>>>> >
>>>>> >     --
>>>>> >     --------------------------------------------
>>>>> >     Matthew Jonkman
>>>>> >     Emerging Threats
>>>>> >     Open Information Security Foundation (OISF)
>>>>> >     Phone 765-429-0398
>>>>> >     Fax 312-264-0205
>>>>> >     http://www.emergingthreats.net
>>>>> >     http://www.openinformationsecurityfoundation.org
>>>>> >     --------------------------------------------
>>>>> >
>>>>> >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>> >
>>>>> >
>>>>> >     _______________________________________________
>>>>> >     Emerging-sigs mailing list
>>>>> >     Emerging-sigs at emergingthreats.net
>>>>> >     <mailto:Emerging-sigs at emergingthreats.net>
>>>>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> ------------------------------------------------------------------------
>>>>> >
>>>>> > _______________________________________________
>>>>> > Emerging-sigs mailing list
>>>>> > Emerging-sigs at emergingthreats.net
>>>>>  > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>> --
>>>>> --------------------------------------------
>>>>> Matthew Jonkman
>>>>> Emerging Threats
>>>>> Open Information Security Foundation (OISF)
>>>>> Phone 765-429-0398
>>>>> Fax 312-264-0205
>>>>> http://www.emergingthreats.net
>>>>> http://www.openinformationsecurityfoundation.org
>>>>> --------------------------------------------
>>>>>
>>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>>
>>>
>>  _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>>
> ------------------------------
>
> _______________________________________________
> Emerging-sigs mailing listEmerging-sigs at emergingthreats.nethttp://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/4b10a242/attachment-0001.html

From evilghost at packetmail.net  Tue Sep  8 22:25:01 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 8 Sep 2009 21:25:01 -0500
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081908s744fe0dah70ac94a668125a00@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	
	<4AA6A7C3.5060206@jonkmans.com>	
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>	
	<4AA6C760.2060200@jonkmans.com>	
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>	
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>	
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>	
	<613F6F31-F3B6-4A0A-A5A9-6337960C9786@gmail.com>	
	<314cf0830909081802h19bb2a0jcb51d5a2d83b686b@mail.gmail.com>	
	<4AA70C93.3060601@packetmail.net>
	<314cf0830909081908s744fe0dah70ac94a668125a00@mail.gmail.com>
Message-ID: <4AA711FD.4060307@packetmail.net>

Joel, I've no ax to grind against you, so please don't infer so.  I 
understand where you come from, it's your employer who has questionable 
motives.  It's hard for me to believe SourceFire is as community driven 
as they would have us believe while crafting processes and licensing 
agreements that are designed to secure profit from community efforts.  
Remember, SourceFire is standing on the shoulders of the security 
researchers as well...

Speaking of the past, I don't place too much merit in VRT signatures 
which are available the same day a patch is available whilst the ET 
community has had coverage during this lapse.  I'll take the nominal 
performance degradation in favor of coverage.

I'm going to tap out of this thread now that I've expressed my view.  No 
point to continue this debate. :)

-evilghost

Joel Esler wrote:
> Evilghost, 
>
> I am sorry you feel this way about my comments.  Obviously anyone that 
> has worked with me in the past knows I am trying to help by protecting 
> your networks in the best way I can.  
>
> No, I was not trying to set you up for failure.  My email, *FWIW* was 
> a FYI to the people on the list who I KNOW are subscribers.  If one 
> chooses to subscribe, it is up to them.  I definitely get no kickback 
> if you do.
>
> The license is there to protect Sourcefire's IP from theft.  
>
> J
>
> On Tue, Sep 8, 2009 at 10:01 PM, evilghost at packetmail.net 
> <mailto:evilghost at packetmail.net> <evilghost at packetmail.net 
> <mailto:evilghost at packetmail.net>> wrote:
>
>     In summary, the VRT license prevents the community from doing
>     anything worthwhile with it.  In the context of the ET list, there
>     is no value added by VRT having coverage for this issue, the
>     respective announcement of this coverage, or analysis of this VRT
>     rule by ET participants with access to the VRT ruleset.  Joel,
>     were you inadvertently trying to set us up for failure?
>
>     IMHO the License agreement is very open-source community
>     friendly.  I saw something similar to it once in the form of an
>     prominent OS EULA before it was blown away with a GNU/Linux
>     installation.
>
>     /1.5. "Modifications" or "Modified" means any alteration, addition
>     to or deletion from the substance or structure of the VRT
>     Certified Rules or any Modifications of such, including, without
>     limitation, (a) any addition to or deletion to the contents of a
>     file containing a VRT Certified Rule or a Modification; *(b) any
>     derivative of the VRT Certified Rule or of any Modified VRT
>     Certified Rule; or (c) any new file that contains any part of the
>     VRT Certified Rule or Modified VRT Certified Rule*/
>
>     /Licensee agrees that he, she or it *shall* *NOT do any of the
>     following without Sourcefire's prior written consent:* (a)
>     Download, use, install, deploy, perform, *modify,* license,
>     display, reproduce, distribute or *disclose the Rules or
>     Modifications* thereto (even if merged with other materials as a
>     Compilation) other than as allowed under a Subscriber Permitted
>     Use or a Registered User Permitted Use; (b) sell, license,
>     transfer, rent, loan, download, use, install, deploy, perform,
>     modify, reproduce, distribute or disclose the Rules or any
>     Modifications thereto (in whole or in part and whether done
>     independently or as part of a Compilation) for a Commercial
>     Purpose; (c) *post or make generally available any Rule or any
>     Modifications thereto (in whole or in part) to individuals or a
>     group of individuals who have not agreed to the terms and
>     conditions of this Agreement*...
>
>     3. Modifications; Derivative Works. *In the event a Licensee
>     creates a Modification, the use, reproduction and distribution of
>     such Modifications shall be governed by the terms and conditions
>     of this Agreement*. A*dditionally, each Licensee hereby grants
>     Sourcefire and any other Licensee of the Rules an irrevocable,
>     perpetual, fully paid-up, world-wide, royalty-free, non-exclusive
>     license to download, use, reproduce, modify, display, perform and
>     distribute such Modifications (and the source code thereto),
>     provided, however, that a Licensee and any recipient of such
>     Modifications* must include: (a) the original copyright notice and
>     all other applicable proprietary legends; (b) the original
>     warranty disclaimer; (c) the original notices referencing this
>     Agreement and absence of warranties; and (d) a prominent notice
>     stating that the Licensee changed the Rule (or any Modification
>     thereto) and the date of any change./
>
>
>     Joel Esler wrote:
>>     On Tue, Sep 8, 2009 at 7:51 PM, Daniel Shepherd
>>     <shepdelacreme at gmail.com <mailto:shepdelacreme at gmail.com>> wrote:
>>
>>         Joel,
>>
>>         I need some clarification on a few points of the VRT license.
>>         You yourself say that "You may discuss the rules and make
>>         improvements upon the rules on Snort's lists, you may not,
>>         however, post or distribute the rule."
>>
>>
>>     I paraphrased.  You'll need to read the license.
>>     http://www.snort.org/vrt/rules/vrt_license
>>
>>      
>>
>>         So from that line we can't discuss the rule on this list
>>         since it is not a snort list. Also we cannot distribute or
>>         post the rule...so wouldn't that mean that if we look at the
>>         rule and make improvements to the ET rule we cannot then post
>>         that rule to this list, and ET would not be able to
>>         distribute it as part of their rule set because it
>>         incorporated ideas from the VRT rule?
>>
>>
>>     If you make improvements to the ET rule, you make improvements to
>>     the ET rule.  This rule is separate from the VRT.
>>
>>      
>>
>>         Not trying to spread FUD just trying to get an idea of how
>>         permissive/non-permissive the license is. 
>>
>>
>>     Please read the license.
>>      
>>
>>         And lastly I'd like to point out that some of the rules are
>>         written as GID:3 rules which essentially makes them closed
>>         source, even if they aren't restricted by a contractual
>>         agreement. For instance the Conficker rules are GID:3 and the
>>         recent BIND DoS rule is GID:3
>>
>>
>>     Some rules are written as GID that are non-ms for a reason as
>>     well.  A GID 3 rule (Shared Object) is a rule written in the C
>>     language, not in Snort rules language.  Because they are written
>>     in C they allow the VRT to do extremely complicated things inside
>>     of a rule that are not possible in GID:1 rules.  For example, the
>>     Conficker rule.  There is some very advanced Floating Point math
>>     in that rule.  That type of thing sure can't be done in a GID:1.
>>
>>      
>>
>>         My issue with the way SF operates sometimes is that they
>>         specifically market themselves as Open Source, when really
>>         they are the "most" open of the big IDS engines/rules. I.E.
>>         ISS is completely closed so yeah you are more open than them.
>>         It seems to me if SF/VRT wanted to truly be open source and
>>         community friendly they would release every signature as open
>>         source, save for the ones under a contractual agreement (i.e.
>>         MS rules). If VRT doesn't want to give their work away then
>>         that is also fine, I don't lean one way or another but when
>>         you are marketing yourselves as open source then you need to
>>         live up to that claim.
>>
>>
>>     Some rules can't be done in the normal way, like Confiker, like
>>     Trufflehunter, etc.  That's why the SO rule language was
>>     developed.  Anyone can write an SO rule, just read the
>>     documentation and examples that outline its structure in the
>>     Snort manual.  Sourcefire is a complicated company.  Our engine
>>     is open source.  Most of our rules are open and readable, but you
>>     can't resell them or make them available to anyone else.  The VRT
>>     license was created just before I came to Sourcefire, but from
>>     what I understand, the license was created because several
>>     companies were taking the rules, stripping our copyright out of
>>     them and selling them.
>>      
>>
>>         If I'm wrong about those GID3 rules and the source is
>>         available somewhere then I apologize but I've never been able
>>         to get the source.
>>
>>
>>     Some of the GID3 rules source is available, but I am not exactly
>>     sure which ones, as I haven't looked in a long time (pulledpork
>>     manages my rules for me, saves me all kinds of time in dealing
>>     with shared object rules, as it handles all the shared object
>>     rules automatically)
>>
>>      
>>
>>
>>         Dan
>>
>>         On Sep 8, 2009, at 7:13 PM, Joel Esler wrote:
>>
>>>         SOME of the rules are written that way because of
>>>         contractual agreements with Microsoft under the MAPP program. 
>>>         http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>>>
>>>         However, the vast majority of the VRT rules are open for
>>>         everyone to read.
>>>
>>>         You may discuss the rules and make improvements upon the
>>>         rules on Snort's lists, you may not, however, post or
>>>         distribute the rule.
>>>
>>>         I suggest people A) Check out the License, because clearly
>>>         there is misunderstanding and FUD being spread, and B) Check
>>>         out the rules to clear up the FUD.  (They are closed, we
>>>         can't download them, other misc lies.)
>>>
>>>         It's not about competition between "community" vs.
>>>         "Sourcefire" as some people have tried to make it out to be.
>>>          I wish that would stop.  I discussed this at length in an
>>>         earlier email.
>>>
>>>         That being said...  there are no negative content matches in
>>>         the VRT rule.
>>>
>>>         J
>>>
>>>
>>>
>>>         On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster
>>>         <guise.mcallaster at gmail.com
>>>         <mailto:guise.mcallaster at gmail.com>> wrote:
>>>
>>>             I thought the VRT rules are compiled so you can't see
>>>             them in the clear unless you reverse engineer it and
>>>             reconstruct them.  Am I wrong?  If so, can some one post
>>>             it here?  Matt has a good point about comparing it --
>>>             the more info we have the better.  Sharing and
>>>             empowerment is what gives the open source community the
>>>             strength.  Unless, of course, you aren't open source and
>>>             then it is all about competitive advantage and money,
>>>             greed, etc.
>>>
>>>             Guise (a.k.a. G)
>>>
>>>
>>>             On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler
>>>             <eslerj at gmail.com <mailto:eslerj at gmail.com>> wrote:
>>>
>>>                 No, the license would prevent me from posting them.
>>>                  Not from you seeing them.  I am sure plenty of
>>>                 people on this list have a VRT subscription.
>>>
>>>                 No FUD spreading.
>>>
>>>                 J
>>>
>>>
>>>                 On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman
>>>                 <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>>
>>>                 wrote:
>>>
>>>                     :)
>>>
>>>                     The license would prevent us from doing so. Or
>>>                     even seeing them at this
>>>                     point.
>>>
>>>                     If you'd like to post it here so we can compare
>>>                     that'd be appreciated.
>>>
>>>                     Matt
>>>
>>>                     Joel Esler wrote:
>>>                     > FWIW, VRT just put one out if you want to look
>>>                     at it.  It's Gid:1.
>>>                     >
>>>                     > J
>>>                     >
>>>                     > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman
>>>                     <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>
>>>                     > <mailto:jonkman at jonkmans.com
>>>                     <mailto:jonkman at jonkmans.com>>> wrote:
>>>                     >
>>>                     >     Committed, again all please test. Thanks
>>>                     Jax and Christopher!
>>>                     >
>>>                     >     Matt
>>>                     >
>>>                     >     Campesi, Christopher wrote:
>>>                     >     >  I looked at the results of the sig and
>>>                     it hit way more than I
>>>                     >     expected,
>>>                     >     > sorry about that. I took what Jax
>>>                     replied with and used that as
>>>                     >     the only
>>>                     >     > content match, that resulted in no FPs
>>>                     so far, like he said.
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > alert tcp $EXTERNAL_NET any -> $HOME_NET
>>>                     445 (msg:"Windows7/Vista/2k8
>>>                     >     > SMB2.0 DoS
>>>                     Exploit";flow:to_server,established;content:"|ff|SMB|72
>>>                     >     00 00
>>>                     >     > 00 00 18 53 c8 00
>>>                     >     >
>>>                     >    
>>>                     26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>                     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>>>                     >    
>>>                     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > -Chris
>>>                     >     >
>>>                     >     > *From:*
>>>                     emerging-sigs-bounces at emergingthreats.net
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>                     >    
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net>>
>>>                     >     >
>>>                     [mailto:emerging-sigs-bounces at emergingthreats.net
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>                     >    
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net>>]
>>>                     *On Behalf Of
>>>                     >     > *evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>
>>>                     <mailto:evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>>
>>>                     >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>>                     >     > *To:* Matt Jonkman
>>>                     >     > *Cc:* Emerging Threats Signatures
>>>                     >     > *Subject:* Re: [Emerging-Sigs] Remote
>>>                     SMB 2.0 DoS Exploit
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > var HOME_NET [10.0.0.0/8
>>>                     <http://10.0.0.0/8> <http://10.0.0.0/8>]
>>>                     >     > var EXTERNAL_NET any
>>>                     >     >
>>>                     >     > RFC1918 -> RFC1918
>>>                     >     >
>>>                     >     > One of many examples, some including
>>>                     >     >
>>>                     >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>>>                     10.96.aa.bb.microsoft-ds: Flags
>>>                     >     > [P.], ack 361669, win 65145, length
>>>                     140SMB PACKET: SMBtrans (REQUEST)
>>>                     >     >
>>>                     >     >         0x0000:  4500 00b4 0a44 4000
>>>                     7f06 05a4 0ad7 cc08
>>>                     >      E....D at .........
>>>                     >     >         0x0010:  0a60 0a1d 106d 01bd
>>>                     e822 e07f 6c12 38b1
>>>                     >      .`...m..."..l.8.
>>>                     >     >         0x0020:  5018 fe79 ea77 0000
>>>                     0000 0088 ff53 4d42
>>>                     >      P..y.w.......SMB
>>>                     >     >         0x0030:  2500 0000 0018 07c8
>>>                     0000 6bd5 793b 77d3
>>>                     >      %.........k.y;w.
>>>                     >     >         0x0040:  cf73 0000 0178 f80c
>>>                     02e0 834c 1000 0034
>>>                     >      .s...x.....L...4
>>>                     >     >         0x0050:  0000 0000 0400 0000
>>>                     0000 0000 0000 0000
>>>                     >      ................
>>>                     >     >         0x0060:  0054 0034 0054 0002
>>>                     0026 000e c045 0000
>>>                     >      .T.4.T...&...E..
>>>                     >     >         0x0070:  5c00 5000 4900 5000
>>>                     4500 5c00 0000 0000
>>>                     >      \.P.I.P.E.\.....
>>>                     >     >         0x0080:  0500 0003 1000 0000
>>>                     3400 0000 0f00 0000
>>>                     >      ........4.......
>>>                     >     >         0x0090:  1c00 0000 0000 0d00
>>>                     0000 0000 7599 3ccc
>>>                     >      ............u.<.
>>>                     >     >         0x00a0:  43cd 9348 af53 9c56
>>>                     e124 4201 ffff ffff
>>>                     >      C..H.S.V.$B.....
>>>                     >     >         0x00b0:  007d 0000              
>>>                                      .}..
>>>                     >     >
>>>                     >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>>>                     10.96.aa.bb.microsoft-ds: Flags
>>>                     >     > [P.], ack 362044, win 64770, length
>>>                     132SMB PACKET: SMBtrans (REQUEST)
>>>                     >     >
>>>                     >     >         0x0000:  4500 00ac 0a47 4000
>>>                     7f06 05a9 0ad7 cc08
>>>                     >      E....G at .........
>>>                     >     >         0x0010:  0a60 0a1d 106d 01bd
>>>                     e822 e1c2 6c12 3a28
>>>                     >      .`...m..."..l.:(
>>>                     >     >         0x0020:  5018 fd02 0650 0000
>>>                     0000 0080 ff53 4d42
>>>                     >      P....P.......SMB
>>>                     >     >         0x0030:  2500 0000 0018 07c8
>>>                     0000 300c 85e5 0f16
>>>                     >      %.........0.....
>>>                     >     >         0x0040:  a5e5 0000 0178 f80c
>>>                     02e0 444d 1000 002c
>>>                     >      .....x....DM...,
>>>                     >     >         0x0050:  0000 0000 0400 0000
>>>                     0000 0000 0000 0000
>>>                     >      ................
>>>                     >     >         0x0060:  0054 002c 0054 0002
>>>                     0026 0002 c03d 0000
>>>                     >      .T.,.T...&...=..
>>>                     >     >         0x0070:  5c00 5000 4900 5000
>>>                     4500 5c00 0000 0000
>>>                     >      \.P.I.P.E.\.....
>>>                     >     >         0x0080:  0500 0003 1000 0000
>>>                     2c00 0000 1000 0000
>>>                     >      ........,.......
>>>                     >     >         0x0090:  1400 0000 0000 0000
>>>                     0000 0000 7599 3ccc
>>>                     >      ............u.<.
>>>                     >     >         0x00a0:  43cd 9348 af53 9c56
>>>                     e124 4201            C..H.S.V.$B.
>>>                     >     >
>>>                     >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>>>                     10.96.aa.bb.microsoft-ds: Flags
>>>                     >     > [P.], ack 360908, win 64520, length
>>>                     176SMB PACKET: SMBtrans (REQUEST)
>>>                     >     >
>>>                     >     >         0x0000:  4500 00d8 0a3b 4000
>>>                     7f06 0589 0ad7 cc08
>>>                     >      E....;@.........
>>>                     >     >         0x0010:  0a60 0a1d 106d 01bd
>>>                     e822 dd36 6c12 35b8
>>>                     >      .`...m...".6l.5.
>>>                     >     >         0x0020:  5018 fc08 877f 0000
>>>                     0000 00ac ff53 4d42
>>>                     >      P............SMB
>>>                     >     >         0x0030:  2500 0000 0018 07c8
>>>                     0000 9f52 3a78 b920
>>>                     >      %..........R:x..
>>>                     >     >         0x0040:  4608 0000 0178 f80c
>>>                     02e0 834a 1000 0058
>>>                     >      F....x.....J...X
>>>                     >     >         0x0050:  0000 0000 0400 0000
>>>                     0000 0000 0000 0000
>>>                     >      ................
>>>                     >     >         0x0060:  0054 0058 0054 0002
>>>                     0026 0009 c069 0000
>>>                     >      .T.X.T...&...i..
>>>                     >     >         0x0070:  5c00 5000 4900 5000
>>>                     4500 5c00 0000 0000
>>>                     >      \.P.I.P.E.\.....
>>>                     >     >         0x0080:  0500 0003 1000 0000
>>>                     5800 0000 0700 0000
>>>                     >      ........X.......
>>>                     >     >         0x0090:  4000 0000 0000 2c00
>>>                     b028 0d00 0a00 0000
>>>                     >      @.....,..(......
>>>                     >     >         (*SNIPPED*)
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > Matt Jonkman wrote:
>>>                     >     >
>>>                     >     > Internal to internal? Or external inbound?
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > Matt
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>
>>>                     <mailto:evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>>
>>>                     >     <mailto:evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>
>>>                     <mailto:evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>>>
>>>                     >     wrote:
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >     Falsing heavily here, as in, mapping
>>>                     the network.  I can provide
>>>                     >     >
>>>                     >     >     specifics if necessary.
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >     Matt Jonkman wrote:
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >         Thanks Christopher, posted for
>>>                     testing. Please give
>>>                     >     feedback. This is an
>>>                     >     >
>>>                     >     >         ugly problem...
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >         Matt
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >         Campesi, Christopher wrote:
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >             alert tcp $EXTERNAL_NET any
>>>                     -> $HOME_NET 445
>>>                     >     (msg:"Remote SMB2.0 DoS
>>>                     >     >
>>>                     >     >
>>>                     >    
>>>                     Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>>                     >     >
>>>                     >     >
>>>                     >    
>>>                     26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>                     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>>>                     >    
>>>                     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >            
>>>                     http://securityreason.com/exploitalert/7138
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >             -Chris
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >    
>>>                     ------------------------------------------------------------------------
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >            
>>>                     _______________________________________________
>>>                     >     >
>>>                     >     >             Emerging-sigs mailing list
>>>                     >     >
>>>                     >     >            
>>>                     Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>>
>>>                     >     >
>>>                     >     >
>>>                     >    
>>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >    
>>>                     _______________________________________________
>>>                     >     >
>>>                     >     >     Emerging-sigs mailing list
>>>                     >     >
>>>                     >     >     Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>>
>>>                     >     >
>>>                     >     >    
>>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >
>>>                     >     --
>>>                     >     --------------------------------------------
>>>                     >     Matthew Jonkman
>>>                     >     Emerging Threats
>>>                     >     Open Information Security Foundation (OISF)
>>>                     >     Phone 765-429-0398
>>>                     >     Fax 312-264-0205
>>>                     >     http://www.emergingthreats.net
>>>                     <http://www.emergingthreats.net/>
>>>                     >    
>>>                     http://www.openinformationsecurityfoundation.org
>>>                     <http://www.openinformationsecurityfoundation.org/>
>>>                     >     --------------------------------------------
>>>                     >
>>>                     >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>                     >
>>>                     >
>>>                     >    
>>>                     _______________________________________________
>>>                     >     Emerging-sigs mailing list
>>>                     >     Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>
>>>                     >    
>>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>                     >
>>>                     >
>>>                     >
>>>                     >
>>>                     ------------------------------------------------------------------------
>>>                     >
>>>                     > _______________________________________________
>>>                     > Emerging-sigs mailing list
>>>                     > Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >
>>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>                     --
>>>                     --------------------------------------------
>>>                     Matthew Jonkman
>>>                     Emerging Threats
>>>                     Open Information Security Foundation (OISF)
>>>                     Phone 765-429-0398
>>>                     Fax 312-264-0205
>>>                     http://www.emergingthreats.net
>>>                     <http://www.emergingthreats.net/>
>>>                     http://www.openinformationsecurityfoundation.org
>>>                     <http://www.openinformationsecurityfoundation.org/>
>>>                     --------------------------------------------
>>>
>>>                     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>>
>>>                 _______________________________________________
>>>                 Emerging-sigs mailing list
>>>                 Emerging-sigs at emergingthreats.net
>>>                 <mailto:Emerging-sigs at emergingthreats.net>
>>>                 http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>>
>>>         _______________________________________________
>>>         Emerging-sigs mailing list
>>>         Emerging-sigs at emergingthreats.net
>>>         <mailto:Emerging-sigs at emergingthreats.net>
>>>         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>>     ------------------------------------------------------------------------
>>     _______________________________________________ Emerging-sigs
>>     mailing list Emerging-sigs at emergingthreats.net
>>     <mailto:Emerging-sigs at emergingthreats.net>
>>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090908/3d80faa3/attachment-0001.html

From kevross33 at googlemail.com  Tue Sep  8 22:30:11 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 9 Sep 2009 03:30:11 +0100
Subject: [Emerging-Sigs] TCP/IP 0 window Dos sig attempt
In-Reply-To: <1252460800.55402.219.camel@localhost>
References: <e75cc74a0909081803m1b2456acmdc57852708599488@mail.gmail.com>
	<1252460800.55402.219.camel@localhost>
Message-ID: <e75cc74a0909081930of164e55n1dcb9d3b8b782ef6@mail.gmail.com>

I will give it a try. tbh I don't think there is a way to actually match it
as a definite thing. Like write a rule which says this is definately a
TCP/IP DOS. It is just to general and also probably legit.

2009/9/9 Frank Knobbe <frank at knobbe.us>

> On Wed, 2009-09-09 at 02:03 +0100, Kevin Ross wrote:
> > I am unsure of this sig big time for accuracy and false positives.
> > However; I still thought I might have a go :) Anyhoo what I have here
> > is a window size of 0 (not sure if flags are needed as I guess it
> > could be anything) then a large number of them to a single destination
> > (though I am unsure how many and how fast the connections can be made
> > to exhaust connections).
>
>
> We tried something like this a year ago when the vulnerability was first
> made public. As I recall, it didn't work. But I don't remember if there
> was a threshold on it. Why don't you test it for a bit and see how many
> FPs you get? :)
>
> -Frank
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090909/a2922804/attachment.html

From jonkman at jonkmans.com  Wed Sep  9 07:09:33 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 09 Sep 2009 07:09:33 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	
	<4AA68604.7090009@jonkmans.com> <4AA68A81.40302@packetmail.net>	
	<4AA698A1.1050104@jonkmans.com> <4AA6A04F.8060607@packetmail.net>	
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>	
	<4AA6A7C3.5060206@jonkmans.com>	
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>	
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
Message-ID: <4AA78CED.4080807@jonkmans.com>

Didn't mean to let my comment become a bash SF thread. Although
officially that is the only target of bashing allowed on the ET lists... :)

My point was that asking us to look at the VRT sig to compare is
illegal. We cannot look at the VRT rules while we do our own development
lest we be sued for copyright infringement, even though our public
development started prior to any public discussion SF made available.

I fully understand why SF has the license it does on the VRT ruleset.
VRT is not open source, nor free for the world. It's a ruleset that's
highly tested and built at a cost in man hours that SF intends to
recoup. Thats business, that's perfectly fair.

I don't subscribe nor use VRT very often so as not to be accused of
copyright infringement in the work we do at ET. I don't see them nor
develop based on them.

I realize you were probably trying to help, or point out that VRT had a
rule as well Joel. But we can't look at them, share them, compare to
them, or develop based on them. So thanks, but we can't. Don't want to
blow all of our support money fighting the legal team of a multi-million
dollar company. :)

Matt


Joel Esler wrote:
> No, the license would prevent me from posting them.  Not from you seeing
> them.  I am sure plenty of people on this list have a VRT subscription.
> 
> No FUD spreading.
> 
> J
> 
> On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com
> <mailto:jonkman at jonkmans.com>> wrote:
> 
>     :)
> 
>     The license would prevent us from doing so. Or even seeing them at this
>     point.
> 
>     If you'd like to post it here so we can compare that'd be appreciated.
> 
>     Matt
> 
>     Joel Esler wrote:
>     > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
>     >
>     > J
>     >
>     > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
>     <mailto:jonkman at jonkmans.com>
>     > <mailto:jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>>> wrote:
>     >
>     >     Committed, again all please test. Thanks Jax and Christopher!
>     >
>     >     Matt
>     >
>     >     Campesi, Christopher wrote:
>     >     >  I looked at the results of the sig and it hit way more than I
>     >     expected,
>     >     > sorry about that. I took what Jax replied with and used that as
>     >     the only
>     >     > content match, that resulted in no FPs so far, like he said.
>     >     >
>     >     >
>     >     >
>     >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>     (msg:"Windows7/Vista/2k8
>     >     > SMB2.0 DoS
>     Exploit";flow:to_server,established;content:"|ff|SMB|72
>     >     00 00
>     >     > 00 00 18 53 c8 00
>     >     >
>     >    
>     26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>     >    
>     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>     >     >
>     >     >
>     >     >
>     >     > -Chris
>     >     >
>     >     > *From:* emerging-sigs-bounces at emergingthreats.net
>     <mailto:emerging-sigs-bounces at emergingthreats.net>
>     >     <mailto:emerging-sigs-bounces at emergingthreats.net
>     <mailto:emerging-sigs-bounces at emergingthreats.net>>
>     >     > [mailto:emerging-sigs-bounces at emergingthreats.net
>     <mailto:emerging-sigs-bounces at emergingthreats.net>
>     >     <mailto:emerging-sigs-bounces at emergingthreats.net
>     <mailto:emerging-sigs-bounces at emergingthreats.net>>] *On Behalf Of
>     >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net>>
>     >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>     >     > *To:* Matt Jonkman
>     >     > *Cc:* Emerging Threats Signatures
>     >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
>     >     >
>     >     >
>     >     >
>     >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>
>     <http://10.0.0.0/8>]
>     >     > var EXTERNAL_NET any
>     >     >
>     >     > RFC1918 -> RFC1918
>     >     >
>     >     > One of many examples, some including
>     >     >
>     >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>     10.96.aa.bb.microsoft-ds: Flags
>     >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
>     (REQUEST)
>     >     >
>     >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
>     >      E....D at .........
>     >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
>     >      .`...m..."..l.8.
>     >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
>     >      P..y.w.......SMB
>     >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
>     >      %.........k.y;w.
>     >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
>     >      .s...x.....L...4
>     >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>     >      ................
>     >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
>     >      .T.4.T...&...E..
>     >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>     >      \.P.I.P.E.\.....
>     >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
>     >      ........4.......
>     >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
>     >      ............u.<.
>     >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
>     >      C..H.S.V.$B.....
>     >     >         0x00b0:  007d 0000                                .}..
>     >     >
>     >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>     10.96.aa.bb.microsoft-ds: Flags
>     >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
>     (REQUEST)
>     >     >
>     >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
>     >      E....G at .........
>     >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
>     >      .`...m..."..l.:(
>     >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
>     >      P....P.......SMB
>     >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
>     >      %.........0.....
>     >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
>     >      .....x....DM...,
>     >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>     >      ................
>     >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
>     >      .T.,.T...&...=..
>     >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>     >      \.P.I.P.E.\.....
>     >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
>     >      ........,.......
>     >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
>     >      ............u.<.
>     >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201          
>      C..H.S.V.$B.
>     >     >
>     >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>     10.96.aa.bb.microsoft-ds: Flags
>     >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
>     (REQUEST)
>     >     >
>     >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
>     >      E....;@.........
>     >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
>     >      .`...m...".6l.5.
>     >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
>     >      P............SMB
>     >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
>     >      %..........R:x..
>     >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
>     >      F....x.....J...X
>     >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
>     >      ................
>     >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
>     >      .T.X.T...&...i..
>     >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
>     >      \.P.I.P.E.\.....
>     >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
>     >      ........X.......
>     >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
>     >      @.....,..(......
>     >     >         (*SNIPPED*)
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     > Matt Jonkman wrote:
>     >     >
>     >     > Internal to internal? Or external inbound?
>     >     >
>     >     >
>     >     >
>     >     > Matt
>     >     >
>     >     >
>     >     >
>     >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
>     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net>>
>     >     <mailto:evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net> <mailto:evilghost at packetmail.net
>     <mailto:evilghost at packetmail.net>>>
>     >     wrote:
>     >     >
>     >     >
>     >     >
>     >     >     Falsing heavily here, as in, mapping the network.  I can
>     provide
>     >     >
>     >     >     specifics if necessary.
>     >     >
>     >     >
>     >     >
>     >     >     Matt Jonkman wrote:
>     >     >
>     >     >
>     >     >
>     >     >         Thanks Christopher, posted for testing. Please give
>     >     feedback. This is an
>     >     >
>     >     >         ugly problem...
>     >     >
>     >     >
>     >     >
>     >     >         Matt
>     >     >
>     >     >
>     >     >
>     >     >         Campesi, Christopher wrote:
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
>     >     (msg:"Remote SMB2.0 DoS
>     >     >
>     >     >
>     >    
>     Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>     >     >
>     >     >
>     >    
>     26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>     >    
>     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >             http://securityreason.com/exploitalert/7138
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >             -Chris
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >    
>     ------------------------------------------------------------------------
>     >     >
>     >     >
>     >     >
>     >     >             _______________________________________________
>     >     >
>     >     >             Emerging-sigs mailing list
>     >     >
>     >     >             Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>>
>     >     >
>     >     >
>     >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >     _______________________________________________
>     >     >
>     >     >     Emerging-sigs mailing list
>     >     >
>     >     >     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>>
>     >     >
>     >     >    
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >
>     >     --
>     >     --------------------------------------------
>     >     Matthew Jonkman
>     >     Emerging Threats
>     >     Open Information Security Foundation (OISF)
>     >     Phone 765-429-0398
>     >     Fax 312-264-0205
>     >     http://www.emergingthreats.net
>     >     http://www.openinformationsecurityfoundation.org
>     >     --------------------------------------------
>     >
>     >     PGP: http://www.jonkmans.com/mattjonkman.asc
>     >
>     >
>     >     _______________________________________________
>     >     Emerging-sigs mailing list
>     >     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >     <mailto:Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>>
>     >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >
>     >
>     >
>     >
>     ------------------------------------------------------------------------
>     >
>     > _______________________________________________
>     > Emerging-sigs mailing list
>     > Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
>     --
>     --------------------------------------------
>     Matthew Jonkman
>     Emerging Threats
>     Open Information Security Foundation (OISF)
>     Phone 765-429-0398
>     Fax 312-264-0205
>     http://www.emergingthreats.net
>     http://www.openinformationsecurityfoundation.org
>     --------------------------------------------
> 
>     PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From jonkman at jonkmans.com  Wed Sep  9 07:11:48 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 09 Sep 2009 07:11:48 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081908s744fe0dah70ac94a668125a00@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA6A7C3.5060206@jonkmans.com>	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>	<4AA6C760.2060200@jonkmans.com>	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>	<613F6F31-F3B6-4A0A-A5A9-6337960C9786@gmail.com>	<314cf0830909081802h19bb2a0jcb51d5a2d83b686b@mail.gmail.com>	<4AA70C93.3060601@packetmail.net>
	<314cf0830909081908s744fe0dah70ac94a668125a00@mail.gmail.com>
Message-ID: <4AA78D74.1020907@jonkmans.com>

Joel Esler wrote:
> I am sorry you feel this way about my comments.  Obviously anyone that
> has worked with me in the past knows I am trying to help by protecting
> your networks in the best way I can.  

I'd vouch for Joel generally wanting to do the right thing.

> 
> No, I was not trying to set you up for failure.  My email, *FWIW* was a
> FYI to the people on the list who I KNOW are subscribers.  If one
> chooses to subscribe, it is up to them.  I definitely get no kickback if
> you do.

I know you didn't intend, but if we look at the VRT sig to make our sig
we're clearly guilty of copyright infringment if we learn something from
the VRT sig and incorporate it into our sig. I think kthat was his point.

> 
> The license is there to protect Sourcefire's IP from theft.  
> 

Yup. And that's fair. (Just don't call it open :) )

Matt

> J
> 
> On Tue, Sep 8, 2009 at 10:01 PM, evilghost at packetmail.net
> <mailto:evilghost at packetmail.net> <evilghost at packetmail.net
> <mailto:evilghost at packetmail.net>> wrote:
> 
>     In summary, the VRT license prevents the community from doing
>     anything worthwhile with it.  In the context of the ET list, there
>     is no value added by VRT having coverage for this issue, the
>     respective announcement of this coverage, or analysis of this VRT
>     rule by ET participants with access to the VRT ruleset.  Joel, were
>     you inadvertently trying to set us up for failure?
> 
>     IMHO the License agreement is very open-source community friendly. 
>     I saw something similar to it once in the form of an prominent OS
>     EULA before it was blown away with a GNU/Linux installation.
> 
>     /1.5. "Modifications" or "Modified" means any alteration, addition
>     to or deletion from the substance or structure of the VRT Certified
>     Rules or any Modifications of such, including, without limitation,
>     (a) any addition to or deletion to the contents of a file containing
>     a VRT Certified Rule or a Modification; *(b) any derivative of the
>     VRT Certified Rule or of any Modified VRT Certified Rule; or (c) any
>     new file that contains any part of the VRT Certified Rule or
>     Modified VRT Certified Rule*/
> 
>     /Licensee agrees that he, she or it *shall* *NOT do any of the
>     following without Sourcefire's prior written consent:* (a) Download,
>     use, install, deploy, perform, *modify,* license, display,
>     reproduce, distribute or *disclose the Rules or Modifications*
>     thereto (even if merged with other materials as a Compilation) other
>     than as allowed under a Subscriber Permitted Use or a Registered
>     User Permitted Use; (b) sell, license, transfer, rent, loan,
>     download, use, install, deploy, perform, modify, reproduce,
>     distribute or disclose the Rules or any Modifications thereto (in
>     whole or in part and whether done independently or as part of a
>     Compilation) for a Commercial Purpose; (c) *post or make generally
>     available any Rule or any Modifications thereto (in whole or in
>     part) to individuals or a group of individuals who have not agreed
>     to the terms and conditions of this Agreement*...
> 
>     3. Modifications; Derivative Works. *In the event a Licensee creates
>     a Modification, the use, reproduction and distribution of such
>     Modifications shall be governed by the terms and conditions of this
>     Agreement*. A*dditionally, each Licensee hereby grants Sourcefire
>     and any other Licensee of the Rules an irrevocable, perpetual, fully
>     paid-up, world-wide, royalty-free, non-exclusive license to
>     download, use, reproduce, modify, display, perform and distribute
>     such Modifications (and the source code thereto), provided, however,
>     that a Licensee and any recipient of such Modifications* must
>     include: (a) the original copyright notice and all other applicable
>     proprietary legends; (b) the original warranty disclaimer; (c) the
>     original notices referencing this Agreement and absence of
>     warranties; and (d) a prominent notice stating that the Licensee
>     changed the Rule (or any Modification thereto) and the date of any
>     change./
> 
> 
>     Joel Esler wrote:
>>     On Tue, Sep 8, 2009 at 7:51 PM, Daniel Shepherd
>>     <shepdelacreme at gmail.com <mailto:shepdelacreme at gmail.com>> wrote:
>>
>>         Joel,
>>
>>         I need some clarification on a few points of the VRT license.
>>         You yourself say that "You may discuss the rules and make
>>         improvements upon the rules on Snort's lists, you may not,
>>         however, post or distribute the rule."
>>
>>
>>     I paraphrased.  You'll need to read the license.
>>     http://www.snort.org/vrt/rules/vrt_license
>>
>>      
>>
>>         So from that line we can't discuss the rule on this list since
>>         it is not a snort list. Also we cannot distribute or post the
>>         rule...so wouldn't that mean that if we look at the rule and
>>         make improvements to the ET rule we cannot then post that rule
>>         to this list, and ET would not be able to distribute it as
>>         part of their rule set because it incorporated ideas from the
>>         VRT rule?
>>
>>
>>     If you make improvements to the ET rule, you make improvements to
>>     the ET rule.  This rule is separate from the VRT.
>>
>>      
>>
>>         Not trying to spread FUD just trying to get an idea of how
>>         permissive/non-permissive the license is. 
>>
>>
>>     Please read the license.
>>      
>>
>>         And lastly I'd like to point out that some of the rules are
>>         written as GID:3 rules which essentially makes them closed
>>         source, even if they aren't restricted by a contractual
>>         agreement. For instance the Conficker rules are GID:3 and the
>>         recent BIND DoS rule is GID:3
>>
>>
>>     Some rules are written as GID that are non-ms for a reason as
>>     well.  A GID 3 rule (Shared Object) is a rule written in the C
>>     language, not in Snort rules language.  Because they are written
>>     in C they allow the VRT to do extremely complicated things inside
>>     of a rule that are not possible in GID:1 rules.  For example, the
>>     Conficker rule.  There is some very advanced Floating Point math
>>     in that rule.  That type of thing sure can't be done in a GID:1.
>>
>>      
>>
>>         My issue with the way SF operates sometimes is that they
>>         specifically market themselves as Open Source, when really
>>         they are the "most" open of the big IDS engines/rules. I.E.
>>         ISS is completely closed so yeah you are more open than them.
>>         It seems to me if SF/VRT wanted to truly be open source and
>>         community friendly they would release every signature as open
>>         source, save for the ones under a contractual agreement (i.e.
>>         MS rules). If VRT doesn't want to give their work away then
>>         that is also fine, I don't lean one way or another but when
>>         you are marketing yourselves as open source then you need to
>>         live up to that claim.
>>
>>
>>     Some rules can't be done in the normal way, like Confiker, like
>>     Trufflehunter, etc.  That's why the SO rule language was
>>     developed.  Anyone can write an SO rule, just read the
>>     documentation and examples that outline its structure in the Snort
>>     manual.  Sourcefire is a complicated company.  Our engine is open
>>     source.  Most of our rules are open and readable, but you can't
>>     resell them or make them available to anyone else.  The VRT
>>     license was created just before I came to Sourcefire, but from
>>     what I understand, the license was created because several
>>     companies were taking the rules, stripping our copyright out of
>>     them and selling them.
>>      
>>
>>         If I'm wrong about those GID3 rules and the source is
>>         available somewhere then I apologize but I've never been able
>>         to get the source.
>>
>>
>>     Some of the GID3 rules source is available, but I am not exactly
>>     sure which ones, as I haven't looked in a long time (pulledpork
>>     manages my rules for me, saves me all kinds of time in dealing
>>     with shared object rules, as it handles all the shared object
>>     rules automatically)
>>
>>      
>>
>>
>>         Dan
>>
>>         On Sep 8, 2009, at 7:13 PM, Joel Esler wrote:
>>
>>>         SOME of the rules are written that way because of contractual
>>>         agreements with Microsoft under the MAPP program. 
>>>         http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>>>
>>>         However, the vast majority of the VRT rules are open for
>>>         everyone to read.
>>>
>>>         You may discuss the rules and make improvements upon the
>>>         rules on Snort's lists, you may not, however, post or
>>>         distribute the rule.
>>>
>>>         I suggest people A) Check out the License, because clearly
>>>         there is misunderstanding and FUD being spread, and B) Check
>>>         out the rules to clear up the FUD.  (They are closed, we
>>>         can't download them, other misc lies.)
>>>
>>>         It's not about competition between "community" vs.
>>>         "Sourcefire" as some people have tried to make it out to be.
>>>          I wish that would stop.  I discussed this at length in an
>>>         earlier email.
>>>
>>>         That being said...  there are no negative content matches in
>>>         the VRT rule.
>>>
>>>         J
>>>
>>>
>>>
>>>         On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster
>>>         <guise.mcallaster at gmail.com
>>>         <mailto:guise.mcallaster at gmail.com>> wrote:
>>>
>>>             I thought the VRT rules are compiled so you can't see
>>>             them in the clear unless you reverse engineer it and
>>>             reconstruct them.  Am I wrong?  If so, can some one post
>>>             it here?  Matt has a good point about comparing it -- the
>>>             more info we have the better.  Sharing and empowerment is
>>>             what gives the open source community the strength. 
>>>             Unless, of course, you aren't open source and then it is
>>>             all about competitive advantage and money, greed, etc.
>>>
>>>             Guise (a.k.a. G)
>>>
>>>
>>>             On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler
>>>             <eslerj at gmail.com <mailto:eslerj at gmail.com>> wrote:
>>>
>>>                 No, the license would prevent me from posting them.
>>>                  Not from you seeing them.  I am sure plenty of
>>>                 people on this list have a VRT subscription.
>>>
>>>                 No FUD spreading.
>>>
>>>                 J
>>>
>>>
>>>                 On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman
>>>                 <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>>
>>>                 wrote:
>>>
>>>                     :)
>>>
>>>                     The license would prevent us from doing so. Or
>>>                     even seeing them at this
>>>                     point.
>>>
>>>                     If you'd like to post it here so we can compare
>>>                     that'd be appreciated.
>>>
>>>                     Matt
>>>
>>>                     Joel Esler wrote:
>>>                     > FWIW, VRT just put one out if you want to look
>>>                     at it.  It's Gid:1.
>>>                     >
>>>                     > J
>>>                     >
>>>                     > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman
>>>                     <jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>
>>>                     > <mailto:jonkman at jonkmans.com
>>>                     <mailto:jonkman at jonkmans.com>>> wrote:
>>>                     >
>>>                     >     Committed, again all please test. Thanks
>>>                     Jax and Christopher!
>>>                     >
>>>                     >     Matt
>>>                     >
>>>                     >     Campesi, Christopher wrote:
>>>                     >     >  I looked at the results of the sig and
>>>                     it hit way more than I
>>>                     >     expected,
>>>                     >     > sorry about that. I took what Jax replied
>>>                     with and used that as
>>>                     >     the only
>>>                     >     > content match, that resulted in no FPs so
>>>                     far, like he said.
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > alert tcp $EXTERNAL_NET any -> $HOME_NET
>>>                     445 (msg:"Windows7/Vista/2k8
>>>                     >     > SMB2.0 DoS
>>>                     Exploit";flow:to_server,established;content:"|ff|SMB|72
>>>                     >     00 00
>>>                     >     > 00 00 18 53 c8 00
>>>                     >     >
>>>                     >    
>>>                     26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>                     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>>>                     >    
>>>                     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > -Chris
>>>                     >     >
>>>                     >     > *From:*
>>>                     emerging-sigs-bounces at emergingthreats.net
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>                     >    
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net>>
>>>                     >     >
>>>                     [mailto:emerging-sigs-bounces at emergingthreats.net
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net>
>>>                     >    
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net
>>>                     <mailto:emerging-sigs-bounces at emergingthreats.net>>]
>>>                     *On Behalf Of
>>>                     >     > *evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>
>>>                     <mailto:evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>>
>>>                     >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
>>>                     >     > *To:* Matt Jonkman
>>>                     >     > *Cc:* Emerging Threats Signatures
>>>                     >     > *Subject:* Re: [Emerging-Sigs] Remote SMB
>>>                     2.0 DoS Exploit
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > var HOME_NET [10.0.0.0/8
>>>                     <http://10.0.0.0/8> <http://10.0.0.0/8>]
>>>                     >     > var EXTERNAL_NET any
>>>                     >     >
>>>                     >     > RFC1918 -> RFC1918
>>>                     >     >
>>>                     >     > One of many examples, some including
>>>                     >     >
>>>                     >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>>>                     10.96.aa.bb.microsoft-ds: Flags
>>>                     >     > [P.], ack 361669, win 65145, length
>>>                     140SMB PACKET: SMBtrans (REQUEST)
>>>                     >     >
>>>                     >     >         0x0000:  4500 00b4 0a44 4000 7f06
>>>                     05a4 0ad7 cc08
>>>                     >      E....D at .........
>>>                     >     >         0x0010:  0a60 0a1d 106d 01bd e822
>>>                     e07f 6c12 38b1
>>>                     >      .`...m..."..l.8.
>>>                     >     >         0x0020:  5018 fe79 ea77 0000 0000
>>>                     0088 ff53 4d42
>>>                     >      P..y.w.......SMB
>>>                     >     >         0x0030:  2500 0000 0018 07c8 0000
>>>                     6bd5 793b 77d3
>>>                     >      %.........k.y;w.
>>>                     >     >         0x0040:  cf73 0000 0178 f80c 02e0
>>>                     834c 1000 0034
>>>                     >      .s...x.....L...4
>>>                     >     >         0x0050:  0000 0000 0400 0000 0000
>>>                     0000 0000 0000
>>>                     >      ................
>>>                     >     >         0x0060:  0054 0034 0054 0002 0026
>>>                     000e c045 0000
>>>                     >      .T.4.T...&...E..
>>>                     >     >         0x0070:  5c00 5000 4900 5000 4500
>>>                     5c00 0000 0000
>>>                     >      \.P.I.P.E.\.....
>>>                     >     >         0x0080:  0500 0003 1000 0000 3400
>>>                     0000 0f00 0000
>>>                     >      ........4.......
>>>                     >     >         0x0090:  1c00 0000 0000 0d00 0000
>>>                     0000 7599 3ccc
>>>                     >      ............u.<.
>>>                     >     >         0x00a0:  43cd 9348 af53 9c56 e124
>>>                     4201 ffff ffff
>>>                     >      C..H.S.V.$B.....
>>>                     >     >         0x00b0:  007d 0000              
>>>                                      .}..
>>>                     >     >
>>>                     >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>>>                     10.96.aa.bb.microsoft-ds: Flags
>>>                     >     > [P.], ack 362044, win 64770, length
>>>                     132SMB PACKET: SMBtrans (REQUEST)
>>>                     >     >
>>>                     >     >         0x0000:  4500 00ac 0a47 4000 7f06
>>>                     05a9 0ad7 cc08
>>>                     >      E....G at .........
>>>                     >     >         0x0010:  0a60 0a1d 106d 01bd e822
>>>                     e1c2 6c12 3a28
>>>                     >      .`...m..."..l.:(
>>>                     >     >         0x0020:  5018 fd02 0650 0000 0000
>>>                     0080 ff53 4d42
>>>                     >      P....P.......SMB
>>>                     >     >         0x0030:  2500 0000 0018 07c8 0000
>>>                     300c 85e5 0f16
>>>                     >      %.........0.....
>>>                     >     >         0x0040:  a5e5 0000 0178 f80c 02e0
>>>                     444d 1000 002c
>>>                     >      .....x....DM...,
>>>                     >     >         0x0050:  0000 0000 0400 0000 0000
>>>                     0000 0000 0000
>>>                     >      ................
>>>                     >     >         0x0060:  0054 002c 0054 0002 0026
>>>                     0002 c03d 0000
>>>                     >      .T.,.T...&...=..
>>>                     >     >         0x0070:  5c00 5000 4900 5000 4500
>>>                     5c00 0000 0000
>>>                     >      \.P.I.P.E.\.....
>>>                     >     >         0x0080:  0500 0003 1000 0000 2c00
>>>                     0000 1000 0000
>>>                     >      ........,.......
>>>                     >     >         0x0090:  1400 0000 0000 0000 0000
>>>                     0000 7599 3ccc
>>>                     >      ............u.<.
>>>                     >     >         0x00a0:  43cd 9348 af53 9c56 e124
>>>                     4201            C..H.S.V.$B.
>>>                     >     >
>>>                     >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>>>                     10.96.aa.bb.microsoft-ds: Flags
>>>                     >     > [P.], ack 360908, win 64520, length
>>>                     176SMB PACKET: SMBtrans (REQUEST)
>>>                     >     >
>>>                     >     >         0x0000:  4500 00d8 0a3b 4000 7f06
>>>                     0589 0ad7 cc08
>>>                     >      E....;@.........
>>>                     >     >         0x0010:  0a60 0a1d 106d 01bd e822
>>>                     dd36 6c12 35b8
>>>                     >      .`...m...".6l.5.
>>>                     >     >         0x0020:  5018 fc08 877f 0000 0000
>>>                     00ac ff53 4d42
>>>                     >      P............SMB
>>>                     >     >         0x0030:  2500 0000 0018 07c8 0000
>>>                     9f52 3a78 b920
>>>                     >      %..........R:x..
>>>                     >     >         0x0040:  4608 0000 0178 f80c 02e0
>>>                     834a 1000 0058
>>>                     >      F....x.....J...X
>>>                     >     >         0x0050:  0000 0000 0400 0000 0000
>>>                     0000 0000 0000
>>>                     >      ................
>>>                     >     >         0x0060:  0054 0058 0054 0002 0026
>>>                     0009 c069 0000
>>>                     >      .T.X.T...&...i..
>>>                     >     >         0x0070:  5c00 5000 4900 5000 4500
>>>                     5c00 0000 0000
>>>                     >      \.P.I.P.E.\.....
>>>                     >     >         0x0080:  0500 0003 1000 0000 5800
>>>                     0000 0700 0000
>>>                     >      ........X.......
>>>                     >     >         0x0090:  4000 0000 0000 2c00 b028
>>>                     0d00 0a00 0000
>>>                     >      @.....,..(......
>>>                     >     >         (*SNIPPED*)
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > Matt Jonkman wrote:
>>>                     >     >
>>>                     >     > Internal to internal? Or external inbound?
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > Matt
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>
>>>                     <mailto:evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>>
>>>                     >     <mailto:evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>
>>>                     <mailto:evilghost at packetmail.net
>>>                     <mailto:evilghost at packetmail.net>>>
>>>                     >     wrote:
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >     Falsing heavily here, as in, mapping
>>>                     the network.  I can provide
>>>                     >     >
>>>                     >     >     specifics if necessary.
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >     Matt Jonkman wrote:
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >         Thanks Christopher, posted for
>>>                     testing. Please give
>>>                     >     feedback. This is an
>>>                     >     >
>>>                     >     >         ugly problem...
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >         Matt
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >         Campesi, Christopher wrote:
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >             alert tcp $EXTERNAL_NET any
>>>                     -> $HOME_NET 445
>>>                     >     (msg:"Remote SMB2.0 DoS
>>>                     >     >
>>>                     >     >
>>>                     >    
>>>                     Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>>                     >     >
>>>                     >     >
>>>                     >    
>>>                     26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>>                     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>>>                     >    
>>>                     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >            
>>>                     http://securityreason.com/exploitalert/7138
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >             -Chris
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >    
>>>                     ------------------------------------------------------------------------
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >            
>>>                     _______________________________________________
>>>                     >     >
>>>                     >     >             Emerging-sigs mailing list
>>>                     >     >
>>>                     >     >            
>>>                     Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>>
>>>                     >     >
>>>                     >     >
>>>                     >    
>>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >    
>>>                     _______________________________________________
>>>                     >     >
>>>                     >     >     Emerging-sigs mailing list
>>>                     >     >
>>>                     >     >     Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>>
>>>                     >     >
>>>                     >     >    
>>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >
>>>                     >     --
>>>                     >     --------------------------------------------
>>>                     >     Matthew Jonkman
>>>                     >     Emerging Threats
>>>                     >     Open Information Security Foundation (OISF)
>>>                     >     Phone 765-429-0398
>>>                     >     Fax 312-264-0205
>>>                     >     http://www.emergingthreats.net
>>>                     <http://www.emergingthreats.net/>
>>>                     >    
>>>                     http://www.openinformationsecurityfoundation.org
>>>                     <http://www.openinformationsecurityfoundation.org/>
>>>                     >     --------------------------------------------
>>>                     >
>>>                     >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>                     >
>>>                     >
>>>                     >     _______________________________________________
>>>                     >     Emerging-sigs mailing list
>>>                     >     Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >     <mailto:Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>>
>>>                     >    
>>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>                     >
>>>                     >
>>>                     >
>>>                     >
>>>                     ------------------------------------------------------------------------
>>>                     >
>>>                     > _______________________________________________
>>>                     > Emerging-sigs mailing list
>>>                     > Emerging-sigs at emergingthreats.net
>>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>>                     >
>>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>                     --
>>>                     --------------------------------------------
>>>                     Matthew Jonkman
>>>                     Emerging Threats
>>>                     Open Information Security Foundation (OISF)
>>>                     Phone 765-429-0398
>>>                     Fax 312-264-0205
>>>                     http://www.emergingthreats.net
>>>                     <http://www.emergingthreats.net/>
>>>                     http://www.openinformationsecurityfoundation.org
>>>                     <http://www.openinformationsecurityfoundation.org/>
>>>                     --------------------------------------------
>>>
>>>                     PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>>
>>>                 _______________________________________________
>>>                 Emerging-sigs mailing list
>>>                 Emerging-sigs at emergingthreats.net
>>>                 <mailto:Emerging-sigs at emergingthreats.net>
>>>                 http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>>
>>>         _______________________________________________
>>>         Emerging-sigs mailing list
>>>         Emerging-sigs at emergingthreats.net
>>>         <mailto:Emerging-sigs at emergingthreats.net>
>>>         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>>     ------------------------------------------------------------------------
>>     _______________________________________________ Emerging-sigs
>>     mailing list Emerging-sigs at emergingthreats.net
>>     <mailto:Emerging-sigs at emergingthreats.net>
>>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From jonkman at jonkmans.com  Wed Sep  9 07:28:58 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 09 Sep 2009 07:28:58 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <314cf0830909081826u165a0fddk48366c79eb8b8042@mail.gmail.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>	<4AA6A7C3.5060206@jonkmans.com>	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>	<4AA6C760.2060200@jonkmans.com>	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>	<4AA6EC5A.7040705@packetmail.net>	<314cf0830909081748y7244e40ar31bf3f736e685c44@mail.gmail.com>	<ab3c24b60909081809w32b0987eu7b003bba4a06ee42@mail.gmail.com>
	<314cf0830909081826u165a0fddk48366c79eb8b8042@mail.gmail.com>
Message-ID: <4AA7917A.3090509@jonkmans.com>

Joel Esler wrote:
> I think the ET license is currently BSD based.

Yup. Do with it as you please, we (the community) wrote all of it. We
get to use it.

Just if you resell them send me a t-shirt or something for the
administrative effort. :)

> 
>  
> 
>     Matt, can we institute an ET License so the SF/VRT leeches can't
>     legally make money off the hard work of caring and sharing people?
> 
> 
> This is one of the reasons that the OSSRC was founded years ago, to
> coordinate the movement of ET/BS rules into Snort's official sets,
> however, some of the people managing this project have left their jobs
> leaving it limbo.  This is a project that I hope to take up in the
> future and reestablish.
> 

It was actually founded to avoid duplication in the rulesets (I proposed
founded it with jennifer steffens back in the day. Now that girl could
run a community relations program!), but that was pre-VRT I believe.
Once SF went VRT and licensed it as such the OSSRC was no longer of use.

Long long ago (in the first year we did this) we had hoped to use ET to
feed rules into the SF GPL ruleset and the early VRT ruleset. SF
unfortunately ignored us or bashed the work being done as crap. Then VRT
came about a few years later which prevented ET from pushing our rules
to the SF ruleset because of 1) copyright assignment and 2) the
community would have thrown a sh*t-fit over their free work being resold
via VRT for a profit. Plus OSSRC was completely neglected by the SF
folks that took on tasks. It fell out of use and was dropped officially
by ET (then Bleeding Snort) years ago.

The OSSRC is in it's original form and goal is useless as no one wants
to funnel rules into VRT (legally or by preference). We no longer have a
need to avoid duplication as the ET ruleset is there to serve not only
VRT subscribers, but also non-subscribers. So we go for coverage of
critical issues even if VRT has or may in the future release a sig.
Actually we go for whatever anyone wants to write a reasonable sig for.
Which will be 100% of important issues.

Only thing I could see would be using the OSSRC to publish a list of
sigs that have very similar function (not calling one more effective
than the other necessarily) allowing the user to automate dropping one
sig to avoid duplication of processing. I don't know how much need there
is for such a thing though. But I'm willing to go at it if SF follows
through this time.

Side thought: SF ought to consider a royalty sharing program for
community sigs. Take in good ones from authors willing to assign
copyright and offer a percentage of royalties each year. If an author
contributes (in round numbers) 2 sigs into a 10,000 sig ruleset they'd
gain 2/10,000's of the gross revenue as long as the sig as in the
ruleset. Prorated of course the first year.

>  
> 
>     It seems like all this, "VRT just put one out if you want to look at
>     it" talk is really is snake oil b/c there really isn't a way to
>     "look at it" (and even if you are a VRT subscriber, can you see the
>     plaintext (i.e. uncompiled) rule?).
> 
> 
> Yes.  Except for some of the SO rules (as previously discussed), you can
> look at every rule that is in the VRT set the same as you would the ET
> rules.  Who do you think made the rule language up?  

But in 30 days is his point. We can't look at them now. (nor should we,
to avoid IP lawsuits)


> 
>  
> 
>     Please post it J, since you have already announced its existence and
>     implored us to check it out.
> 
> 
> I legally cannot.  I'd like to keep my job. :)


:)

Matt

> 
>  
> 
> 
>     *G*
> 
> 
>     On Wed, Sep 9, 2009 at 12:48 AM, Joel Esler <eslerj at gmail.com
>     <mailto:eslerj at gmail.com>> wrote:
> 
>         On Tue, Sep 8, 2009 at 7:44 PM, evilghost at packetmail.net
>         <mailto:evilghost at packetmail.net> <evilghost at packetmail.net
>         <mailto:evilghost at packetmail.net>> wrote:
> 
>             Thanks Joel for clearing this up.  Where can I get a copy of
>             this rule so that, as a community, improvements can be made?  
> 
>          
>         The rule is available in the subscriber set until the 30 days is
>         expired.
> 
>          
> 
>             Since these rules are centered around a subscription model
>             is there a community-centric subscription where improvements
>             can be made (as suggested)?  
> 
> 
>         I believe the license states that if improvements are made to
>         the VRT ruleset then the rights belong to Sourcefire.  The VRT
>         ruleset is not a GPL license.
> 
>          
> 
>             For example, should improvements be made to this rule, as a
>             derivative from the VRT rule, would I be eligible for
>             compensation or are the benefits of community efforts only
>             one-sided and beneficial to SourceFire? 
> 
> 
>         The benefits are, if you make improvements to the rule, they are
>         submitted to VRT, where they are throughly tested against
>         millions upon millions of types of traffic and data.  Then they
>         are redistributed to the community through the VRT subscription.
>          
> 
>             I'm guessing I can't get a copy of this rule unless I wait
>             30+ days or start throwing cash at SourceFire?
> 
> 
>         Correct.
>          
> 
>             I'm certainly not trying to insult you on a personal level
>             but tell me how I can download the VRT rule for analysis? 
>             Ya'll (SourceFire) spin this "community" stuff but honestly
>             my back is hurting from these "community" friendly companies
>             standing on my shoulders while rifling through my pockets.
> 
> 
>         We aren't charging you for using Snort, I don't see how we are
>         rifling through your pockets?
> 
>          
> 
>             IMHO the "VRT has this" was spam, likely that wasn't the
>             intent, but all it did was advertise VRT and create
>             questions around licensing conditions.  
> 
> 
>         Exactly why I said "FWIW" in the beginning of the rule.  As I
>         said, there are plenty of people that have the subscription on
>         this list, and they can benefit from the 29 bucks we charge for
>         a single license.
> 
>          
> 
>             Rather than pointing us to a snipe-hunt in a
>             subscription-based licensed model I'd find more value in
>             actual content :)
> 
> 
>         Sorry you feel that way.  The license prohibits me from
>         disclosing the rule.  As I previously stated.
> 
>          
> 
> 
>             -evilghost
> 
> 
>             Joel Esler wrote:
>>             SOME of the rules are written that way because of
>>             contractual agreements with Microsoft under the MAPP
>>             program. 
>>             http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
>>
>>             However, the vast majority of the VRT rules are open for
>>             everyone to read.
>>
>>             You may discuss the rules and make improvements upon the
>>             rules on Snort's lists, you may not, however, post or
>>             distribute the rule.
>>
>>             I suggest people A) Check out the License, because clearly
>>             there is misunderstanding and FUD being spread, and B)
>>             Check out the rules to clear up the FUD.  (They are
>>             closed, we can't download them, other misc lies.)
>>
>>             It's not about competition between "community" vs.
>>             "Sourcefire" as some people have tried to make it out to
>>             be.  I wish that would stop.  I discussed this at length
>>             in an earlier email.
>>
>>             That being said...  there are no negative content matches
>>             in the VRT rule.
>>
>>             J
>>
>>
>>
>>             On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster
>>             <guise.mcallaster at gmail.com
>>             <mailto:guise.mcallaster at gmail.com>> wrote:
>>
>>                 I thought the VRT rules are compiled so you can't see
>>                 them in the clear unless you reverse engineer it and
>>                 reconstruct them.  Am I wrong?  If so, can some one
>>                 post it here?  Matt has a good point about comparing
>>                 it -- the more info we have the better.  Sharing and
>>                 empowerment is what gives the open source community
>>                 the strength.  Unless, of course, you aren't open
>>                 source and then it is all about competitive advantage
>>                 and money, greed, etc.
>>
>>                 Guise (a.k.a. G)
>>
>>
>>                 On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler
>>                 <eslerj at gmail.com <mailto:eslerj at gmail.com>> wrote:
>>
>>                     No, the license would prevent me from posting
>>                     them.  Not from you seeing them.  I am sure plenty
>>                     of people on this list have a VRT subscription.
>>
>>                     No FUD spreading.
>>
>>                     J
>>
>>
>>                     On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman
>>                     <jonkman at jonkmans.com
>>                     <mailto:jonkman at jonkmans.com>> wrote:
>>
>>                         :)
>>
>>                         The license would prevent us from doing so. Or
>>                         even seeing them at this
>>                         point.
>>
>>                         If you'd like to post it here so we can
>>                         compare that'd be appreciated.
>>
>>                         Matt
>>
>>                         Joel Esler wrote:
>>                         > FWIW, VRT just put one out if you want to
>>                         look at it.  It's Gid:1.
>>                         >
>>                         > J
>>                         >
>>                         > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman
>>                         <jonkman at jonkmans.com
>>                         <mailto:jonkman at jonkmans.com>
>>                         > <mailto:jonkman at jonkmans.com
>>                         <mailto:jonkman at jonkmans.com>>> wrote:
>>                         >
>>                         >     Committed, again all please test. Thanks
>>                         Jax and Christopher!
>>                         >
>>                         >     Matt
>>                         >
>>                         >     Campesi, Christopher wrote:
>>                         >     >  I looked at the results of the sig
>>                         and it hit way more than I
>>                         >     expected,
>>                         >     > sorry about that. I took what Jax
>>                         replied with and used that as
>>                         >     the only
>>                         >     > content match, that resulted in no FPs
>>                         so far, like he said.
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     > alert tcp $EXTERNAL_NET any ->
>>                         $HOME_NET 445 (msg:"Windows7/Vista/2k8
>>                         >     > SMB2.0 DoS
>>                         Exploit";flow:to_server,established;content:"|ff|SMB|72
>>                         >     00 00
>>                         >     > 00 00 18 53 c8 00
>>                         >     >
>>                         >    
>>                         26|";offset:4;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>                         <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>>                         >    
>>                         <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     > -Chris
>>                         >     >
>>                         >     > *From:*
>>                         emerging-sigs-bounces at emergingthreats.net
>>                         <mailto:emerging-sigs-bounces at emergingthreats.net>
>>                         >    
>>                         <mailto:emerging-sigs-bounces at emergingthreats.net
>>                         <mailto:emerging-sigs-bounces at emergingthreats.net>>
>>                         >     >
>>                         [mailto:emerging-sigs-bounces at emergingthreats.net
>>                         <mailto:emerging-sigs-bounces at emergingthreats.net>
>>                         >    
>>                         <mailto:emerging-sigs-bounces at emergingthreats.net
>>                         <mailto:emerging-sigs-bounces at emergingthreats.net>>]
>>                         *On Behalf Of
>>                         >     > *evilghost at packetmail.net
>>                         <mailto:evilghost at packetmail.net>
>>                         <mailto:evilghost at packetmail.net
>>                         <mailto:evilghost at packetmail.net>>
>>                         >     > *Sent:* Tuesday, September 08, 2009
>>                         2:20 PM
>>                         >     > *To:* Matt Jonkman
>>                         >     > *Cc:* Emerging Threats Signatures
>>                         >     > *Subject:* Re: [Emerging-Sigs] Remote
>>                         SMB 2.0 DoS Exploit
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     > var HOME_NET [10.0.0.0/8
>>                         <http://10.0.0.0/8> <http://10.0.0.0/8>]
>>                         >     > var EXTERNAL_NET any
>>                         >     >
>>                         >     > RFC1918 -> RFC1918
>>                         >     >
>>                         >     > One of many examples, some including
>>                         >     >
>>                         >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
>>                         10.96.aa.bb.microsoft-ds: Flags
>>                         >     > [P.], ack 361669, win 65145, length
>>                         140SMB PACKET: SMBtrans (REQUEST)
>>                         >     >
>>                         >     >         0x0000:  4500 00b4 0a44 4000
>>                         7f06 05a4 0ad7 cc08
>>                         >      E....D at .........
>>                         >     >         0x0010:  0a60 0a1d 106d 01bd
>>                         e822 e07f 6c12 38b1
>>                         >      .`...m..."..l.8.
>>                         >     >         0x0020:  5018 fe79 ea77 0000
>>                         0000 0088 ff53 4d42
>>                         >      P..y.w.......SMB
>>                         >     >         0x0030:  2500 0000 0018 07c8
>>                         0000 6bd5 793b 77d3
>>                         >      %.........k.y;w.
>>                         >     >         0x0040:  cf73 0000 0178 f80c
>>                         02e0 834c 1000 0034
>>                         >      .s...x.....L...4
>>                         >     >         0x0050:  0000 0000 0400 0000
>>                         0000 0000 0000 0000
>>                         >      ................
>>                         >     >         0x0060:  0054 0034 0054 0002
>>                         0026 000e c045 0000
>>                         >      .T.4.T...&...E..
>>                         >     >         0x0070:  5c00 5000 4900 5000
>>                         4500 5c00 0000 0000
>>                         >      \.P.I.P.E.\.....
>>                         >     >         0x0080:  0500 0003 1000 0000
>>                         3400 0000 0f00 0000
>>                         >      ........4.......
>>                         >     >         0x0090:  1c00 0000 0000 0d00
>>                         0000 0000 7599 3ccc
>>                         >      ............u.<.
>>                         >     >         0x00a0:  43cd 9348 af53 9c56
>>                         e124 4201 ffff ffff
>>                         >      C..H.S.V.$B.....
>>                         >     >         0x00b0:  007d 0000            
>>                                            .}..
>>                         >     >
>>                         >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
>>                         10.96.aa.bb.microsoft-ds: Flags
>>                         >     > [P.], ack 362044, win 64770, length
>>                         132SMB PACKET: SMBtrans (REQUEST)
>>                         >     >
>>                         >     >         0x0000:  4500 00ac 0a47 4000
>>                         7f06 05a9 0ad7 cc08
>>                         >      E....G at .........
>>                         >     >         0x0010:  0a60 0a1d 106d 01bd
>>                         e822 e1c2 6c12 3a28
>>                         >      .`...m..."..l.:(
>>                         >     >         0x0020:  5018 fd02 0650 0000
>>                         0000 0080 ff53 4d42
>>                         >      P....P.......SMB
>>                         >     >         0x0030:  2500 0000 0018 07c8
>>                         0000 300c 85e5 0f16
>>                         >      %.........0.....
>>                         >     >         0x0040:  a5e5 0000 0178 f80c
>>                         02e0 444d 1000 002c
>>                         >      .....x....DM...,
>>                         >     >         0x0050:  0000 0000 0400 0000
>>                         0000 0000 0000 0000
>>                         >      ................
>>                         >     >         0x0060:  0054 002c 0054 0002
>>                         0026 0002 c03d 0000
>>                         >      .T.,.T...&...=..
>>                         >     >         0x0070:  5c00 5000 4900 5000
>>                         4500 5c00 0000 0000
>>                         >      \.P.I.P.E.\.....
>>                         >     >         0x0080:  0500 0003 1000 0000
>>                         2c00 0000 1000 0000
>>                         >      ........,.......
>>                         >     >         0x0090:  1400 0000 0000 0000
>>                         0000 0000 7599 3ccc
>>                         >      ............u.<.
>>                         >     >         0x00a0:  43cd 9348 af53 9c56
>>                         e124 4201            C..H.S.V.$B.
>>                         >     >
>>                         >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
>>                         10.96.aa.bb.microsoft-ds: Flags
>>                         >     > [P.], ack 360908, win 64520, length
>>                         176SMB PACKET: SMBtrans (REQUEST)
>>                         >     >
>>                         >     >         0x0000:  4500 00d8 0a3b 4000
>>                         7f06 0589 0ad7 cc08
>>                         >      E....;@.........
>>                         >     >         0x0010:  0a60 0a1d 106d 01bd
>>                         e822 dd36 6c12 35b8
>>                         >      .`...m...".6l.5.
>>                         >     >         0x0020:  5018 fc08 877f 0000
>>                         0000 00ac ff53 4d42
>>                         >      P............SMB
>>                         >     >         0x0030:  2500 0000 0018 07c8
>>                         0000 9f52 3a78 b920
>>                         >      %..........R:x..
>>                         >     >         0x0040:  4608 0000 0178 f80c
>>                         02e0 834a 1000 0058
>>                         >      F....x.....J...X
>>                         >     >         0x0050:  0000 0000 0400 0000
>>                         0000 0000 0000 0000
>>                         >      ................
>>                         >     >         0x0060:  0054 0058 0054 0002
>>                         0026 0009 c069 0000
>>                         >      .T.X.T...&...i..
>>                         >     >         0x0070:  5c00 5000 4900 5000
>>                         4500 5c00 0000 0000
>>                         >      \.P.I.P.E.\.....
>>                         >     >         0x0080:  0500 0003 1000 0000
>>                         5800 0000 0700 0000
>>                         >      ........X.......
>>                         >     >         0x0090:  4000 0000 0000 2c00
>>                         b028 0d00 0a00 0000
>>                         >      @.....,..(......
>>                         >     >         (*SNIPPED*)
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     > Matt Jonkman wrote:
>>                         >     >
>>                         >     > Internal to internal? Or external inbound?
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     > Matt
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     > evilghost at packetmail.net
>>                         <mailto:evilghost at packetmail.net>
>>                         <mailto:evilghost at packetmail.net
>>                         <mailto:evilghost at packetmail.net>>
>>                         >     <mailto:evilghost at packetmail.net
>>                         <mailto:evilghost at packetmail.net>
>>                         <mailto:evilghost at packetmail.net
>>                         <mailto:evilghost at packetmail.net>>>
>>                         >     wrote:
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >     Falsing heavily here, as in,
>>                         mapping the network.  I can provide
>>                         >     >
>>                         >     >     specifics if necessary.
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >     Matt Jonkman wrote:
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >         Thanks Christopher, posted for
>>                         testing. Please give
>>                         >     feedback. This is an
>>                         >     >
>>                         >     >         ugly problem...
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >         Matt
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >         Campesi, Christopher wrote:
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >             alert tcp $EXTERNAL_NET
>>                         any -> $HOME_NET 445
>>                         >     (msg:"Remote SMB2.0 DoS
>>                         >     >
>>                         >     >
>>                         >    
>>                         Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
>>                         >     >
>>                         >     >
>>                         >    
>>                         26|";distance:7;classtype:attempted-dos;reference:url,securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
>>                         <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
>>                         >    
>>                         <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >            
>>                         http://securityreason.com/exploitalert/7138
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >             -Chris
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >    
>>                         ------------------------------------------------------------------------
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >            
>>                         _______________________________________________
>>                         >     >
>>                         >     >             Emerging-sigs mailing list
>>                         >     >
>>                         >     >            
>>                         Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>
>>                         >    
>>                         <mailto:Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>>
>>                         >    
>>                         <mailto:Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>
>>                         >    
>>                         <mailto:Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>>>
>>                         >     >
>>                         >     >
>>                         >    
>>                         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >    
>>                         _______________________________________________
>>                         >     >
>>                         >     >     Emerging-sigs mailing list
>>                         >     >
>>                         >     >     Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>
>>                         >    
>>                         <mailto:Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>>
>>                         >    
>>                         <mailto:Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>
>>                         >    
>>                         <mailto:Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>>>
>>                         >     >
>>                         >     >    
>>                         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >     >
>>                         >
>>                         >     --
>>                         >     --------------------------------------------
>>                         >     Matthew Jonkman
>>                         >     Emerging Threats
>>                         >     Open Information Security Foundation (OISF)
>>                         >     Phone 765-429-0398
>>                         >     Fax 312-264-0205
>>                         >     http://www.emergingthreats.net
>>                         >    
>>                         http://www.openinformationsecurityfoundation.org
>>                         >     --------------------------------------------
>>                         >
>>                         >     PGP: http://www.jonkmans.com/mattjonkman.asc
>>                         >
>>                         >
>>                         >    
>>                         _______________________________________________
>>                         >     Emerging-sigs mailing list
>>                         >     Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>
>>                         >    
>>                         <mailto:Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>>
>>                         >    
>>                         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>                         >
>>                         >
>>                         >
>>                         >
>>                         ------------------------------------------------------------------------
>>                         >
>>                         > _______________________________________________
>>                         > Emerging-sigs mailing list
>>                         > Emerging-sigs at emergingthreats.net
>>                         <mailto:Emerging-sigs at emergingthreats.net>
>>                         >
>>                         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>                         --
>>                         --------------------------------------------
>>                         Matthew Jonkman
>>                         Emerging Threats
>>                         Open Information Security Foundation (OISF)
>>                         Phone 765-429-0398
>>                         Fax 312-264-0205
>>                         http://www.emergingthreats.net
>>                         http://www.openinformationsecurityfoundation.org
>>                         --------------------------------------------
>>
>>                         PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>>
>>                     _______________________________________________
>>                     Emerging-sigs mailing list
>>                     Emerging-sigs at emergingthreats.net
>>                     <mailto:Emerging-sigs at emergingthreats.net>
>>                     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>>
>>             ------------------------------------------------------------------------
>>             _______________________________________________
>>             Emerging-sigs mailing list
>>             Emerging-sigs at emergingthreats.net
>>             <mailto:Emerging-sigs at emergingthreats.net>
>>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
> 
>             _______________________________________________
>             Emerging-sigs mailing list
>             Emerging-sigs at emergingthreats.net
>             <mailto:Emerging-sigs at emergingthreats.net>
>             http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> 
> 
>         _______________________________________________
>         Emerging-sigs mailing list
>         Emerging-sigs at emergingthreats.net
>         <mailto:Emerging-sigs at emergingthreats.net>
>         http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From jonkman at jonkmans.com  Wed Sep  9 07:52:38 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 09 Sep 2009 07:52:38 -0400
Subject: [Emerging-Sigs] TCP/IP 0 window Dos sig attempt
In-Reply-To: <1252460800.55402.219.camel@localhost>
References: <e75cc74a0909081803m1b2456acmdc57852708599488@mail.gmail.com>
	<1252460800.55402.219.camel@localhost>
Message-ID: <4AA79706.1000701@jonkmans.com>

Going from faded memory, I think we found that on even well built
networks there are MANY packets that fit this sig. Network-aware
hardware devices with crappy stacks, overworked windows file server, etc.

I believe we did threshold it and still had massive FPs.

But please test and let me know how it runs now.

Matt

Frank Knobbe wrote:
> On Wed, 2009-09-09 at 02:03 +0100, Kevin Ross wrote:
>> I am unsure of this sig big time for accuracy and false positives.
>> However; I still thought I might have a go :) Anyhoo what I have here
>> is a window size of 0 (not sure if flags are needed as I guess it
>> could be anything) then a large number of them to a single destination
>> (though I am unsure how many and how fast the connections can be made
>> to exhaust connections).
> 
> 
> We tried something like this a year ago when the vulnerability was first
> made public. As I recall, it didn't work. But I don't remember if there
> was a threshold on it. Why don't you test it for a bit and see how many
> FPs you get? :)
> 
> -Frank
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



From eslerj at gmail.com  Wed Sep  9 08:03:20 2009
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 9 Sep 2009 08:03:20 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA78CED.4080807@jonkmans.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA68A81.40302@packetmail.net> <4AA698A1.1050104@jonkmans.com>
	<4AA6A04F.8060607@packetmail.net>
	<42B385D58FF26F49B29F22205CF94BE7018A5D09@BENDER.centenarycollege.edu>
	<4AA6A7C3.5060206@jonkmans.com>
	<314cf0830909081154g10f3d8b3me9f9bfceb5dcbd9d@mail.gmail.com>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<4AA78CED.4080807@jonkmans.com>
Message-ID: <314cf0830909090503j23976c36o36450a9f8f161b30@mail.gmail.com>

On Wed, Sep 9, 2009 at 7:09 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> Didn't mean to let my comment become a bash SF thread. Although
> officially that is the only target of bashing allowed on the ET lists... :)
>
> You have an official "Bash SF" policy on ET?  Geez, I better leave ;)



> My point was that asking us to look at the VRT sig to compare is
> illegal. We cannot look at the VRT rules while we do our own development
> lest we be sued for copyright infringement, even though our public
> development started prior to any public discussion SF made available.
>

I wasn't suggesting that you do development based on the VRT rule.  I just
stated that one is out.  We share subscribers.


> I fully understand why SF has the license it does on the VRT ruleset.
> VRT is not open source, nor free for the world. It's a ruleset that's
> highly tested and built at a cost in man hours that SF intends to
> recoup. Thats business, that's perfectly fair.
>

They are free.  After the 30 days.  That's it.



> I don't subscribe nor use VRT very often so as not to be accused of
> copyright infringement in the work we do at ET. I don't see them nor
> develop based on them.
>

Same reason that VRT is not on this list nor looks at ET.  Mutual
exclusivity.  It's also the reason that OSSRC was established is to have
people that bridge the gap.


> I realize you were probably trying to help, or point out that VRT had a
> rule as well Joel. But we can't look at them, share them, compare to
> them, or develop based on them. So thanks, but we can't. Don't want to
> blow all of our support money fighting the legal team of a multi-million
> dollar company. :)
>
> Matt
>
>
> Joel Esler wrote:
> > No, the license would prevent me from posting them.  Not from you seeing
> > them.  I am sure plenty of people on this list have a VRT subscription.
> >
> > No FUD spreading.
> >
> > J
> >
> > On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman <jonkman at jonkmans.com
> > <mailto:jonkman at jonkmans.com>> wrote:
> >
> >     :)
> >
> >     The license would prevent us from doing so. Or even seeing them at
> this
> >     point.
> >
> >     If you'd like to post it here so we can compare that'd be
> appreciated.
> >
> >     Matt
> >
> >     Joel Esler wrote:
> >     > FWIW, VRT just put one out if you want to look at it.  It's Gid:1.
> >     >
> >     > J
> >     >
> >     > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman <jonkman at jonkmans.com
> >     <mailto:jonkman at jonkmans.com>
> >     > <mailto:jonkman at jonkmans.com <mailto:jonkman at jonkmans.com>>>
> wrote:
> >     >
> >     >     Committed, again all please test. Thanks Jax and Christopher!
> >     >
> >     >     Matt
> >     >
> >     >     Campesi, Christopher wrote:
> >     >     >  I looked at the results of the sig and it hit way more than
> I
> >     >     expected,
> >     >     > sorry about that. I took what Jax replied with and used that
> as
> >     >     the only
> >     >     > content match, that resulted in no FPs so far, like he said.
> >     >     >
> >     >     >
> >     >     >
> >     >     > alert tcp $EXTERNAL_NET any -> $HOME_NET 445
> >     (msg:"Windows7/Vista/2k8
> >     >     > SMB2.0 DoS
> >     Exploit";flow:to_server,established;content:"|ff|SMB|72
> >     >     00 00
> >     >     > 00 00 18 53 c8 00
> >     >     >
> >     >
> >     26|";offset:4;classtype:attempted-dos;reference:url,
> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
> >     >
> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
> >     >     >
> >     >     >
> >     >     >
> >     >     > -Chris
> >     >     >
> >     >     > *From:* emerging-sigs-bounces at emergingthreats.net
> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
> >     >     <mailto:emerging-sigs-bounces at emergingthreats.net
> >     <mailto:emerging-sigs-bounces at emergingthreats.net>>
> >     >     > [mailto:emerging-sigs-bounces at emergingthreats.net
> >     <mailto:emerging-sigs-bounces at emergingthreats.net>
> >     >     <mailto:emerging-sigs-bounces at emergingthreats.net
> >     <mailto:emerging-sigs-bounces at emergingthreats.net>>] *On Behalf Of
> >     >     > *evilghost at packetmail.net <mailto:evilghost at packetmail.net>
> >     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net>>
> >     >     > *Sent:* Tuesday, September 08, 2009 2:20 PM
> >     >     > *To:* Matt Jonkman
> >     >     > *Cc:* Emerging Threats Signatures
> >     >     > *Subject:* Re: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
> >     >     >
> >     >     >
> >     >     >
> >     >     > var HOME_NET [10.0.0.0/8 <http://10.0.0.0/8>
> >     <http://10.0.0.0/8>]
> >     >     > var EXTERNAL_NET any
> >     >     >
> >     >     > RFC1918 -> RFC1918
> >     >     >
> >     >     > One of many examples, some including
> >     >     >
> >     >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
> >     10.96.aa.bb.microsoft-ds: Flags
> >     >     > [P.], ack 361669, win 65145, length 140SMB PACKET: SMBtrans
> >     (REQUEST)
> >     >     >
> >     >     >         0x0000:  4500 00b4 0a44 4000 7f06 05a4 0ad7 cc08
> >     >      E....D at .........
> >     >     >         0x0010:  0a60 0a1d 106d 01bd e822 e07f 6c12 38b1
> >     >      .`...m..."..l.8.
> >     >     >         0x0020:  5018 fe79 ea77 0000 0000 0088 ff53 4d42
> >     >      P..y.w.......SMB
> >     >     >         0x0030:  2500 0000 0018 07c8 0000 6bd5 793b 77d3
> >     >      %.........k.y;w.
> >     >     >         0x0040:  cf73 0000 0178 f80c 02e0 834c 1000 0034
> >     >      .s...x.....L...4
> >     >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >     >      ................
> >     >     >         0x0060:  0054 0034 0054 0002 0026 000e c045 0000
> >     >      .T.4.T...&...E..
> >     >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >     >      \.P.I.P.E.\.....
> >     >     >         0x0080:  0500 0003 1000 0000 3400 0000 0f00 0000
> >     >      ........4.......
> >     >     >         0x0090:  1c00 0000 0000 0d00 0000 0000 7599 3ccc
> >     >      ............u.<.
> >     >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201 ffff ffff
> >     >      C..H.S.V.$B.....
> >     >     >         0x00b0:  007d 0000
>  .}..
> >     >     >
> >     >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
> >     10.96.aa.bb.microsoft-ds: Flags
> >     >     > [P.], ack 362044, win 64770, length 132SMB PACKET: SMBtrans
> >     (REQUEST)
> >     >     >
> >     >     >         0x0000:  4500 00ac 0a47 4000 7f06 05a9 0ad7 cc08
> >     >      E....G at .........
> >     >     >         0x0010:  0a60 0a1d 106d 01bd e822 e1c2 6c12 3a28
> >     >      .`...m..."..l.:(
> >     >     >         0x0020:  5018 fd02 0650 0000 0000 0080 ff53 4d42
> >     >      P....P.......SMB
> >     >     >         0x0030:  2500 0000 0018 07c8 0000 300c 85e5 0f16
> >     >      %.........0.....
> >     >     >         0x0040:  a5e5 0000 0178 f80c 02e0 444d 1000 002c
> >     >      .....x....DM...,
> >     >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >     >      ................
> >     >     >         0x0060:  0054 002c 0054 0002 0026 0002 c03d 0000
> >     >      .T.,.T...&...=..
> >     >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >     >      \.P.I.P.E.\.....
> >     >     >         0x0080:  0500 0003 1000 0000 2c00 0000 1000 0000
> >     >      ........,.......
> >     >     >         0x0090:  1400 0000 0000 0000 0000 0000 7599 3ccc
> >     >      ............u.<.
> >     >     >         0x00a0:  43cd 9348 af53 9c56 e124 4201
> >      C..H.S.V.$B.
> >     >     >
> >     >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
> >     10.96.aa.bb.microsoft-ds: Flags
> >     >     > [P.], ack 360908, win 64520, length 176SMB PACKET: SMBtrans
> >     (REQUEST)
> >     >     >
> >     >     >         0x0000:  4500 00d8 0a3b 4000 7f06 0589 0ad7 cc08
> >     >      E....;@.........
> >     >     >         0x0010:  0a60 0a1d 106d 01bd e822 dd36 6c12 35b8
> >     >      .`...m...".6l.5.
> >     >     >         0x0020:  5018 fc08 877f 0000 0000 00ac ff53 4d42
> >     >      P............SMB
> >     >     >         0x0030:  2500 0000 0018 07c8 0000 9f52 3a78 b920
> >     >      %..........R:x..
> >     >     >         0x0040:  4608 0000 0178 f80c 02e0 834a 1000 0058
> >     >      F....x.....J...X
> >     >     >         0x0050:  0000 0000 0400 0000 0000 0000 0000 0000
> >     >      ................
> >     >     >         0x0060:  0054 0058 0054 0002 0026 0009 c069 0000
> >     >      .T.X.T...&...i..
> >     >     >         0x0070:  5c00 5000 4900 5000 4500 5c00 0000 0000
> >     >      \.P.I.P.E.\.....
> >     >     >         0x0080:  0500 0003 1000 0000 5800 0000 0700 0000
> >     >      ........X.......
> >     >     >         0x0090:  4000 0000 0000 2c00 b028 0d00 0a00 0000
> >     >      @.....,..(......
> >     >     >         (*SNIPPED*)
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     > Matt Jonkman wrote:
> >     >     >
> >     >     > Internal to internal? Or external inbound?
> >     >     >
> >     >     >
> >     >     >
> >     >     > Matt
> >     >     >
> >     >     >
> >     >     >
> >     >     > evilghost at packetmail.net <mailto:evilghost at packetmail.net>
> >     <mailto:evilghost at packetmail.net <mailto:evilghost at packetmail.net>>
> >     >     <mailto:evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net> <mailto:evilghost at packetmail.net
> >     <mailto:evilghost at packetmail.net>>>
> >     >     wrote:
> >     >     >
> >     >     >
> >     >     >
> >     >     >     Falsing heavily here, as in, mapping the network.  I can
> >     provide
> >     >     >
> >     >     >     specifics if necessary.
> >     >     >
> >     >     >
> >     >     >
> >     >     >     Matt Jonkman wrote:
> >     >     >
> >     >     >
> >     >     >
> >     >     >         Thanks Christopher, posted for testing. Please give
> >     >     feedback. This is an
> >     >     >
> >     >     >         ugly problem...
> >     >     >
> >     >     >
> >     >     >
> >     >     >         Matt
> >     >     >
> >     >     >
> >     >     >
> >     >     >         Campesi, Christopher wrote:
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >             alert tcp $EXTERNAL_NET any -> $HOME_NET 445
> >     >     (msg:"Remote SMB2.0 DoS
> >     >     >
> >     >     >
> >     >
> >
> Exploit";flow:to_server,established;content:"|00|";offset:0;content:"|ff|SMB";distance:3;content:"|00
> >     >     >
> >     >     >
> >     >
> >     26|";distance:7;classtype:attempted-dos;reference:url,
> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
> >     >
> >     <http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >             http://securityreason.com/exploitalert/7138
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >             -Chris
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >
> >
> ------------------------------------------------------------------------
> >     >     >
> >     >     >
> >     >     >
> >     >     >             _______________________________________________
> >     >     >
> >     >     >             Emerging-sigs mailing list
> >     >     >
> >     >     >             Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>>
> >     >     >
> >     >     >
> >     >
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >     _______________________________________________
> >     >     >
> >     >     >     Emerging-sigs mailing list
> >     >     >
> >     >     >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>>
> >     >     >
> >     >     >
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >
> >     >     --
> >     >     --------------------------------------------
> >     >     Matthew Jonkman
> >     >     Emerging Threats
> >     >     Open Information Security Foundation (OISF)
> >     >     Phone 765-429-0398
> >     >     Fax 312-264-0205
> >     >     http://www.emergingthreats.net
> >     >     http://www.openinformationsecurityfoundation.org
> >     >     --------------------------------------------
> >     >
> >     >     PGP: http://www.jonkmans.com/mattjonkman.asc
> >     >
> >     >
> >     >     _______________________________________________
> >     >     Emerging-sigs mailing list
> >     >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     >     <mailto:Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>>
> >     >
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >
> >     >
> >     >
> >     >
> >
> ------------------------------------------------------------------------
> >     >
> >     > _______________________________________________
> >     > Emerging-sigs mailing list
> >     > Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >     --
> >     --------------------------------------------
> >     Matthew Jonkman
> >     Emerging Threats
> >     Open Information Security Foundation (OISF)
> >     Phone 765-429-0398
> >     Fax 312-264-0205
> >     http://www.emergingthreats.net
> >     http://www.openinformationsecurityfoundation.org
> >     --------------------------------------------
> >
> >     PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090909/24702c79/attachment-0001.html

From eslerj at gmail.com  Wed Sep  9 08:15:35 2009
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 9 Sep 2009 08:15:35 -0400
Subject: [Emerging-Sigs] Remote SMB 2.0 DoS Exploit
In-Reply-To: <4AA7917A.3090509@jonkmans.com>
References: <42B385D58FF26F49B29F22205CF94BE7018A5A09@BENDER.centenarycollege.edu>
	<4AA6C760.2060200@jonkmans.com>
	<314cf0830909081458i29b6939ar878ef6736014ffe3@mail.gmail.com>
	<ab3c24b60909081525s3e1ea59bsd911724401e08935@mail.gmail.com>
	<314cf0830909081613o657e0f00p323f2c210f37918@mail.gmail.com>
	<4AA6EC5A.7040705@packetmail.net>
	<314cf0830909081748y7244e40ar31bf3f736e685c44@mail.gmail.com>
	<ab3c24b60909081809w32b0987eu7b003bba4a06ee42@mail.gmail.com>
	<314cf0830909081826u165a0fddk48366c79eb8b8042@mail.gmail.com>
	<4AA7917A.3090509@jonkmans.com>
Message-ID: <314cf0830909090515q455926f8s340456c41049f0cf@mail.gmail.com>

On Wed, Sep 9, 2009 at 7:28 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> Joel Esler wrote:
> > I think the ET license is currently BSD based.
>
> Yup. Do with it as you please, we (the community) wrote all of it. We
> get to use it.
>
> Just if you resell them send me a t-shirt or something for the
> administrative effort. :)
>
> >
> >
> >
> >     Matt, can we institute an ET License so the SF/VRT leeches can't
> >     legally make money off the hard work of caring and sharing people?
> >
> >
> > This is one of the reasons that the OSSRC was founded years ago, to
> > coordinate the movement of ET/BS rules into Snort's official sets,
> > however, some of the people managing this project have left their jobs
> > leaving it limbo.  This is a project that I hope to take up in the
> > future and reestablish.
> >
>
> It was actually founded to avoid duplication in the rulesets (I proposed
> founded it with jennifer steffens back in the day. Now that girl could
> run a community relations program!), but that was pre-VRT I believe.
> Once SF went VRT and licensed it as such the OSSRC was no longer of use.
>

Mike can run one too, Mike is just swamped with many projects.
Snort.org revamp
was a huge undertaking.  (It's on completely different servers, completely
different code.  The code running the old Snort.org website was left over
from 1998)  But there are things being done in the background that you guys
don't see, and we're going to make up for lost time.

OSSRC wasn't pre-VRT, it was post.  BS wasn't started until after the
VRT-License came out.  VRT has been there at Sourcefire since early days.


> Long long ago (in the first year we did this) we had hoped to use ET to
> feed rules into the SF GPL ruleset and the early VRT ruleset. SF
> unfortunately ignored us or bashed the work being done as crap.


No.  We've just not republished the GPL set as most of the GPL rule
development went in your direction (which I am not complaining about?  do
NOT read into that).  We are working on a different way of distributing
rulesets that *I think* Snort users will find vastly innovative.



> Then VRT
> came about a few years later which prevented ET from pushing our rules
> to the SF ruleset because of 1) copyright assignment and 2) the
> community would have thrown a sh*t-fit over their free work being resold
> via VRT for a profit. Plus OSSRC was completely neglected by the SF
> folks that took on tasks. It fell out of use and was dropped officially
> by ET (then Bleeding Snort) years ago.
>

Well, no.  The VRT existed before BS/ET, that's what the OSSRC was
established after you guys came along, was to move rules from your set into
the GPL set.  OSSRC has never been dropped from the SF side, when Jen left,
because of several issues, as any company has that I won't bother mentioning
here -- we never got the chance to follow through on it.  Again, hopefully
we'll make up for lost time.  (This all happened around the time of the
Checkpoint "acquisition" and IPO.)



> The OSSRC is in it's original form and goal is useless as no one wants
> to funnel rules into VRT (legally or by preference). We no longer have a
> need to avoid duplication as the ET ruleset is there to serve not only
> VRT subscribers, but also non-subscribers. So we go for coverage of
> critical issues even if VRT has or may in the future release a sig.
> Actually we go for whatever anyone wants to write a reasonable sig for.
> Which will be 100% of important issues.
>

?and I see a use for ET, bleeding coverage of the 0day when it comes out
until a throughly tested, vetted, and researched rule can be published, at
which time, de-duplication needs to occur.



> Only thing I could see would be using the OSSRC to publish a list of
> sigs that have very similar function (not calling one more effective
> than the other necessarily) allowing the user to automate dropping one
> sig to avoid duplication of processing. I don't know how much need there
> is for such a thing though. But I'm willing to go at it if SF follows
> through this time.
>

That's what I mean.  After some back end work is done with our rule
distribution method, we'll be able to accommodate things like that.



> Side thought: SF ought to consider a royalty sharing program for
> community sigs. Take in good ones from authors willing to assign
> copyright and offer a percentage of royalties each year. If an author
> contributes (in round numbers) 2 sigs into a 10,000 sig ruleset they'd
> gain 2/10,000's of the gross revenue as long as the sig as in the
> ruleset. Prorated of course the first year.
>

I obviously can't speak to that, but it's an interesting idea.  One that I
will pass on.



>
> >
> >
> >     It seems like all this, "VRT just put one out if you want to look at
> >     it" talk is really is snake oil b/c there really isn't a way to
> >     "look at it" (and even if you are a VRT subscriber, can you see the
> >     plaintext (i.e. uncompiled) rule?).
> >
> >
> > Yes.  Except for some of the SO rules (as previously discussed), you can
> > look at every rule that is in the VRT set the same as you would the ET
> > rules.  Who do you think made the rule language up?
>
> But in 30 days is his point. We can't look at them now. (nor should we,
> to avoid IP lawsuits)
>

Understandable.  Again, I wasn't suggesting you use it as a template.  I was
simply stating it was out.



>
>
> >
> >
> >
> >     Please post it J, since you have already announced its existence and
> >     implored us to check it out.
> >
> >
> > I legally cannot.  I'd like to keep my job. :)
>
>
> :)
>
> Matt
>
> >
> >
> >
> >
> >     *G*
> >
> >
> >     On Wed, Sep 9, 2009 at 12:48 AM, Joel Esler <eslerj at gmail.com
> >     <mailto:eslerj at gmail.com>> wrote:
> >
> >         On Tue, Sep 8, 2009 at 7:44 PM, evilghost at packetmail.net
> >         <mailto:evilghost at packetmail.net> <evilghost at packetmail.net
> >         <mailto:evilghost at packetmail.net>> wrote:
> >
> >             Thanks Joel for clearing this up.  Where can I get a copy of
> >             this rule so that, as a community, improvements can be made?
> >
> >
> >         The rule is available in the subscriber set until the 30 days is
> >         expired.
> >
> >
> >
> >             Since these rules are centered around a subscription model
> >             is there a community-centric subscription where improvements
> >             can be made (as suggested)?
> >
> >
> >         I believe the license states that if improvements are made to
> >         the VRT ruleset then the rights belong to Sourcefire.  The VRT
> >         ruleset is not a GPL license.
> >
> >
> >
> >             For example, should improvements be made to this rule, as a
> >             derivative from the VRT rule, would I be eligible for
> >             compensation or are the benefits of community efforts only
> >             one-sided and beneficial to SourceFire?
> >
> >
> >         The benefits are, if you make improvements to the rule, they are
> >         submitted to VRT, where they are throughly tested against
> >         millions upon millions of types of traffic and data.  Then they
> >         are redistributed to the community through the VRT subscription.
> >
> >
> >             I'm guessing I can't get a copy of this rule unless I wait
> >             30+ days or start throwing cash at SourceFire?
> >
> >
> >         Correct.
> >
> >
> >             I'm certainly not trying to insult you on a personal level
> >             but tell me how I can download the VRT rule for analysis?
> >             Ya'll (SourceFire) spin this "community" stuff but honestly
> >             my back is hurting from these "community" friendly companies
> >             standing on my shoulders while rifling through my pockets.
> >
> >
> >         We aren't charging you for using Snort, I don't see how we are
> >         rifling through your pockets?
> >
> >
> >
> >             IMHO the "VRT has this" was spam, likely that wasn't the
> >             intent, but all it did was advertise VRT and create
> >             questions around licensing conditions.
> >
> >
> >         Exactly why I said "FWIW" in the beginning of the rule.  As I
> >         said, there are plenty of people that have the subscription on
> >         this list, and they can benefit from the 29 bucks we charge for
> >         a single license.
> >
> >
> >
> >             Rather than pointing us to a snipe-hunt in a
> >             subscription-based licensed model I'd find more value in
> >             actual content :)
> >
> >
> >         Sorry you feel that way.  The license prohibits me from
> >         disclosing the rule.  As I previously stated.
> >
> >
> >
> >
> >             -evilghost
> >
> >
> >             Joel Esler wrote:
> >>             SOME of the rules are written that way because of
> >>             contractual agreements with Microsoft under the MAPP
> >>             program.
> >>
> http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
> >>
> >>             However, the vast majority of the VRT rules are open for
> >>             everyone to read.
> >>
> >>             You may discuss the rules and make improvements upon the
> >>             rules on Snort's lists, you may not, however, post or
> >>             distribute the rule.
> >>
> >>             I suggest people A) Check out the License, because clearly
> >>             there is misunderstanding and FUD being spread, and B)
> >>             Check out the rules to clear up the FUD.  (They are
> >>             closed, we can't download them, other misc lies.)
> >>
> >>             It's not about competition between "community" vs.
> >>             "Sourcefire" as some people have tried to make it out to
> >>             be.  I wish that would stop.  I discussed this at length
> >>             in an earlier email.
> >>
> >>             That being said...  there are no negative content matches
> >>             in the VRT rule.
> >>
> >>             J
> >>
> >>
> >>
> >>             On Tue, Sep 8, 2009 at 6:25 PM, Guise McAllaster
> >>             <guise.mcallaster at gmail.com
> >>             <mailto:guise.mcallaster at gmail.com>> wrote:
> >>
> >>                 I thought the VRT rules are compiled so you can't see
> >>                 them in the clear unless you reverse engineer it and
> >>                 reconstruct them.  Am I wrong?  If so, can some one
> >>                 post it here?  Matt has a good point about comparing
> >>                 it -- the more info we have the better.  Sharing and
> >>                 empowerment is what gives the open source community
> >>                 the strength.  Unless, of course, you aren't open
> >>                 source and then it is all about competitive advantage
> >>                 and money, greed, etc.
> >>
> >>                 Guise (a.k.a. G)
> >>
> >>
> >>                 On Tue, Sep 8, 2009 at 9:58 PM, Joel Esler
> >>                 <eslerj at gmail.com <mailto:eslerj at gmail.com>> wrote:
> >>
> >>                     No, the license would prevent me from posting
> >>                     them.  Not from you seeing them.  I am sure plenty
> >>                     of people on this list have a VRT subscription.
> >>
> >>                     No FUD spreading.
> >>
> >>                     J
> >>
> >>
> >>                     On Tue, Sep 8, 2009 at 5:06 PM, Matt Jonkman
> >>                     <jonkman at jonkmans.com
> >>                     <mailto:jonkman at jonkmans.com>> wrote:
> >>
> >>                         :)
> >>
> >>                         The license would prevent us from doing so. Or
> >>                         even seeing them at this
> >>                         point.
> >>
> >>                         If you'd like to post it here so we can
> >>                         compare that'd be appreciated.
> >>
> >>                         Matt
> >>
> >>                         Joel Esler wrote:
> >>                         > FWIW, VRT just put one out if you want to
> >>                         look at it.  It's Gid:1.
> >>                         >
> >>                         > J
> >>                         >
> >>                         > On Tue, Sep 8, 2009 at 2:51 PM, Matt Jonkman
> >>                         <jonkman at jonkmans.com
> >>                         <mailto:jonkman at jonkmans.com>
> >>                         > <mailto:jonkman at jonkmans.com
> >>                         <mailto:jonkman at jonkmans.com>>> wrote:
> >>                         >
> >>                         >     Committed, again all please test. Thanks
> >>                         Jax and Christopher!
> >>                         >
> >>                         >     Matt
> >>                         >
> >>                         >     Campesi, Christopher wrote:
> >>                         >     >  I looked at the results of the sig
> >>                         and it hit way more than I
> >>                         >     expected,
> >>                         >     > sorry about that. I took what Jax
> >>                         replied with and used that as
> >>                         >     the only
> >>                         >     > content match, that resulted in no FPs
> >>                         so far, like he said.
> >>                         >     >
> >>                         >     >
> >>                         >     >
> >>                         >     > alert tcp $EXTERNAL_NET any ->
> >>                         $HOME_NET 445 (msg:"Windows7/Vista/2k8
> >>                         >     > SMB2.0 DoS
> >>
> Exploit";flow:to_server,established;content:"|ff|SMB|72
> >>                         >     00 00
> >>                         >     > 00 00 18 53 c8 00
> >>                         >     >
> >>                         >
> >>
> 26|";offset:4;classtype:attempted-dos;reference:url,
> securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1
> >>                         <
> http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>
> >>                         >
> >>                         <
> http://securityreason.com/exploitalert/7138;sid:XXXXXXXXX;rev:1>;)
> >>                         >     >
> >>                         >     >
> >>                         >     >
> >>                         >     > -Chris
> >>                         >     >
> >>                         >     > *From:*
> >>                         emerging-sigs-bounces at emergingthreats.net
> >>                         <mailto:
> emerging-sigs-bounces at emergingthreats.net>
> >>                         >
> >>                         <mailto:
> emerging-sigs-bounces at emergingthreats.net
> >>                         <mailto:
> emerging-sigs-bounces at emergingthreats.net>>
> >>                         >     >
> >>                         [mailto:
> emerging-sigs-bounces at emergingthreats.net
> >>                         <mailto:
> emerging-sigs-bounces at emergingthreats.net>
> >>                         >
> >>                         <mailto:
> emerging-sigs-bounces at emergingthreats.net
> >>                         <mailto:
> emerging-sigs-bounces at emergingthreats.net>>]
> >>                         *On Behalf Of
> >>                         >     > *evilghost at packetmail.net
> >>                         <mailto:evilghost at packetmail.net>
> >>                         <mailto:evilghost at packetmail.net
> >>                         <mailto:evilghost at packetmail.net>>
> >>                         >     > *Sent:* Tuesday, September 08, 2009
> >>                         2:20 PM
> >>                         >     > *To:* Matt Jonkman
> >>                         >     > *Cc:* Emerging Threats Signatures
> >>                         >     > *Subject:* Re: [Emerging-Sigs] Remote
> >>                         SMB 2.0 DoS Exploit
> >>                         >     >
> >>                         >     >
> >>                         >     >
> >>                         >     > var HOME_NET [10.0.0.0/8
> >>                         <http://10.0.0.0/8> <http://10.0.0.0/8>]
> >>                         >     > var EXTERNAL_NET any
> >>                         >     >
> >>                         >     > RFC1918 -> RFC1918
> >>                         >     >
> >>                         >     > One of many examples, some including
> >>                         >     >
> >>                         >     > 11:48:37.479991 IP 10.215.aa.bb.4205 >
> >>                         10.96.aa.bb.microsoft-ds: Flags
> >>                         >     > [P.], ack 361669, win 65145, length
> >>                         140SMB PACKET: SMBtrans (REQUEST)
> >>                         >     >
> >>                         >     >         0x0000:  4500 00b4 0a44 4000
> >>                         7f06 05a4 0ad7 cc08
> >>                         >      E....D at .........
> >>                         >     >         0x0010:  0a60 0a1d 106d 01bd
> >>                         e822 e07f 6c12 38b1
> >>                         >      .`...m..."..l.8.
> >>                         >     >         0x0020:  5018 fe79 ea77 0000
> >>                         0000 0088 ff53 4d42
> >>                         >      P..y.w.......SMB
> >>                         >     >         0x0030:  2500 0000 0018 07c8
> >>                         0000 6bd5 793b 77d3
> >>                         >      %.........k.y;w.
> >>                         >     >         0x0040:  cf73 0000 0178 f80c
> >>                         02e0 834c 1000 0034
> >>                         >      .s...x.....L...4
> >>                         >     >         0x0050:  0000 0000 0400 0000
> >>                         0000 0000 0000 0000
> >>                         >      ................
> >>                         >     >         0x0060:  0054 0034 0054 0002
> >>                         0026 000e c045 0000
> >>                         >      .T.4.T...&...E..
> >>                         >     >         0x0070:  5c00 5000 4900 5000
> >>                         4500 5c00 0000 0000
> >>                         >      \.P.I.P.E.\.....
> >>                         >     >         0x0080:  0500 0003 1000 0000
> >>                         3400 0000 0f00 0000
> >>                         >      ........4.......
> >>                         >     >         0x0090:  1c00 0000 0000 0d00
> >>                         0000 0000 7599 3ccc
> >>                         >      ............u.<.
> >>                         >     >         0x00a0:  43cd 9348 af53 9c56
> >>                         e124 4201 ffff ffff
> >>                         >      C..H.S.V.$B.....
> >>                         >     >         0x00b0:  007d 0000
> >>                                            .}..
> >>                         >     >
> >>                         >     > 11:48:37.569906 IP 10.215.aa.bb.4205 >
> >>                         10.96.aa.bb.microsoft-ds: Flags
> >>                         >     > [P.], ack 362044, win 64770, length
> >>                         132SMB PACKET: SMBtrans (REQUEST)
> >>                         >     >
> >>                         >     >         0x0000:  4500 00ac 0a47 4000
> >>                         7f06 05a9 0ad7 cc08
> >>                         >      E....G at .........
> >>                         >     >         0x0010:  0a60 0a1d 106d 01bd
> >>                         e822 e1c2 6c12 3a28
> >>                         >      .`...m..."..l.:(
> >>                         >     >         0x0020:  5018 fd02 0650 0000
> >>                         0000 0080 ff53 4d42
> >>                         >      P....P.......SMB
> >>                         >     >         0x0030:  2500 0000 0018 07c8
> >>                         0000 300c 85e5 0f16
> >>                         >      %.........0.....
> >>                         >     >         0x0040:  a5e5 0000 0178 f80c
> >>                         02e0 444d 1000 002c
> >>                         >      .....x....DM...,
> >>                         >     >         0x0050:  0000 0000 0400 0000
> >>                         0000 0000 0000 0000
> >>                         >      ................
> >>                         >     >         0x0060:  0054 002c 0054 0002
> >>                         0026 0002 c03d 0000
> >>                         >      .T.,.T...&...=..
> >>                         >     >         0x0070:  5c00 5000 4900 5000
> >>                         4500 5c00 0000 0000
> >>                         >      \.P.I.P.E.\.....
> >>                         >     >         0x0080:  0500 0003 1000 0000
> >>                         2c00 0000 1000 0000
> >>                         >      ........,.......
> >>                         >     >         0x0090:  1400 0000 0000 0000
> >>                         0000 0000 7599 3ccc
> >>                         >      ............u.<.
> >>                         >     >         0x00a0:  43cd 9348 af53 9c56
> >>                         e124 4201            C..H.S.V.$B.
> >>                         >     >
> >>                         >     > 11:48:37.301987 IP 10.215.aa.bb.4205 >
> >>                         10.96.aa.bb.microsoft-ds: Flags
> >>                         >     > [P.], ack 360908, win 64520, length
> >>                         176SMB PACKET: SMBtrans (REQUEST)
> >>                         >     >
> >>                         >     >         0x0000:  4500 00d8 0a3b 4000
> >>                         7f06 0589 0ad7 cc08
> >>                         >      E....;@.........
> >>                         >     >         0x0010:  0a60 0a1d 106d 01bd
> >>                         e822 dd36 6c12 35b8
> >>                         >      .`...m...".6l.5.
> >>                         >     >         0x0020:  5018 fc08 877f 0000
> >>                         0000 00ac ff53 4d42
> >>                         >      P............SMB
> >>                         >     >         0x0030:  2500 0000 0018 07c8
> >>                         0000 9f52 3a78 b920
> >>                         >      %..........R:x..
> >>                         >     >         0x0040:  4608 0000 0178 f80c
> >>                         02e0 834a 1000 0058
> >>                         >      F....x.....J...X
> >>                         >     >         0x0050:  0000 0000 0400 0000
> >>                         0000 0000 0000 0000
> >>                         >      ................
> >>                         >     >         0x0060:  0054 0058 0054 0002
> >>                         0026 0009 c069 0000
> >>                         >      .T.X.T...&...i..
> >>                         >     >         0x0070:  5c00 5000 4900 5000
> >>                         4500 5c00 0000 0000
> >>                         >      \.P.I.P.E.\.....
> >>                         >     >         0x0080:  0500 0003 1000 0000
> >>                         5800 0000 0700 0000
> >>                         >      ........X.......
> >>                         >     >         0x0090:  4000 0000 0000 2c00
> >>                         b028 0d00 0a00 0000
> >>                         >      @.....,..(......
> >>                         >     >         (*SNIPPED*)
> >>                         >     >
> >>                         >     >
> >>                         >     >
> >>                         >     >
> >>                         >     >
> >>                         >     > Matt Jonkman wrote:
> >>                         >     >
> >>                         >     > Internal to internal? Or external
> inbound?
> >>                         >     >
> >>                         >     >
> >>                         >     >
> >>                         >     > Matt
> >>                         >     >
> >>                         >