From thierry.chich at ac-clermont.fr Mon Feb 1 05:40:35 2010
From: thierry.chich at ac-clermont.fr (Thierry Chich)
Date: Mon, 01 Feb 2010 11:40:35 +0100
Subject: [Emerging-Sigs] FP ET RBN Known Russian Business Network IP UDP
Message-ID: <4B66AFA3.1000406@ac-clermont.fr>

Hello,

I have a huge amount of alerts from these rules, mainly because of DNS traffic. It seems there are official DNS servers in these networks. It seems to me that an alert shouldn't be triggered by a DNS request towards these networks. Even if it could be interpreted as the symptom of a compromised host, it is really difficult to find it, since there can be a lot of DNS forwarders involved.

I suggest that this kind of rule takes !53 as destination port.

Thierry Chich

PS: Don't forget, I am not the Sourcefire troll. My English grammar is really poor, and I am really French. It is not a clever ruse.

From kevross33 at googlemail.com Mon Feb 1 07:49:59 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 1 Feb 2010 12:49:59 +0000
Subject: [Emerging-Sigs] 8 Sigs

All of these have been tested and are working.
Kev

alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; content:!"|0A|"; within:55; isdataat:55,relative; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; classtype:attempted-admin; reference:url,www.securityfocus.com/bid/38010; sid:18000211; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX admin/config.php Password Information Disclosure Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"userdisplay="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+userdisplay\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37848; sid:18000212; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX config.php SQL Injection Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"filter="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+filter\x3D.+(SELECT.+FROM|DELETE.+FROM|UPDATE.+SET|INSERT.+INTO|UNION.+SELECT)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37847; sid:18000213; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; pcre:"/<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37834; sid:18000214; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; uricontent:"/zport/dmd/ZenUsers/admin"; nocase; uricontent:"defaultAdminLevel"; nocase; uricontent:"manage_editUserSettings"; nocase; uricontent:"method=Save"; nocase; uricontent:"password="; nocase; uricontent:"zenScreenName=editUserSettings"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000215; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; uricontent:"commandId="; nocase; pcre:"/\x2Fzport\x2Fdmd\x2FDevices\x2Fdevices\x2Flocalhost\x2Fmanage\x5FdoUserCommand.+commandId\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000216; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/userCommands/ping"; nocase; uricontent:"commandId=ping"; nocase; uricontent:"manage_editUserCommand"; nocase; uricontent:"ScreenName=userCommandDetail"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000217; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; content:!"|0A|"; within:200; isdataat:200,relative; pcre:"/MEDIA SIZE.{200}/smi"; classtype:attempted-user; reference:cve,2009-3050; sid:18000218; rev:1;)
From kevross33 at googlemail.com Mon Feb 1 08:19:30 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 1 Feb 2010 13:19:30 +0000
Subject: [Emerging-Sigs] FP ET RBN Known Russian Business Network IP UDP
In-Reply-To: <4B66AFA3.1000406@ac-clermont.fr>
References: <4B66AFA3.1000406@ac-clermont.fr>

If you remove the flags:S part, so you see the traffic rather than only SYNs, you will find the domains that get requested from RBN servers aren't, well, normal. They are mostly command and control requests, spyware, dodgy ads or other nasties.

On 1 February 2010 10:40, Thierry Chich wrote:
> Hello,
>
> I have a huge amount of alerts from these rules, mainly because of DNS traffic. It seems there are official DNS servers in these networks. It seems to me that an alert shouldn't be triggered by a DNS request towards these networks. Even if it could be interpreted as the symptom of a compromised host, it is really difficult to find it, since there can be a lot of DNS forwarders involved.
>
> I suggest that this kind of rule takes !53 as destination port.
>
> Thierry Chich
>
> PS: Don't forget, I am not the Sourcefire troll. My English grammar is really poor, and I am really French. It is not a clever ruse.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
From kevross33 at googlemail.com Mon Feb 1 08:56:47 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 1 Feb 2010 13:56:47 +0000
Subject: [Emerging-Sigs] SIG:Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; content:!"|0A|"; within:42000; isdataat:42000,relative; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)

Kev

From evilghost at packetmail.net Mon Feb 1 09:02:22 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 1 Feb 2010 08:02:22 -0600
Subject: [Emerging-Sigs] FP ET RBN Known Russian Business Network IP UDP
In-Reply-To: <4B66AFA3.1000406@ac-clermont.fr>
References: <4B66AFA3.1000406@ac-clermont.fr>
Message-ID: <4B66DEEE.5010608@packetmail.net>

Thierry, I too have noticed this, and I use a sed recipe to do this exact thing: not trigger on DNS traffic. I've had some instances where known DNS providers like eNOM/GoDaddy were classified as RBN or Bot C&C. This causes some definite issues regarding DNS. I am only doing this for UDP 53, not TCP 53, since I want to see AXFR/IXFR.

If there isn't much contention in doing this it may be a good idea to implement this against these rules.

#Do not block on DNS egress due to false positives and resolution failure.
/bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-rbn.rules
/bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-compromised.rules
/bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-botcc.rules

I'm laughing at the PS line. Curious, since you're French, is "Guise" even a French name?

-evilghost

Thierry Chich wrote:
> Hello,
>
> I have a huge amount of alerts from these rules, mainly because of DNS traffic. It seems there are official DNS servers in these networks. It seems to me that an alert shouldn't be triggered by a DNS request towards these networks. Even if it could be interpreted as the symptom of a compromised host, it is really difficult to find it, since there can be a lot of DNS forwarders involved.
>
> I suggest that this kind of rule takes !53 as destination port.
>
> Thierry Chich
>
> PS: Don't forget, I am not the Sourcefire troll. My English grammar is really poor, and I am really French. It is not a clever ruse.
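The sed recipe above substitutes the port field that sits just before `->`, i.e. the source port, in every UDP rule whose source port is `any`. The Python below is an added example, not evilghost's recipe or ET project code: it parses the rule header and rewrites a chosen port field (`sport` for the recipe's behaviour, `dport` for the destination-port form Thierry asked for), leaves TCP rules alone so AXFR/IXFR still alerts, and skips commented-out rules and rules whose port is already restricted. The sample rules, their sids and their msg strings are constructed.

```python
import re
from typing import List, Optional

# Snort/ET rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|log|pass|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))\s*$"
)

def exclude_dns_port(rule: str, field: str = "sport",
                     proto: str = "udp", port: int = 53) -> str:
    """Rewrite one rule so that `field` ('sport' or 'dport') reads '!<port>' instead of 'any'.
    Rules for another protocol, commented-out lines, and rules whose port is not 'any'
    are returned unchanged (the sed recipe also leaves those alone, because its pattern
    requires a literal ' any -> ')."""
    if field not in ("sport", "dport"):
        raise ValueError("field must be 'sport' or 'dport'")
    m = HEADER_RE.match(rule.strip())
    if not m or m.group("proto") != proto or m.group(field) != "any":
        return rule
    h = m.groupdict()
    h[field] = f"!{port}"
    return "{action} {proto} {src} {sport} {dir} {dst} {dport} {opts}".format(**h)

def rewrite_ruleset(text: str, field: str = "sport") -> str:
    """Apply exclude_dns_port to every line of a rules file, keeping comments and blanks."""
    return "\n".join(exclude_dns_port(line, field) for line in text.splitlines())

def changed_sids(before: str, after: str) -> List[Optional[int]]:
    """sids of the rules that differ between two rule-file texts, for reviewing the change."""
    sids: List[Optional[int]] = []
    for old, new in zip(before.splitlines(), after.splitlines()):
        if old != new:
            m = re.search(r"sid:(\d+);", new)
            sids.append(int(m.group(1)) if m else None)
    return sids

# Constructed sample rules with placeholder sids (not real ET sids).
SAMPLE_RULES = """\
# constructed sample in the style of emerging-rbn.rules
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED RBN sample inbound UDP"; sid:9000001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED RBN sample outbound UDP"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED RBN sample inbound TCP"; sid:9000003; rev:1;)
alert udp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"CONSTRUCTED sample, restricted source port"; sid:9000004; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED disabled rule"; sid:9000005; rev:1;)
"""

if __name__ == "__main__":
    out = rewrite_ruleset(SAMPLE_RULES, "sport")
    print(out)
    print("rewritten sids:", changed_sids(SAMPLE_RULES, out))
```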
From evilghost at packetmail.net Mon Feb 1 09:13:56 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 1 Feb 2010 08:13:56 -0600
Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In(DHLSPAM/Malware Campaign)
In-Reply-To: <4B634C56.4030608@packetmail.net>
References: <4B619E79.20609@packetmail.net> <4B619FDD.6020706@packetmail.net> <839aec701001281322m63805705k422412d4bc715983@mail.gmail.com> <4B620E9C.4060407@packetmail.net> <4B630BBF.8070300@jonkmans.com> <6116b9e21001290943w4faf7c7dm85e0a5dd13c3a5f6@mail.gmail.com> <4B634C56.4030608@packetmail.net>
Message-ID: <4B66E1A4.6090000@packetmail.net>

As time progresses the volume of false positives seems to increase; I'm seeing this against Fox Sports as well. I recommend we revert to the original proposed signature, with minor changes, inclusive of the PCRE to anchor cast, to eliminate the FPs. As of now the FP rate is too high to reliably use the signature. Thoughts?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Check-in"; flow:established,to_server; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; pcre:"/\.php\?v=\d+&id=\d+&b=[a-z]+&tm=\d+/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)

-evilghost

evilghost at packetmail.net wrote:
> I am seeing this as well, falsing against ads. Can we consider using the original signature with the PCRE and strict ordering?
>
> Mike Cox wrote:
>> I like this rule but it is falsing a lot for things like ads. As much as I hate to say it, perhaps we need to use a PCRE and enforce strict URI parameter order....
>>
>> -Mike Cox

From dn1nj4 at shadowserver.org Mon Feb 1 09:18:12 2010
From: dn1nj4 at shadowserver.org (dn1nj4)
Date: Mon, 01 Feb 2010 06:18:12 -0800
Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request
Message-ID: <0d13824de3f05df2b9ecbee3494b35c6@shadowserver.org>

For your consideration...

Original Traffic (Host was one of about 10 different domains):

GET /php/cfg.bin HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

GET /~parti3an/qvadro/cfg.bin HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

Signature:

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; content:" Win32)|0d 0a|"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx;)

dn1nj4

From kevross33 at googlemail.com Mon Feb 1 09:27:40 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 1 Feb 2010 14:27:40 +0000
Subject: [Emerging-Sigs] SIG:Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow

Thanks, changed the isdataat and the !"|0A|" around in this and another 2 sigs I submitted. PCRE is not 100% needed but is there as a final check. Also the vulnerability is triggered if the content after the DSC comment is larger than 42000 bytes, as you can read here: http://www.securityfocus.com/archive/1/508175.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; classtype:attempted-admin; reference:url,www.securityfocus.com/bid/38010; sid:18000211; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/MEDIA SIZE.{200}/smi"; classtype:attempted-user; reference:cve,2009-3050; sid:18000218; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:42000,relative; content:!"|0A|"; within:42000; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)

Thanks for the pointer,
Kev

On 1 February 2010 08:11, rmkml wrote:
> Hi Kevin,
> thx for this sig but I have three questions please
> -Why have you written this sig with isdataat after content negate?
> -pcre is not necessary here
> -42000 is too high?
> maybe rewrite this sig:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:1000,relative; content:!"|0A|"; within:1000; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)
>
> Regards
> Rmkml

From evilghost at packetmail.net Mon Feb 1 09:30:12 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 1 Feb 2010 08:30:12 -0600
Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request
In-Reply-To: <0d13824de3f05df2b9ecbee3494b35c6@shadowserver.org>
References: <0d13824de3f05df2b9ecbee3494b35c6@shadowserver.org>
Message-ID: <4B66E574.2010807@packetmail.net>

What are your thoughts on adding a content or uricontent match to avoid having to invoke the PCRE engine so often? We did have something close to this, SID 2010348, but it looks like it's disabled by default and the PCRE would miss the tilde in the first URL. There may be some useful items in 2010348 that could apply here, such as lack of HTTP REFERER and Accept: */*, that could be used to reduce FP potential.

-evilghost

dn1nj4 wrote:
> For your consideration...
>
> Original Traffic (Host was one of about 10 different domains):
>
> GET /php/cfg.bin HTTP/1.0
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>
> GET /~parti3an/qvadro/cfg.bin HTTP/1.0
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>
> Signature:
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; content:" Win32)|0d 0a|"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx;)
>
> dn1nj4

From mike.cox52 at gmail.com Mon Feb 1 09:33:58 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Mon, 1 Feb 2010 08:33:58 -0600
Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request
In-Reply-To: <0d13824de3f05df2b9ecbee3494b35c6@shadowserver.org>
References: <0d13824de3f05df2b9ecbee3494b35c6@shadowserver.org>
Message-ID: <6116b9e21002010633v4f349e50w31da671ea2cf6c9e@mail.gmail.com>

My understanding is that Snort processes the rule left to right, so in this case the pcre would be evaluated before the last content directive, which is not good for performance. Also, you could use the http_header directive to limit the Win32 search to the HTTP header buffer, but I don't think the ET rulesets "support" that directive yet.
Something like:

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"Win32)|0d 0a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:2;)

-Mike Cox

On Mon, Feb 1, 2010 at 8:18 AM, dn1nj4 wrote:
> For your consideration...
>
> Original Traffic (Host was one of about 10 different domains):
>
> GET /php/cfg.bin HTTP/1.0
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>
> GET /~parti3an/qvadro/cfg.bin HTTP/1.0
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>
> Signature:
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; content:" Win32)|0d 0a|"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx;)
>
> dn1nj4

From dn1nj4 at shadowserver.org Mon Feb 1 09:47:43 2010
From: dn1nj4 at shadowserver.org (dn1nj4)
Date: Mon, 01 Feb 2010 06:47:43 -0800
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2

Thanks for the feedback.
Drawing on evilghost and Mike's recommendations:

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:3;)

evilghost: My original thought was to reduce FPs by the simple inclusion of the Win32 User-Agent, which does not appear to be valid.

dn1nj4

> Message: 6
> Date: Mon, 1 Feb 2010 08:30:12 -0600
> From: "evilghost at packetmail.net"
> Subject: Re: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request
> To: "emerging-sigs at emergingthreats.net"
> Message-ID: <4B66E574.2010807 at packetmail.net>
> Content-Type: text/plain; charset="us-ascii"
>
> What are your thoughts on adding a content or uricontent match to avoid having to invoke the PCRE engine so often? We did have something close to this, SID 2010348, but it looks like it's disabled by default and the PCRE would miss the tilde in the first URL. There may be some useful items in 2010348 that could apply here, such as lack of HTTP REFERER and Accept: */*, that could be used to reduce FP potential.
>
> -evilghost
>
> ------------------------------
>
> Message: 7
> Date: Mon, 1 Feb 2010 08:33:58 -0600
> From: Mike Cox
> Subject: Re: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request
> To: dn1nj4
> Cc: emerging-sigs at emergingthreats.net
> Message-ID: <6116b9e21002010633v4f349e50w31da671ea2cf6c9e at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> My understanding is that Snort processes the rule left to right, so in this case the pcre would be evaluated before the last content directive, which is not good for performance.
> Also, you could use the http_header directive to limit the Win32 search to the HTTP header buffer, but I don't think the ET rulesets "support" that directive yet. Something like:
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"Win32)|0d 0a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:2;)
>
> -Mike Cox

From thierry.chich at ac-clermont.fr Mon Feb 1 10:59:37 2010
From: thierry.chich at ac-clermont.fr (Thierry Chich)
Date: Mon, 01 Feb 2010 16:59:37 +0100
Subject: [Emerging-Sigs] FP ET RBN Known Russian Business Network IP UDP
In-Reply-To: <4B66DEEE.5010608@packetmail.net>
References: <4B66AFA3.1000406@ac-clermont.fr> <4B66DEEE.5010608@packetmail.net>
Message-ID: <4B66FA69.60703@ac-clermont.fr>

On 01/02/2010 15:02, evilghost at packetmail.net wrote:
> Thierry, I too have noticed this, and I use a sed recipe to do this exact thing: not trigger on DNS traffic. I've had some instances where known DNS providers like eNOM/GoDaddy were classified as RBN or Bot C&C. This causes some definite issues regarding DNS. I am only doing this for UDP 53, not TCP 53, since I want to see AXFR/IXFR.
>
> If there isn't much contention in doing this it may be a good idea to implement this against these rules.
>
> #Do not block on DNS egress due to false positives and resolution failure.
> /bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-rbn.rules
> /bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-compromised.rules
> /bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-botcc.rules

Yes, that is what I meant. Since I use it, I suppose I can do this with oinkmaster also.
I was just suggesting it could be done globally.

> I'm laughing at the PS line. Curious, since you're French, is "Guise" even a French name?

As a last name, it could be. There is a famous Duc de Guise in French history. But Guise is not a French first name.

Thierry

From guise.mcallaster at gmail.com Mon Feb 1 11:10:36 2010
From: guise.mcallaster at gmail.com (Guise McAllaster)
Date: Mon, 1 Feb 2010 16:10:36 +0000
Subject: [Emerging-Sigs] FP ET RBN Known Russian Business Network IP UDP
In-Reply-To: <4B66FA69.60703@ac-clermont.fr>
References: <4B66AFA3.1000406@ac-clermont.fr> <4B66DEEE.5010608@packetmail.net> <4B66FA69.60703@ac-clermont.fr>

It is a nickname given to me ... as a child I always enjoyed playing Duc Duc Guise and the name just stuck :)

Guise

On 2/1/10, Thierry Chich wrote:
> On 01/02/2010 15:02, evilghost at packetmail.net wrote:
>> Thierry, I too have noticed this, and I use a sed recipe to do this exact thing: not trigger on DNS traffic. I've had some instances where known DNS providers like eNOM/GoDaddy were classified as RBN or Bot C&C. This causes some definite issues regarding DNS. I am only doing this for UDP 53, not TCP 53, since I want to see AXFR/IXFR.
>>
>> If there isn't much contention in doing this it may be a good idea to implement this against these rules.
>>
>> #Do not block on DNS egress due to false positives and resolution failure.
>> /bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-rbn.rules
>> /bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-compromised.rules
>> /bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-botcc.rules
>
> Yes, that is what I meant. Since I use it, I suppose I can do this with oinkmaster also.
> I was just suggesting it could be done globally.
>
>> I'm laughing at the PS line. Curious, since you're French, is "Guise" even a French name?
>
> As a last name, it could be. There is a famous Duc de Guise in French history. But Guise is not a French first name.
>
> Thierry

From dn1nj4 at shadowserver.org Mon Feb 1 12:18:08 2010
From: dn1nj4 at shadowserver.org (dn1nj4)
Date: Mon, 01 Feb 2010 09:18:08 -0800
Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request
Message-ID: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org>

I just ran across another Zbot sample with the following header:

GET /immagini/eg.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.ato5enna.it
Pragma: no-cache

Would it be better to drop the Win32 and add eg.bin to the pcre, or create an entirely different signature? Also, classification should be classtype.

dn1nj4

> Date: Mon, 01 Feb 2010 06:47:43 -0800
> From: dn1nj4
> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2
> Content-Type: text/plain; charset="UTF-8"
>
> Thanks for the feedback.
> Drawing on evilghost and Mike's recommendations:
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:3;)

From evilghost at packetmail.net Mon Feb 1 12:31:22 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 1 Feb 2010 11:31:22 -0600
Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request
In-Reply-To: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org>
References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org>
Message-ID: <4B670FEA.4010604@packetmail.net>

I really tried to cover all these behaviors with 2010348 and it just tended to false too much. As I recall, I believe that there isn't a succinct list of configuration names ZeuS uses; they're all over the board. The root issue, as exhibited by 2010348 evidently, is the tendency to false despite the negated content matches. In 2010348 I tried to ensure that the User-Agent was at least MSIE *something*, but even this caused issues.

I'm not really sure what the solution is, but I anticipate we'll have the same issues as 2010348 with this proposed signature or a very large PCRE with multiple OR matches. Just my thoughts/input.

-evilghost

dn1nj4 wrote:
> I just ran across another Zbot sample with the following header:
>
> GET /immagini/eg.bin HTTP/1.1
> Accept: */*
> Connection: Close
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> Host: www.ato5enna.it
> Pragma: no-cache
>
> Would it be better to drop the Win32 and add eg.bin to the pcre, or create an entirely different signature? Also, classification should be classtype.
>
> dn1nj4
>
>> Date: Mon, 01 Feb 2010 06:47:43 -0800
>> From: dn1nj4
>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Thanks for the feedback. Drawing on evilghost and Mike's recommendations:
>>
>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:3;)

From jonkman at jonkmans.com Mon Feb 1 12:44:45 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 01 Feb 2010 12:44:45 -0500
Subject: [Emerging-Sigs] FP ET RBN Known Russian Business Network IP UDP
In-Reply-To: <4B66AFA3.1000406@ac-clermont.fr>
References: <4B66AFA3.1000406@ac-clermont.fr>
Message-ID: <4B67130D.6060002@jonkmans.com>

I understand your point definitely. But if you're blocking, there's some use to blocking DNS requests. If they're inbound from an RBN host they're likely looking to spam you, so blocking DNS kills them unless they use another DNS server. If it's an internal host going out, you may be killing an infection.

What kind of requests are you seeing? For legitimate names, or just malware crud?

Matt

On 2/1/10 5:40 AM, Thierry Chich wrote:
> Hello,
>
> I have a huge amount of alerts from these rules, mainly because of DNS traffic.
> It seems there are official DNS servers in these networks. It seems to me that an alert shouldn't be triggered by a DNS request towards these networks. Even if it could be interpreted as the symptom of a compromised host, it is really difficult to find it, since there can be a lot of DNS forwarders involved.
>
> I suggest that this kind of rule takes !53 as destination port.
>
> Thierry Chich
>
> PS: Don't forget, I am not the Sourcefire troll. My English grammar is really poor, and I am really French. It is not a clever ruse.

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Feb 1 12:49:12 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 01 Feb 2010 12:49:12 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures -Jan 30th, 2010
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C294F@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C294F@webmail.latis.com>
Message-ID: <4B671418.1030303@jonkmans.com>

Posted, thanks!!
Matt On 1/30/10 6:17 AM, signatures wrote: > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS > SoftArtisans XFile FileManager ActiveX stack overfow Function call > Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; > content:"SoftArtisans.FileManager.1"; distance:0; nocase; > pcre:"/(Buildpath|GetDriveName|DriveExists|DeleteFile)/i"; > classtype:attempted-user; reference:url,www.kb.cert.org/vuls/id/914785; > reference:url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; > reference:url,osvdb.org/47794; sid:9679; rev:1;) > > > > *2. **WEB-ATTACKS SoftArtisans XFile FileManager ActiveX Buildpath > method stack overflow Attempt * > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS > SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow > Attempt"; flow:established,to_client; content:"clsid"; nocase; > content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; > content:"BuildPath"; nocase; > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; > classtype:attempted-user; reference:url,www.kb.cert.org/vuls/id/914785; > reference:url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; > reference:url,osvdb.org/47794; sid:9680; rev:1;) > > > > *3. 
**WEB-ATTACKS SoftArtisans XFile FileManager ActiveX > GetDriveName method stack overflow Attempt * > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS > SoftArtisans XFile FileManager ActiveX GetDriveName method stack > overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; > content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; > content:"GetDriveName"; nocase; > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; > classtype:attempted-user; reference:url,www.kb.cert.org/vuls/id/914785; > reference:url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; > reference:url,osvdb.org/47794; sid:9681; rev:1;) > > > > *4. **WEB-ATTACKS SoftArtisans XFile FileManager ActiveX > DriveExists method stack overflow Attempt * > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS > SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow > Attempt"; flow:established,to_client; content:"clsid"; nocase; > content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; > content:"DriveExists"; nocase; > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; > classtype:attempted-user; reference:url,www.kb.cert.org/vuls/id/914785; > reference:url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; > reference:url,osvdb.org/47794; sid:9682; rev:1;) > > > > *5. 
**WEB-ATTACKS SoftArtisans XFile FileManager ActiveX > DeleteFile method stack overflow Attempt * > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS > SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow > Attempt"; flow:established,to_client; content:"clsid"; nocase; > content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; > content:"DeleteFile"; nocase; > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; > classtype:attempted-user; reference:url,www.kb.cert.org/vuls/id/914785; > reference:url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; > reference:url,osvdb.org/47794; sid:9683; rev:1;) > > > > *6. **WEB-PHP Joomla com_musicgallery Component Id Parameter > SELECT FROM SQL Injection Attempt * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_musicgallery&"; nocase; > uricontent:"&task=itempage"; nocase; uricontent:"Id="; nocase; > uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; > pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; > reference:bugtraq,37146; > reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; > sid:9729; rev:1;) > > > > *7. 
**WEB-PHP Joomla com_musicgallery Component Id Parameter > DELETE FROM SQL Injection Attempt * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_musicgallery&"; nocase; > uricontent:"&task=itempage"; nocase; uricontent:"Id="; nocase; > uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; > pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; > reference:bugtraq,37146; > reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; > sid:9730; rev:1;) > > > > *8. **WEB-PHP Joomla com_musicgallery Component Id Parameter UNION > SELECT SQL Injection Attempt * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_musicgallery Component Id Parameter UNION SELECT SQL > Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_musicgallery&"; nocase; > uricontent:"&task=itempage"; nocase; uricontent:"Id="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:bugtraq,37146; > reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; > sid:9731; rev:1;) > > > > *9. 
**WEB-PHP Joomla com_musicgallery Component Id Parameter > INSERT INTO SQL Injection Attempt * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_musicgallery&"; nocase; > uricontent:"&task=itempage"; nocase; uricontent:"Id="; nocase; > uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; > pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; > reference:bugtraq,37146; > reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; > sid:9732; rev:1;) > > > > *10. **WEB-PHP Joomla com_musicgallery Component Id Parameter UPDATE > SET SQL Injection Attempt * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_musicgallery&"; nocase; > uricontent:"&task=itempage"; nocase; uricontent:"Id="; nocase; > uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; > pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; > reference:bugtraq,37146; > reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; > sid:9733; rev:1;) > > > -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From dn1nj4 at shadowserver.org Mon Feb 1 13:30:25 2010 From: dn1nj4 at shadowserver.org (dn1nj4) Date: Mon, 01 Feb 2010 10:30:25 -0800 Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request In-Reply-To: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> References: 
<0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> Message-ID: <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> After a thorough review of captures from another 40 Zbot samples this AM, I see two additional, consistent request types: GET /1cfg.bin HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: Pragma: no-cache GET /conf.sts HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: Pragma: no-cache And one outlier (only 1 sample that did this)... GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: www.rusibank.com Pragma: no-cache The rule I'm running locally to catch everything I've seen thus far, minus the outlier: alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referrer|3a|"; pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/;sid:2010999; rev:3;) Thoughts? dn1nj4 On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 wrote: > I just ran across another Zbot sample with the following header: > > GET /immagini/eg.bin HTTP/1.1 > Accept: */* > Connection: Close > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) > Host: www.ato5enna.it > Pragma: no-cache > > Would it be better to drop the Win32 and add eg.bin to the pcre or create > an entirely different signature? Also, classification should be classtype. > > dn1nj4 > >> Date: Mon, 01 Feb 2010 06:47:43 -0800 >> From: dn1nj4 >> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2 >> To: >> Message-ID: >> Content-Type: text/plain; charset="UTF-8" >> >> Thanks for the feedback.
Drawing on evilghost and Mike's > recommendations: >> >> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >> Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d >> 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d >> 0a|"; content:!"|0d 0a|Referrer|3a|"; >> pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; >> classification:trojan-activity; reference:url, >> > www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; >> sid:2010xxx; rev:3;) From phatbuckett at gmail.com Mon Feb 1 13:48:34 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Mon, 1 Feb 2010 11:48:34 -0700 Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In(DHLSPAM/Malware Campaign) In-Reply-To: <4B66E1A4.6090000@packetmail.net> References: <4B619E79.20609@packetmail.net> <4B619FDD.6020706@packetmail.net> <839aec701001281322m63805705k422412d4bc715983@mail.gmail.com> <4B620E9C.4060407@packetmail.net> <4B630BBF.8070300@jonkmans.com> <6116b9e21001290943w4faf7c7dm85e0a5dd13c3a5f6@mail.gmail.com> <4B634C56.4030608@packetmail.net> <4B66E1A4.6090000@packetmail.net> Message-ID: <839aec701002011048o5e964a43t39dc9f7658999301@mail.gmail.com> Check out my 2 most recent emails on this thread and comment, if you don't mind. The below sig won't match reliably ('b' parameter wrong, first parameter varies between 'id' and 'v', etc.) DS On Mon, Feb 1, 2010 at 7:13 AM, evilghost at packetmail.net wrote: > As time progresses the volume of false positives seems to increase, I'm > seeing this against Fox Sports as well. I recommend we revert to the > original proposed signature, with minor changes, inclusive of the PCRE > to anchor cast, to eliminate the FPs. As of now the FP rate is too high > to reliably use the signature. Thoughts?
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Check-in"; > flow:established,to_server; > content:!"|0d 0a|Referer\: "; nocase; > content:!"|0d 0a|Accept-Encoding\: "; nocase; > uricontent:".php?v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; > nocase; uricontent:"&tm="; nocase; > pcre:"/\.php\?v=\d+&id=\d+&b=[a-z]+&tm=\d+/Ui"; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; > sid:2010xxx; rev:1;) > > > > -evilghost > > > > evilghost at packetmail.net wrote: >> I am seeing this as well, falsing against ads. Can we consider using >> the original signature with the PCRE and strict ordering? >> >> Mike Cox wrote: >> >>> I like this rule but it is falsing a lot for things like ads. As much as I >>> hate to say it, perhaps we need to use a PCRE and enforce strict URI >>> parameter order.... >>> >>> -Mike Cox >> > -- Darren Spruell phatbuckett at gmail.com From phatbuckett at gmail.com Mon Feb 1 13:59:36 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Mon, 1 Feb 2010 11:59:36 -0700 Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request In-Reply-To: <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> Message-ID: <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> ZeuS/Zbot config and dropzone URLs are all over the place and don't follow a standard convention (they're configurable on the server/builder side).
You could argue that they're appropriate for current events detection at best, probably. Examples: https://zeustracker.abuse.ch/monitor.php?browse=configs DS. On Mon, Feb 1, 2010 at 11:30 AM, dn1nj4 wrote: > After a thorough review of captures from another 40 Zbot samples this AM, I > see two additional, consistent request types: > > GET /1cfg.bin HTTP/1.0 > Accept: */* > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) > Host: > Pragma: no-cache > > GET /conf.sts HTTP/1.1 > Accept: */* > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) > Host: > Pragma: no-cache > > And one outlier (only 1 sample that did this)... > > GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1 > Accept: */* > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) > Host: www.rusibank.com > Pragma: no-cache > > The rule I'm running locally to catch everything I've seen thus far, minus > the outlier: > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d > 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referrer|3a|"; > pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/"; > classtype:trojan-activity; > reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/;sid:2010999; > rev:3;) > > Thoughts? > > dn1nj4 > > On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 wrote: >> I just ran across another Zbot sample with the following header: >> >> GET /immagini/eg.bin HTTP/1.1 >> Accept: */* >> Connection: Close >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) >> Host: www.ato5enna.it >> Pragma: no-cache >> >> Would it be better to drop the Win32 and add eg.bin to the pcre or create >> an entirely different signature? Also, classification should be > classtype.
>> >> dn1nj4 >> >>> Date: Mon, 01 Feb 2010 06:47:43 -0800 >>> From: dn1nj4 >>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2 >>> To: >>> Message-ID: >>> Content-Type: text/plain; charset="UTF-8" >>> >>> Thanks for the feedback. Drawing on evilghost and Mike's >> recommendations: >>> >>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >>> Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d >>> 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d >>> 0a|"; content:!"|0d 0a|Referrer|3a|"; >>> pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; >>> classification:trojan-activity; reference:url, >>> >> > www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; >>> sid:2010xxx; rev:3;) > -- Darren Spruell phatbuckett at gmail.com From mike.cox52 at gmail.com Mon Feb 1 14:47:30 2010 From: mike.cox52 at gmail.com (Mike Cox) Date: Mon, 1 Feb 2010 13:47:30 -0600 Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request In-Reply-To: <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> Message-ID: <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> I sent this last week but it never made it thru to the list (maybe it got spam filtered because of the link?).
I am seeing FPs on strings like this (you will need to base64 decode it) Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAyX19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMmdj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29tLyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw== So I say we try no PCRE (yet) but use '&' on some of the parameters. We would only need two rules then: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url, www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url, www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;) -Mike Cox On Mon, Feb 1, 2010 at 12:59 PM, Darren Spruell wrote: > ZeuS/Zbot config and dropzone URLs are all over the place and don't > follow a standard convention (they're configurable on the > server/builder side). You could argue that they're appropriate for > current events detection at best, probably. 
> > Examples: > > https://zeustracker.abuse.ch/monitor.php?browse=configs > > DS. > > On Mon, Feb 1, 2010 at 11:30 AM, dn1nj4 wrote: > > After a thorough review of captures from another 40 Zbot samples this AM, > I > > see two additional, consistent request types: > > > > GET /1cfg.bin HTTP/1.0 > > Accept: */* > > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) > > Host: > > Pragma: no-cache > > > > GET /conf.sts HTTP/1.1 > > Accept: */* > > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) > > Host: > > Pragma: no-cache > > > > And one outlier (only 1 sample that did this)... > > > > GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1 > > Accept: */* > > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) > > Host: www.rusibank.com > > Pragma: no-cache > > > > The rule I'm running locally to catch everything I've seen thus far, > minus > > the outlier: > > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > > Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d > > 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referrer|3a|"; > > > pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/"; > > classtype:trojan-activity; > > reference:url, > www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/;sid:2010999 > ; > > rev:3;) > > > > Thoughts? > > > > dn1nj4 > > > > On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 > wrote: > >> I just ran across another Zbot sample with the following header: > >> > >> GET /immagini/eg.bin HTTP/1.1 > >> Accept: */* > >> Connection: Close > >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) > >> Host: www.ato5enna.it > >> Pragma: no-cache > >> > >> Would it be better to drop the Win32 and add eg.bin to the pcre or > create > >> an entirely different signature? Also, classifcation should be > > classtype. 
> >> > >> dn1nj4 > >> > >>> Date: Mon, 01 Feb 2010 06:47:43 -0800 > >>> From: dn1nj4 > >>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2 > >>> To: > >>> Message-ID: > >>> Content-Type: text/plain; charset="UTF-8" > >>> > >>> Thanks for the feedback. Drawing on evilghost and Mike's > >> recommendations: > >>> > >>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > >>> Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d > >>> 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d > >>> 0a|"; content:!"|0d 0a|Referrer|3a|"; > >>> pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; > >>> classification:trojan-activity; reference:url, > >>> > >> > > > www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/ > ; > >>> sid:2010xxx; rev:3;) > > > > -- > Darren Spruell > phatbuckett at gmail.com >
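The two rule revisions argued over above, dn1nj4's rev 3 Zbot pcre and Mike Cox's '&'-anchored Oficla uricontent lists, can be exercised offline. The block below is an added example written for this archive, not code posted to the list or shipped in the ET ruleset: it reduces the content/uricontent/pcre options to substring and regex tests on a constructed request, replays the captures quoted in the thread (the 1cfg.bin, conf.sts, eg.bin and outlier requests, plus the ad-click URI Mike posted in base64) and adds a few constructed requests that are labelled as such. The unanchored Oficla parameter list is an assumption about the pre-revision rule, inferred from Mike's message. One thing the replay makes visible: the Zbot rule negates `|0d 0a|Referrer|3a|`, while the HTTP header is spelled `Referer`, so that exclusion never applies to a real request.

```python
"""Added example for this archive (not code from the list or the ET
ruleset): emulate the content/uricontent/pcre checks of the Zbot rev 3
rule and the '&'-anchored Oficla rules as substring/regex tests, and
replay the requests quoted in the thread plus a few constructed ones."""
import base64
import re

CRLF = "\r\n"
UA_WIN32 = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
UA_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


def request(uri, extra_headers=(), version="1.1", ua=UA_WIN32, host=""):
    """Raw GET request in the shape of the captures dn1nj4 posted."""
    lines = [f"GET {uri} HTTP/{version}", "Accept: */*", *extra_headers,
             f"User-Agent: {ua}", f"Host: {host}", "Pragma: no-cache"]
    return CRLF.join(lines) + CRLF + CRLF


def uri_of(payload):
    """Stand-in for Snort's normalized URI buffer: the request-target."""
    return payload.split(" ", 2)[1]


# pcre from the rev 3 "ET TROJAN Zbot/Zeus Download Request" rule; it has
# no /U modifier, so it is applied to the whole payload.
ZBOT_PCRE = re.compile(
    r"/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)")


def zbot_rule_matches(payload):
    return (payload[:4] == "GET "                       # content:"GET "; depth:4
            and CRLF + "Accept: */*" + CRLF in payload  # |0d 0a|Accept|3a| */*|0d 0a|
            and CRLF + "Referrer:" not in payload       # negated content, as posted
            and ZBOT_PCRE.search(payload) is not None)


def oficla_rule_matches(payload, uricontents):
    """Oficla check-in rule: GET, two negated headers, then every
    uricontent as a case-insensitive substring of the URI (no ordering)."""
    lower = payload.lower()
    uri = uri_of(payload).lower()
    return (lower[:4] == "get "
            and CRLF + "referer: " not in lower
            and CRLF + "accept-encoding: " not in lower
            and all(needle.lower() in uri for needle in uricontents))


# Assumed pre-revision parameter list (bare names), and the two lists
# Mike posted with '&' in front of every parameter but the first.
OFICLA_UNANCHORED = (".php?", "v=", "id=", "b=", "tm=")
OFICLA_V_FIRST = (".php?", "v=", "&id=", "&b=", "&tm=")
OFICLA_ID_FIRST = (".php?", "id=", "&v=", "&b=", "&tm=")

# The false-positive string Mike posted, still base64 encoded.
AD_URI_B64 = (
    "Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAy"
    "X19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4"
    "czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0"
    "dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMm"
    "dj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0"
    "X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29t"
    "LyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw==")


def decoded_ad_uri():
    return base64.b64decode(AD_URI_B64).decode("ascii")


def evaluate():
    """Return {rule: {sample: matched}} for every rule variant."""
    zbot = {
        "1cfg.bin": request("/1cfg.bin", version="1.0"),
        "conf.sts": request("/conf.sts"),
        "eg.bin": request("/immagini/eg.bin", ["Connection: Close"],
                          ua=UA_XP, host="www.ato5enna.it"),
        "outlier": request("/jfdgdfvvvvvvsdgf.bin", host="www.rusibank.com"),
        # constructed: a config fetch that carries a real Referer header
        "cfg.bin with Referer (constructed)":
            request("/cfg.bin", ["Referer: http://example.invalid/"]),
        "benign index (constructed)": request("/index.html"),
    }
    oficla = {
        "ad click (Mike's FP)": request("/" + decoded_ad_uri()),
        # constructed check-ins in the two parameter orders Darren noted
        "v-first check-in (constructed)": request("/bb.php?v=1&id=123&b=abc&tm=4"),
        "id-first check-in (constructed)": request("/bb.php?id=123&v=1&b=abc&tm=4"),
    }
    return {
        "zbot_rev3": {k: zbot_rule_matches(p) for k, p in zbot.items()},
        "oficla_unanchored": {k: oficla_rule_matches(p, OFICLA_UNANCHORED)
                              for k, p in oficla.items()},
        "oficla_v_first": {k: oficla_rule_matches(p, OFICLA_V_FIRST)
                           for k, p in oficla.items()},
        "oficla_id_first": {k: oficla_rule_matches(p, OFICLA_ID_FIRST)
                            for k, p in oficla.items()},
    }


if __name__ == "__main__":
    for rule, results in evaluate().items():
        for sample, hit in results.items():
            print(f"{rule:18} {'ALERT' if hit else '-':5} {sample}")
```

Run directly, it prints one ALERT/- line per rule and sample. The decoded ad URI hits only the unanchored list, because `bannerid=`, `cb=` and `ptm=` contain `id=`, `b=` and `tm=` as substrings; that is exactly the false positive the '&' anchoring removes, at the cost of needing one rule per parameter order. The Zbot outlier is not matched by the rev 3 pcre, while the constructed config fetch with a real Referer header still is.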
From mike.cox52 at gmail.com Mon Feb 1 14:49:15 2010 From: mike.cox52 at gmail.com (Mike Cox) Date: Mon, 1 Feb 2010 13:49:15 -0600 Subject: [Emerging-Sigs] Proposed Signature: Zbot/Zeus Download Request In-Reply-To: <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> Message-ID: <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com> Whoops, I responded to the wrong thread. This should have been for the Oficla thread. Sorry about that. --Mike Cox On Mon, Feb 1, 2010 at 1:47 PM, Mike Cox wrote: > I sent this last week but it never made it thru to the list (maybe it got > spam filtered because of the link?). I am seeing FPs on strings like this > (you will need to base64 decode it) > > > Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAyX19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMmdj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29tLyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw== > > So I say we try no PCRE (yet) but use '&' on some of the parameters.
We > would only need two rules then: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla > Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; > content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; > nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; > uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; > nocase; classtype:trojan-activity; reference:url, > www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; > sid:2010743; rev:2;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla > Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; > content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; > nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; > uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; > nocase; classtype:trojan-activity; reference:url, > www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; > sid:2010xxx; rev:1;) > > -Mike Cox > > > On Mon, Feb 1, 2010 at 12:59 PM, Darren Spruell wrote: > >> ZeuS/Zbot config and dropzone URLs are all over the place and don't >> follow a standard convention (they're configurable on the >> server/builder side). You could argue that they're appropriate for >> current events detection at best, probably. >> >> Examples: >> >> https://zeustracker.abuse.ch/monitor.php?browse=configs >> >> DS. 
>> >> On Mon, Feb 1, 2010 at 11:30 AM, dn1nj4 wrote: >> > After a thorough review of captures from another 40 Zbot samples this >> AM, I >> > see two additional, consistent request types: >> > >> > GET /1cfg.bin HTTP/1.0 >> > Accept: */* >> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) >> > Host: >> > Pragma: no-cache >> > >> > GET /conf.sts HTTP/1.1 >> > Accept: */* >> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) >> > Host: >> > Pragma: no-cache >> > >> > And one outlier (only 1 sample that did this)... >> > >> > GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1 >> > Accept: */* >> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) >> > Host: www.rusibank.com >> > Pragma: no-cache >> > >> > The rule I'm running locally to catch everything I've seen thus far, >> minus >> > the outlier: >> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >> > Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d >> > 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referrer|3a|"; >> > >> pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/"; >> > classtype:trojan-activity; >> > reference:url, >> www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/;sid:2010999 >> ; >> > rev:3;) >> > >> > Thoughts? >> > >> > dn1nj4 >> > >> > On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 >> wrote: >> >> I just ran across another Zbot sample with the following header: >> >> >> >> GET /immagini/eg.bin HTTP/1.1 >> >> Accept: */* >> >> Connection: Close >> >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) >> >> Host: www.ato5enna.it >> >> Pragma: no-cache >> >> >> >> Would it be better to drop the Win32 and add eg.bin to the pcre or >> create >> >> an entirely different signature? Also, classifcation should be >> > classtype. 
>> >> >> >> dn1nj4 >> >> >> >>> Date: Mon, 01 Feb 2010 06:47:43 -0800 >> >>> From: dn1nj4 >> >>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2 >> >>> To: >> >>> Message-ID: >> >>> Content-Type: text/plain; charset="UTF-8" >> >>> >> >>> Thanks for the feedback. Drawing on evilghost and Mike's >> >> recommendations: >> >>> >> >>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >> >>> Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d >> >>> 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d >> >>> 0a|"; content:!"|0d 0a|Referrer|3a|"; >> >>> pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; >> >>> classification:trojan-activity; reference:url, >> >>> >> >> >> > >> www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/ >> ; >> >>> sid:2010xxx; rev:3;) >> > >> >> >> >> -- >> Darren Spruell >> phatbuckett at gmail.com >> > >
From jason.weir at nhrs.org Mon Feb 1 15:06:52 2010 From: jason.weir at nhrs.org (jason.weir@nhrs.org) Date: 1 Feb 2010 15:06:52 -0500 Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update Message-ID: MalwareURL.com Data Contains 95324 Entries - Here are the top 30 (28410)

 #   Signature   URI                          Count   Description
----------------------------------------------------------------------------------------
 1   2010716     wywg/chd/slkopwt.exe         947     trojan onlinegames
 2   2010716     wywg/cqwz/sqkiwg.exe         947     trojan onlinegames
 3   2010716     wywg/mxd/mioslwer.exe        947     trojan onlinegames
 4   2010716     wywg/my/myxyjgj.exe          947     trojan onlinegames
 5   2010716     wywg/mssj/constant.exe       947     trojan onlinegames
 6   2010716     wywg/chd/lpspwt67.exe        947     trojan onlinegames
 7   2010716     wywg/txer/sitoswd.exe        947     trojan onlinegames
 8   2010716     wywg/dxcys/ordinary.exe      947     trojan onlinegames
 9   2010716     wywg/txer/downower.exe       947     trojan onlinegames
10   2010716     wywg/dh2/barley.exe          947     trojan onlinegames
11   2010716     wywg/wmgj/p9pj21.exe         947     trojan onlinegames
12   2010716     wywg/mssj/stress.exe         947     trojan onlinegames
13   2010716     wywg/jxqy3/jxkdk.exe         947     trojan onlinegames
14   2010716     wywg/wlwz/ffwg1022.exe       947     trojan onlinegames
15   2010716     wywg/cqwz/mfwgsw.exe         947     trojan onlinegames
16   2010716     wywg/mssj/brittle.exe        947     trojan onlinegames
17   2010716     wywg/rxcq/permin.exe         947     trojan onlinegames
18   2010716     wywg/dxcys/Wilhelm.exe       947     trojan onlinegames
19   2010716     wywg/rxcq/market.exe         947     trojan onlinegames
20   2010716     wywg/zx/zwwghg.exe           947     trojan onlinegames
21   2010716     wywg/mxd/kpske3.exe          947     trojan onlinegames
22   2010716     wywg/chd/opaslf.exe          947     trojan onlinegames
23   2010716     wywg/yhzt/yhztzxieiai.exe    947     trojan onlinegames
24   2010716     wywg/dxcys/peasant.exe       947     trojan onlinegames
25   2010716     wywg/rxcq/geoloal.exe        947     trojan onlinegames
26   2010716     wywg/wmgj/wmdtgjg.exe        947     trojan onlinegames
27   2010716     wywg/hx2/handfu.exe          947     trojan onlinegames
28   2010716     wywg/qqhx/abdomen.exe        947     trojan onlinegames
29   2010716     wywg/cqsj/allowed.exe        947     trojan onlinegames
30   2010716     wywg/zx/dtgjwi2.exe          947     trojan onlinegames

From emerging at emergingthreats.net Mon Feb 1 16:00:14 2010 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Mon, 1 Feb 2010 16:00:14 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20100201210014.687A04502D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Feb 1 16:00:14 2010 [***]

[+++] Added rules: [+++]

2010745 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt (emerging-web_specific_apps.rules)
2010746 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt (emerging-web_specific_apps.rules)
2010747 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt (emerging-web_specific_apps.rules)
2010748 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt (emerging-web_specific_apps.rules)
2010749 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt (emerging-web_specific_apps.rules)
2010750 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010751 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010752 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules)
2010753 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules)
2010754 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (34):

2010745 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
2010746 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
2010747 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
2010748 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
2010749 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
2010750 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
2010751 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
2010752 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
2010753 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
2010754 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (435) ||
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (34): 2010745 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow 
Function call Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010746 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010747 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010748 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010749 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010750 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010751 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010752 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010753 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010754 || ET WEB_SPECIFIC_APPS 
Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 
2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From kevross33 at googlemail.com Mon Feb 1 16:42:48 2010 From: kevross33 at googlemail.com (Kevin Ross) Date: Mon, 1 Feb 2010 21:42:48 +0000 Subject: [Emerging-Sigs] SIG: IBM DB2 kuddb2 Remote Denial of Service Attempt Message-ID: alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service 
Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; sid:130000001; rev:1;)

Only 5 bytes sent to the kuddb2 port are needed to crash it.

Kev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100201/7a23ffc8/attachment.html

From eslerj at gmail.com Mon Feb 1 16:44:56 2010
From: eslerj at gmail.com (Joel Esler)
Date: Mon, 1 Feb 2010 16:44:56 -0500
Subject: [Emerging-Sigs] SIG: IBM DB2 kuddb2 Remote Denial of Service Attempt
In-Reply-To: 
References: 
Message-ID: 

This is a perfect example of the difference between flow and variables. Anyone that doesn't understand flow should read this rule.

J

On Feb 1, 2010, at 4:42 PM, Kevin Ross wrote:

> alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; sid:130000001; rev:1;)
>
> Only 5 bytes sent to the kuddb2 port are needed to crash it.
>
> Kev
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

--
Joel Esler
302-223-5974
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100201/a4cd07fd/attachment-0001.html From r.fulton at auckland.ac.nz Mon Feb 1 18:09:12 2010 From: r.fulton at auckland.ac.nz (Russell Fulton) Date: Tue, 2 Feb 2010 12:09:12 +1300 Subject: [Emerging-Sigs] 2010347 & 2010552 seem to be targeting same activity Message-ID: GET /hitin.php?land=20&affid=92800 one sig targets the 'hitin' the other targets the parameters.... Russell From deapesh at gmail.com Tue Feb 2 00:03:43 2010 From: deapesh at gmail.com (Deapesh Misra) Date: Tue, 2 Feb 2010 00:03:43 -0500 Subject: [Emerging-Sigs] Yahlover worm sig Message-ID: <22b0e07b1002012103k695788cev264ee9c5a67832b0@mail.gmail.com> The signature for Yahlover worm (sid: 2010458) seems to be very similar to the following Win32 Dialer Trojan signatures: 2008441 2010603 and possibly related to sigs: 2008490 2008430 Seems to me that 2010458 should also be categorized as a sig for Win32 Dialer trojan activity (unless anybody else has more information). -Deapesh. 
From mail at mare-system.de Tue Feb 2 06:41:21 2010
From: mail at mare-system.de (mex)
Date: Tue, 02 Feb 2010 12:41:21 +0100
Subject: [Emerging-Sigs] Strange GET - Requests
Message-ID: <4B680F61.6070703@mare-system.de>

Some time ago I had to face some nasty DDoS with lots of GET requests like this:

GET blih.blah.blub.php

Nothing more. That seems to be similar to a DDoS like the one described in the following blog (German, but should work with Google Translate):
http://burnachurch.com/74/ddos-abwehr-mit-apaches-mod_security2/

# HTTP-GET w/out slash
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Strange GET - Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:!"/"; within:2; nocase; classtype:attempted-recon; sid:11220082; rev:1;)

Strangely enough, the rule catches stuff like the following:

GET http://img1.mypets.ws/img-32025.jpg HTTP/1.1
User-Agent: webcollage/1.135a
Host: img1.mypets.ws

UA webcollage seems to be not harmful:
http://www.useragentstring.com/pages/webcollage/

But I wonder why this is in my logs.

mex

From spooker at gmail.com Tue Feb 2 07:39:36 2010
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Tue, 2 Feb 2010 10:39:36 -0200
Subject: [Emerging-Sigs] Strange GET - Requests
In-Reply-To: <4B680F61.6070703@mare-system.de>
References: <4B680F61.6070703@mare-system.de>
Message-ID: <9255886c1002020439u438e4591m3f98cc1900ac8891@mail.gmail.com>

Probably somebody looking for an open proxy.

On Tue, Feb 2, 2010 at 9:41 AM, mex wrote:
>
> some time ago i had to face some nasty ddos
> with lots of GET-Requests like this:
> GET blih.blah.blub.php
> nothing more, that seems to be similar to a
> ddos like described in the following blog
> (german, but should work with google-translate)
> http://burnachurch.com/74/ddos-abwehr-mit-apaches-mod_security2/
>
> # HTTP-GET w/out slash
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Strange GET - Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:!"/"; within:2; nocase; classtype:attempted-recon; sid:11220082; rev:1;)
>
>
> strangely enough, the rule catches stuff like the following:
>
> GET http://img1.mypets.ws/img-32025.jpg HTTP/1.1
> User-Agent: webcollage/1.135a
> Host: img1.mypets.ws
>
> UA webcollage seems to be not harmful:
> http://www.useragentstring.com/pages/webcollage/
>
> but i wonder why this is in my logs.
>
> mex
>

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From jonkman at jonkmans.com Tue Feb 2 08:22:44 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Feb 2010 08:22:44 -0500
Subject: [Emerging-Sigs] Strange GET - Requests
In-Reply-To: <4B680F61.6070703@mare-system.de>
References: <4B680F61.6070703@mare-system.de>
Message-ID: <4B682724.4090605@jonkmans.com>

It's likely legitimate to have a GET without a leading slash. I don't think we can sig that. Too many FPs.

The one with the http:// in it was a proxy request. Also legit.

That useragent on the sample is interesting. You know what it is?
Matt On 2/2/10 6:41 AM, mex wrote: > > some time ago i had to face some nasty ddos > with lots of GET-Requests like this: > GET blih.blah.blub.php > nothing more, that seems to be similar to a > ddos like described in the following blog > (german, but should work with google-translate) > http://burnachurch.com/74/ddos-abwehr-mit-apaches-mod_security2/ > > # HTTP-GET w/out slash > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Strange GET - Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:!"/"; within:2; nocase; classtype:attempted-recon; sid:11220082; rev:1;) > > > > strangely enough, the rule catches stuff like the following: > > GET http://img1.mypets.ws/img-32025.jpg HTTP/1.1 > User-Agent: webcollage/1.135a > Host: img1.mypets.ws > > UA webcollage seems to be not harmfull: > http://www.useragentstring.com/pages/webcollage/ > > > but i wonder why this is in my logs. > > > > mex > > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! 
Tshirts, Coffee Mugs and Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From mail at mare-system.de Tue Feb 2 09:00:00 2010 From: mail at mare-system.de (mex) Date: Tue, 02 Feb 2010 15:00:00 +0100 Subject: [Emerging-Sigs] Strange GET - Requests In-Reply-To: <4B682724.4090605@jonkmans.com> References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com> Message-ID: <4B682FE0.8060309@mare-system.de> # HTTP-GET Proxy Request alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER GET - Proxy-Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"http\://"; within:8; nocase; classtype:attempted-recon; sid:11220083; rev:1;) you always make me study the rfcs ;-) for as far as i read in rfc2616-sec5 a GET-Request (beside a proxy-request) needs to have a leading slash: --- snip --------------------- The most common form of Request-URI is that used to identify a resource on an origin server or gateway. In this case the **absolute path** of the URI **MUST** be transmitted (see section 3.2.1, abs_path) as the Request-URI, and the network location of the URI (authority) MUST be transmitted in a Host header field. For example, a client wishing to retrieve the resource above directly from the origin server would create a TCP connection to port 80 of the host "www.w3.org" and send the lines: GET /pub/WWW/TheProject.html HTTP/1.1 Host: www.w3.org followed by the remainder of the Request. Note that the absolute path cannot be empty; if none is present in the original URI, it MUST be given as "/" (the server root). 
http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html
--- snap ------------------------

For me an abs_path always starts with a /. When I

$ telnet myserver.moc 80
GET index.html HTTP/1.0

HTTP/1.1 400 Bad Request
Date: Tue, 02 Feb 2010 13:32:14 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Accept-Encoding
Content-Length: 405
Connection: close
Content-Type: text/html; charset=iso-8859-1

400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.

my server answers with error 400 Bad Request.

I think such broken requests will never come from legit browsers, more from scanners/attack tools and poorly coded small apps.

But you're right, this might FP under certain circumstances, like proxy abuse ... This leads me to the above sig: as I played with telnet and GET no rule fired anyway, so I created the one above; maybe it'll false too ...

Regarding the user-agent:
http://www.useragentstring.com/pages/webcollage/

Matt Jonkman wrote:
> It's likely legitimate to have a GET without a leading slash. I don't
> think we can sig that. Too many FPs.
>
> The one with the http:// in it was a proxy request. Also legit.
>
> That useragent on the sample is interesting. You know what it is?
>
> Matt
>

From kevross33 at googlemail.com Tue Feb 2 09:31:25 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 2 Feb 2010 14:31:25 +0000
Subject: [Emerging-Sigs] [Oisf-users] Interoprability of Suricata with commercial firewalls
In-Reply-To: <4B6834EA.8030306@jonkmans.com>
References: <4B66F15A.9020505@gmail.com> <4B67F516.1000205@inliniac.net> <4B67F5BE.3010405@gmail.com> <4B67F67D.3070307@inliniac.net> <4B67F896.9080803@gmail.com> <4B6834EA.8030306@jonkmans.com>
Message-ID: 

I was always unsure if snortsam can also support ASA firewalls (similar command set for shuns anyway but ACL syntax is a bit different).

On 2 February 2010 14:21, Matt Jonkman wrote:
> I'd like to reinforce that we're definitely considering that, and ideas
> are very welcome.
>
> At the very minimum we'll work to make suricata snortsam compatible. But
> it's very possible that we'll move some of that snortsam functionality
> into the suricata engine itself under the IP Reputation umbrella.
>
> Do you see more detailed or more expansive functionality that snortsam
> of interest, or do you have more ideas there?
> > Matt > > On 2/2/10 5:04 AM, carlopmart wrote: > > Victor Julien wrote: > >> carlopmart wrote: > >>> Victor Julien wrote: > >>>> carlopmart wrote: > >>>>> Hi all, > >>>>> > >>>>> Will be Suricata IDS/IPS interoperable with commercial firewalls > like StoneGate or > >>>>> CheckPoint Firewall-1 on future releases?? > >>>> Currently we have no interoperability with those. What kind of > >>>> functionality are you looking for? Something similar to Snortsam? > >>>> > >>>> Cheers, > >>>> Victor > >>>> > >>> Yes, correct like snortsam does or similar ... > >> > >> Ideas do exist to do something similar to Snortsam, but those haven't > >> left the ideas stage yet. We have quite a bit of work to do on the > >> engine itself first. > >> > >> Cheers, > >> Victor > >> > > > > Thanks, victor. > > > > -- > > ---------------------------------------------------- > Matthew Jonkman > Emerging Threats > Open Information Security Foundation (OISF) > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > http://www.openinfosecfoundation.org > ---------------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > _______________________________________________ > Oisf-users mailing list > Oisf-users at openinfosecfoundation.org > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100202/0e42edf4/attachment.html From jeff-kell at utc.edu Tue Feb 2 09:37:18 2010 From: jeff-kell at utc.edu (Jeff Kell) Date: Tue, 02 Feb 2010 09:37:18 -0500 Subject: [Emerging-Sigs] [Oisf-users] Interoprability of Suricata with commercial firewalls In-Reply-To: References: <4B66F15A.9020505@gmail.com> <4B67F516.1000205@inliniac.net> <4B67F5BE.3010405@gmail.com> <4B67F67D.3070307@inliniac.net> <4B67F896.9080803@gmail.com> <4B6834EA.8030306@jonkmans.com> Message-ID: <4B68389E.6020708@utc.edu> On 2/2/2010 9:31 AM, Kevin Ross wrote: > I was always unsure if snortsam can also support ASA firewalls > (similar command set for shuns anyway but ACL syntax is a bit different). It certainly works with ASAs if you use the PIX plugin, you essentially get shuns. It would not work as-is with the router ACL / null-route plugins. I seem to recall a minor tweak to work around a minor inconsistency between ASA/PIX behavior, but that should have been incorporated into the source some time ago (Frank?). I've been using it with ASAs for years. Jeff From william.metcalf at gmail.com Tue Feb 2 09:43:37 2010 From: william.metcalf at gmail.com (Will Metcalf) Date: Tue, 2 Feb 2010 08:43:37 -0600 Subject: [Emerging-Sigs] [Oisf-users] Interoprability of Suricata with commercial firewalls In-Reply-To: <4B68389E.6020708@utc.edu> References: <4B66F15A.9020505@gmail.com> <4B67F516.1000205@inliniac.net> <4B67F5BE.3010405@gmail.com> <4B67F67D.3070307@inliniac.net> <4B67F896.9080803@gmail.com> <4B6834EA.8030306@jonkmans.com> <4B68389E.6020708@utc.edu> Message-ID: One thing that snortsam is lacking that I think keeps it from being deployed in a lot of places (at least the places I've been) is support for ssh, so whatever we come up needs to support this I think. 
Regards, Will On Tue, Feb 2, 2010 at 8:37 AM, Jeff Kell wrote: > On 2/2/2010 9:31 AM, Kevin Ross wrote: > > I was always unsure if snortsam can also support ASA firewalls > > (similar command set for shuns anyway but ACL syntax is a bit different). > > It certainly works with ASAs if you use the PIX plugin, you essentially > get shuns. It would not work as-is with the router ACL / null-route > plugins. > > I seem to recall a minor tweak to work around a minor inconsistency > between ASA/PIX behavior, but that should have been incorporated into > the source some time ago (Frank?). > > I've been using it with ASAs for years. > > Jeff > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and > Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100202/730aa9e1/attachment.html

From jason.weir at nhrs.org Tue Feb 2 12:11:02 2010
From: jason.weir at nhrs.org (Weir, Jason)
Date: Tue, 2 Feb 2010 12:11:02 -0500
Subject: [Emerging-Sigs] Inbound Bad Email Attachments
Message-ID: 

Couple updates to the DHL sig (2010148) and 2 new ones I started seeing this morning:

DHL_document_Nr17124.zip
DHL_Label_97c78.zip
Invitation Card.zip
Shipping documents.zip

Would the sig below work for the DHL attachments (2010148)? Working on my sig skills; basically changed the pcre from

pcre:"/filename\s*=\s*"DHL_(package_label_|print_label_).....\.zip/m";

to

pcre:"/filename\s*=\s*"DHL_(Label_|document_|package_label_|print_label_)(.....|.......)\.zip/m";

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"DHL_"; within:50; pcre:"/filename\s*=\s*"DHL_(Label_|document_|package_label_|print_label_)(.....|.......)\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010148; rev:5;)

Two new ones - not sure how to incorporate both of those in 1 sig and still use content match.. School me..

Jason

_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
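To check whether the revised pcre above really covers the four reported filenames, and to show one way to fold the two fixed names into a single match, here is an added example in Python. It is editor-written test code, not the ET rule or anything Jason posted: it applies the same filename pattern to decoded attachment names and runs it over constructed MIME messages (the sender, recipient and zip payload are invented; only the four filenames come from the message above). My own suggestion for the second sig, not something the list proposed, is a single rule that keeps `content:"Content-Disposition|3A| attachment"` and `content:".zip"` as its content anchors and puts both fixed names in one pcre alternation, which is what `FIXED_RE` models.

```python
import email
import re
from email import policy

# Filename pattern lifted from the revised pcre in the message above: one of the
# known stems, then exactly 5 or 7 characters, then .zip.  The IDS pcre matches
# the raw header bytes; here it is applied to the decoded filename, so it can be
# anchored at both ends.  (Added example, not the ET rule itself.)
DHL_RE = re.compile(
    r"^DHL_(Label_|document_|package_label_|print_label_)(.{5}|.{7})\.zip$",
    re.IGNORECASE,
)

# The two fixed names from the same message, as a single alternation (assumption:
# exact names are what the second sig should match).
FIXED_RE = re.compile(r"^(Invitation Card|Shipping documents)\.zip$", re.IGNORECASE)


def classify_filename(name):
    """Return 'dhl', 'fixed' or None for one attachment filename."""
    if DHL_RE.match(name):
        return "dhl"
    if FIXED_RE.match(name):
        return "fixed"
    return None


def attachment_filenames(raw_message):
    """Parse a raw RFC 5322 message and return the filenames of its attachment parts.

    The stdlib parser unfolds headers and decodes quoted / RFC 2231 filenames,
    which a byte-level content match in a rule can only approximate.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            fn = part.get_filename()
            if fn:
                names.append(fn)
    return names


def scan_message(raw_message):
    """Return [(filename, label)] for every attachment in the message."""
    return [(fn, classify_filename(fn)) for fn in attachment_filenames(raw_message)]


def _mime(filename):
    # Constructed sample message (not real spam); only the attachment name varies.
    return (
        "From: DHL Express <noreply@example.invalid>\n"
        "To: user@example.invalid\n"
        "Subject: DHL delivery notification\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Please print the attached label.\n"
        "--b1\n"
        f'Content-Type: application/zip; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "UEsDBAoAAAAAAA==\n"
        "--b1--\n"
    )


SAMPLE_DHL = _mime("DHL_document_Nr17124.zip")
SAMPLE_FIXED = _mime("Shipping documents.zip")
SAMPLE_BENIGN = _mime("quarterly-report.pdf")

if __name__ == "__main__":
    for raw in (SAMPLE_DHL, SAMPLE_FIXED, SAMPLE_BENIGN):
        print(scan_message(raw))
```

The alternation `(.{5}|.{7})` followed by `\.zip` works because the regex engine backtracks: `Nr17124` fails the five-character branch and succeeds on the seven-character one, while a six-character tail such as `DHL_Label_123456.zip` matches neither, so the sig is as narrow as the samples seen so far.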
From phatbuckett at gmail.com Tue Feb 2 13:17:31 2010
From: phatbuckett at gmail.com (Darren Spruell)
Date: Tue, 2 Feb 2010 11:17:31 -0700
Subject: [Emerging-Sigs] Fake AV download URI access
In-Reply-To: <1261606352.34379.74.camel@localhost>
References: <6116b9e20912220854p4c0e14c9sada81d329d88f806@mail.gmail.com> <4B316BC7.8020407@jonkmans.com> <1261604393.34379.36.camel@localhost> <6116b9e20912231407y55bf8ba9l72db28b2d148a75a@mail.gmail.com> <1261606352.34379.74.camel@localhost>
Message-ID: <839aec701002021017n36e209f5pa8d45a9f9b0cac59@mail.gmail.com>

On Wed, Dec 23, 2009 at 3:12 PM, Frank Knobbe wrote:
> On Wed, 2009-12-23 at 16:07 -0600, Mike Cox wrote:
>> SID 2010347 will alert on most cases but is not the same as the
>> proposed rule. Similar "dupes" exist with 2010347 and 2010552, but I
>> personally think that maintaining defense in depth adroitness is
>> prudent and wise.
>
> Oh I'm all for defense in depth. At the same time we should strive to
> avoid duplicates. If there are two sigs that alert on the same thing, we
> should combine them into one.
>
> If your rule alerts on more Fake A/V than 2010347, and there aren't
> cases where 2010347 would alert but not yours, then we should drop
> 2010347 and use yours.

When I put 2010347 together I intentionally left 'hitin.php' out of the picture because the fakeAVs have been a bit of a moving target and I didn't want to risk FNs should the page names change or become variable (as we've seen happen with a few HTTP C&C cases). If this were to happen we'd be out detection if not flagging the parameter-laden requests sans page name.

That said, it's been my assumption that while the full scope of requests handled by /hitin.php would not be picked up by 2010347 that at some point in the infection chain every client will make that request at least once, giving a reliable detection. My view has been that it's not critical to pick up every request but rather flag on at least a single reliable indicator per compromise.
-- Darren Spruell phatbuckett at gmail.com From phatbuckett at gmail.com Tue Feb 2 13:23:38 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Tue, 2 Feb 2010 11:23:38 -0700 Subject: [Emerging-Sigs] 2010347 & 2010552 seem to be targeting same activity In-Reply-To: References: Message-ID: <839aec701002021023yf48c1t3b12c57ee53937e3@mail.gmail.com> On Mon, Feb 1, 2010 at 4:09 PM, Russell Fulton wrote: > > > GET /hitin.php?land=20&affid=92800 > > one sig targets the 'hitin' the other targets the parameters.... Looks like a few opportunities for FPs exist with matching exclusively on '/hitin.php' as well; http://www.google.com/search?hl=en&q=inurl%3A%2Fhitin.php+-inurl%3Aland+-inurl%3Aaffid&aq=f&aqi=&oq= E.g. http://www.rankingportal.net/hitin.php?id=coverxp http://tiensrus.ru/article/hitin.php http://www.freeshards-uo.de/hitin.php?ID=15 See also http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-February/005977.html -- Darren Spruell phatbuckett at gmail.com From jonkman at jonkmans.com Tue Feb 2 13:07:32 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Tue, 02 Feb 2010 13:07:32 -0500 Subject: [Emerging-Sigs] Strange GET - Requests In-Reply-To: <4B682FE0.8060309@mare-system.de> References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com> <4B682FE0.8060309@mare-system.de> Message-ID: <4B6869E4.2060105@jonkmans.com> You're definitely right there! Thanks for doing the research I should have before disagreeing. :) That sig will also have to take into account other types of protocols, like ftp://, rtsp://, https://, any number of things. if we can defeat that then it'd be good to add to the ruleset! 
Matt

On 2/2/10 9:00 AM, mex wrote:
>
> # HTTP-GET Proxy Request
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER GET - Proxy-Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"http\://"; within:8; nocase; classtype:attempted-recon; sid:11220083; rev:1;)
>
>
> you always make me study the rfcs ;-)
>
> for as far as i read in rfc2616-sec5 a GET-Request
> (beside a proxy-request) needs to have a leading slash:
>
> --- snip ---------------------
>
> The most common form of Request-URI is that used to identify a
> resource on an origin server or gateway. In this case the
> **absolute path** of the URI **MUST** be transmitted
> (see section 3.2.1, abs_path) as the Request-URI, and the
> network location of the URI (authority) MUST be transmitted in a
> Host header field. For example, a client wishing to retrieve the
> resource above directly from the origin server would create a
> TCP connection to port 80 of the host "www.w3.org" and send the lines:
>
> GET /pub/WWW/TheProject.html HTTP/1.1
> Host: www.w3.org
>
> followed by the remainder of the Request. Note that the absolute path
> cannot be empty; if none is present in the original URI, it MUST be
> given as "/" (the server root).
>
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html
> --- snap ------------------------
>
> for me an abs_path always starts with a /
>
> when i
> $ telnet myserver.moc 80
> GET index.html HTTP/1.0
>
>
> HTTP/1.1 400 Bad Request
> Date: Tue, 02 Feb 2010 13:32:14 GMT
> Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
> Vary: Accept-Encoding
> Content-Length: 405
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> 400 Bad Request
>
> Bad Request
>
> Your browser sent a request that this server could not understand.
>
> my server answers with error 400 bad request.
>
>
> i think such broken requests will never come from legit
> browsers, more from scanners/attack-tools and poorly coded
> small apps.
>
> but you're right, this might fp under certain circumstances, like
> proxy-abuse ... this leads me to the above sig: as i played with telnet
> and GET no rule fired anyway, so i created the one above; maybe
> it'll false too ...
>
>
> regarding the user-agent:
> http://www.useragentstring.com/pages/webcollage/
>
>
> Matt Jonkman wrote:
>> It's likely legitimate to have a GET without a leading slash. I don't
>> think we can sig that. Too many FPs.
>>
>> The one with the http:// in it was a proxy request. Also legit.
>>
>> That useragent on the sample is interesting. You know what it is?
>>
>> Matt
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Feb 2 13:12:53 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Feb 2010 13:12:53 -0500
Subject: [Emerging-Sigs] Yahlover worm sig
In-Reply-To: <22b0e07b1002012103k695788cev264ee9c5a67832b0@mail.gmail.com>
References: <22b0e07b1002012103k695788cev264ee9c5a67832b0@mail.gmail.com>
Message-ID: <4B686B25.2070907@jonkmans.com>

I agree, moved it over and renamed. Thanks Deapesh.
Matt

On 2/2/10 12:03 AM, Deapesh Misra wrote:
> The signature for Yahlover worm (sid: 2010458) seems to be very
> similar to the following Win32 Dialer Trojan signatures:
>
> 2008441
> 2010603
>
> and possibly related to sigs:
> 2008490
> 2008430
>
> Seems to me that 2010458 should also be categorized as a sig for Win32
> Dialer trojan activity (unless anybody else has more information).
>
> -Deapesh.

From jonkman at jonkmans.com Tue Feb 2 13:17:42 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Feb 2010 13:17:42 -0500
Subject: [Emerging-Sigs] SIG: IBM DB2 kuddb2 Remote Denial of Service Attempt
Message-ID: <4B686C46.3080607@jonkmans.com>

Posted, thanks!
Matt

On 2/1/10 4:42 PM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; sid:130000001; rev:1;)

From jonkman at jonkmans.com Tue Feb 2 13:20:43 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Feb 2010 13:20:43 -0500
Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign)
In-Reply-To: <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com>
References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com>
Message-ID: <4B686CFB.6000506@jonkmans.com>

Great discussion! Can I ask for a final sig from the working group here
then? :)

Which will be the way to go? (sorry, I'm time-bandwidth limited this
week so can't really hop in to slug it out for a few days)

Matt

On 2/1/10 2:49 PM, Mike Cox wrote:
> Whoops, I responded to the wrong thread. This should have been for the
> Oficla thread. Sorry about that.
>
> --Mike Cox
>
> On Mon, Feb 1, 2010 at 1:47 PM, Mike Cox wrote:
>
>> I sent this last week but it never made it thru to the list (maybe
>> it got spam filtered because of the link?). I am seeing FPs on
>> strings like this (you will need to base64 decode it)
>>
>> Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAyX19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMmdj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29tLyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw==
>>
>> So I say we try no PCRE (yet) but use '&' on some of the
>> parameters. We would only need two rules then:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:2;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)
>>
>> -Mike Cox
>>
>>
>> On Mon, Feb 1, 2010 at 12:59 PM, Darren Spruell wrote:
>>
>>> ZeuS/Zbot config and dropzone URLs are all over the place and don't
>>> follow a standard convention (they're configurable on the
>>> server/builder side). You could argue that they're appropriate for
>>> current events detection at best, probably.
>>>
>>> Examples:
>>>
>>> https://zeustracker.abuse.ch/monitor.php?browse=configs
>>>
>>> DS.
>>>
>>> On Mon, Feb 1, 2010 at 11:30 AM, dn1nj4 wrote:
>>>> After a thorough review of captures from another 40 Zbot samples this AM, I
>>>> see two additional, consistent request types:
>>>>
>>>> GET /1cfg.bin HTTP/1.0
>>>> Accept: */*
>>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>>>> Host:
>>>> Pragma: no-cache
>>>>
>>>> GET /conf.sts HTTP/1.1
>>>> Accept: */*
>>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>>>> Host:
>>>> Pragma: no-cache
>>>>
>>>> And one outlier (only 1 sample that did this)...
>>>>
>>>> GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1
>>>> Accept: */*
>>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>>>> Host: www.rusibank.com
>>>> Pragma: no-cache
>>>>
>>>> The rule I'm running locally to catch everything I've seen thus far, minus
>>>> the outlier:
>>>>
>>>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010999; rev:3;)
>>>>
>>>> Thoughts?
>>>>
>>>> dn1nj4
>>>>
>>>> On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 wrote:
>>>>> I just ran across another Zbot sample with the following header:
>>>>>
>>>>> GET /immagini/eg.bin HTTP/1.1
>>>>> Accept: */*
>>>>> Connection: Close
>>>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>>>>> Host: www.ato5enna.it
>>>>> Pragma: no-cache
>>>>>
>>>>> Would it be better to drop the Win32 and add eg.bin to the pcre or create
>>>>> an entirely different signature? Also, classification should be classtype.
>>>>>
>>>>> dn1nj4
>>>>>
>>>>>> Date: Mon, 01 Feb 2010 06:47:43 -0800
>>>>>> From: dn1nj4
>>>>>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2
>>>>>> Content-Type: text/plain; charset="UTF-8"
>>>>>>
>>>>>> Thanks for the feedback. Drawing on evilghost and Mike's
>>>>>> recommendations:
>>>>>>
>>>>>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classification:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:3;)
>>>
>>> -- 
>>> Darren Spruell
>>> phatbuckett at gmail.com

From evilghost at packetmail.net Tue Feb 2 13:34:01 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 2 Feb 2010 12:34:01 -0600
Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign)
In-Reply-To: <4B686CFB.6000506@jonkmans.com>
References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com> <4B686CFB.6000506@jonkmans.com>
Message-ID: <4B687019.4020001@packetmail.net>

My vote - Try the Mike Cox signatures, if they false like the current
Oficla is, then we revert to a PCRE with ordering and write multiple
signatures to account for the ordering differences that Darren identified.
These would be:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)

-evilghost

Matt Jonkman wrote:
> Great discussion! Can I ask for a final sig from the working group here
> then? :)
>
> Which will be the way to go? (sorry, I'm time-bandwidth limited this
> week so can't really hop in to slug it out for a few days)
>
> Matt
>
> On 2/1/10 2:49 PM, Mike Cox wrote:
>
>> Whoops, I responded to the wrong thread. This should have been for the
>> Oficla thread. Sorry about that.
>>
>> --Mike Cox
>>
>> [...]

From mike.cox52 at gmail.com Tue Feb 2 13:41:02 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Tue, 2 Feb 2010 12:41:02 -0600
Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign)
In-Reply-To: <4B687019.4020001@packetmail.net>
References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com> <4B686CFB.6000506@jonkmans.com> <4B687019.4020001@packetmail.net>
Message-ID: <6116b9e21002021041o358a69daw7bebcd0012709f9e@mail.gmail.com>

Agreed. The sooner the better. This rule has been falsing a lot since
Friday.

-Mike Cox

On Tue, Feb 2, 2010 at 12:34 PM, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:
> My vote - Try the Mike Cox signatures, if they false like the current
> Oficla is, then we revert to a PCRE with ordering and write multiple
> signatures to account for the ordering differences that Darren identified.
>
> These would be:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:2;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)
>
> -evilghost
>
> Matt Jonkman wrote:
>> Great discussion! Can I ask for a final sig from the working group here
>> then? :)
>>
>> [...]
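An added example, not code from the thread or from Snort, that puts the discussion above to the test: a small Python emulation of the content/uricontent modifiers the quoted rules rely on (depth, within, nocase, negation), run over constructed requests. It covers Mike's two '&'-anchored Oficla rules, an un-anchored variant that is assumed to be what the falsing revision matched (the thread says '&' was added but never quotes the earlier revision), and mex's "Strange GET" rule (quoted in Matt's reply earlier in this digest) both with the posted within:2 and with the within:8 Frank suggests in his reply below. The check-in URIs, the OpenX-style ad-click URI modelled on the base64 false positive Mike decoded, and the host names are all made up.

```python
"""Toy emulation of the Snort content/uricontent checks in this thread.

Added example, not code from the thread or from Snort.  Only the modifiers
the quoted rules use are modelled (depth, within, nocase, negation); every
request and URI below is constructed, not captured traffic.
"""


def content_seq(buf: bytes, ops) -> bool:
    """Apply content checks in rule order; True when every check passes.

    Each op is (pattern, negate, depth, within).  Matching is case-insensitive
    (all the rules here carry nocase).  depth limits the search to the first
    N bytes of buf, within to the N bytes after the end of the previous match;
    with neither, the whole buffer is searched.  A negated (!) op fails the
    rule if its pattern IS found, and never moves the cursor.
    """
    hay = buf.lower()
    cursor = 0
    for pattern, negate, depth, within in ops:
        pat = pattern.lower().encode()
        if within is not None:
            base, window = cursor, hay[cursor:cursor + within]
        elif depth is not None:
            base, window = 0, hay[:depth]
        else:
            base, window = 0, hay
        idx = window.find(pat)
        if negate:
            if idx != -1:
                return False
            continue
        if idx == -1:
            return False
        cursor = base + idx + len(pat)
    return True


def uri_has_all(uri: str, needles) -> bool:
    """uricontent without distance/within: each needle is an independent,
    case-insensitive substring search of the request URI."""
    low = uri.lower()
    return all(n.lower() in low for n in needles)


# Header-side checks shared by Mike's two rules (sid:2010743 rev:2 and the
# sid:2010xxx sibling): GET in the first 4 bytes, no Referer, no Accept-Encoding.
OFICLA_HEADERS = [
    ("GET ", False, 4, None),
    ("\r\nReferer: ", True, None, None),
    ("\r\nAccept-Encoding: ", True, None, None),
]
# uricontent sets: the first query parameter carries no leading '&', so one
# rule is needed per parameter order.
OFICLA_V_FIRST = [".php?", "v=", "&id=", "&b=", "&tm="]
OFICLA_ID_FIRST = [".php?", "id=", "&v=", "&b=", "&tm="]
# Assumption: the falsing revision matched the same names without '&'
# (the thread says only that '&' was added; it never quotes that revision).
OFICLA_UNANCHORED = [".php?", "v=", "id=", "b=", "tm="]


def oficla_fires(request: bytes, uri: str, uri_needles) -> bool:
    return content_seq(request, OFICLA_HEADERS) and uri_has_all(uri, uri_needles)


def strange_get_fires(request: bytes, within: int) -> bool:
    """mex's sid:11220082: GET in the first 4 bytes, then no '/' within the
    next `within` bytes (2 as posted, 8 as Frank suggests)."""
    return content_seq(request, [("GET ", False, 4, None), ("/", True, None, within)])


def build_request(uri: str, extra_headers=()) -> bytes:
    """Constructed request with the header shape quoted in the thread."""
    lines = [f"GET {uri} HTTP/1.1", "Host: host.example",
             "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
             *extra_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed URIs: two check-in parameter orders, and an OpenX-style ad click
# with the same shape as the base64 false positive Mike decoded (v=, id=, b=
# and tm= all present as substrings, none of them preceded by '&').
CHECKIN_V_FIRST = "/ld/bb.php?v=2&id=104&b=dhl&tm=7"
CHECKIN_ID_FIRST = "/ld/bb.php?id=104&v=2&b=dhl&tm=7"
AD_CLICK = ("/ck.php?oaparams=2__bannerid=104777__zoneid=502__cb=a6239fed5d"
            "__id=8lcds__ptm=374__oadest=http://ads.example/vtc.cgi?m=3&v=c&c=38")


def oficla_results():
    """Which Oficla variant fires on which constructed request."""
    samples = [
        ("checkin_v_first", CHECKIN_V_FIRST, ()),
        ("checkin_id_first", CHECKIN_ID_FIRST, ()),
        ("ad_click", AD_CLICK, ()),
        ("checkin_with_referer", CHECKIN_V_FIRST, ("Referer: http://host.example/",)),
    ]
    out = {}
    for name, uri, headers in samples:
        req = build_request(uri, headers)
        out[name] = {
            "unanchored": oficla_fires(req, uri, OFICLA_UNANCHORED),
            "v_first": oficla_fires(req, uri, OFICLA_V_FIRST),
            "id_first": oficla_fires(req, uri, OFICLA_ID_FIRST),
        }
    return out


def strange_get_results():
    """(within:2, within:8) verdicts for constructed request lines."""
    samples = {
        "normal": b"GET /index.html HTTP/1.1\r\n",
        "no_slash": b"GET index.html HTTP/1.0\r\n",
        "proxy_http": b"GET http://www.example.com/ HTTP/1.1\r\n",
        "proxy_rtsp": b"GET rtsp://media.example/clip HTTP/1.0\r\n",
    }
    return {n: (strange_get_fires(r, 2), strange_get_fires(r, 8))
            for n, r in samples.items()}


if __name__ == "__main__":
    for name, verdict in oficla_results().items():
        print(f"{name:22s} {verdict}")
    for name, (w2, w8) in strange_get_results().items():
        print(f"{name:22s} within:2={w2} within:8={w8}")
```

Run it directly to print the verdict matrix. The ad-click URI reproduces the false-positive mechanism: v=, id=, b= and tm= are all present as substrings (inside bannerid=, cb= and ptm=) while none of them follows an '&', so the anchored sets miss it and only the un-anchored set fires; the two check-in orderings show why a second rule is needed when uricontent carries no ordering. For the Strange GET rule, widening within to 8 puts the '/' of http://, https://, ftp:// and rtsp:// inside the window, which covers the proxy forms Matt listed, at the cost of also skipping any slash-less request whose first eight bytes happen to contain a '/'.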
From frank at knobbe.us Tue Feb 2 15:22:08 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 02 Feb 2010 14:22:08 -0600
Subject: [Emerging-Sigs] Strange GET - Requests
In-Reply-To: <4B682724.4090605@jonkmans.com>
References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com>
Message-ID: <1265142128.53439.56.camel@localhost>

On Tue, 2010-02-02 at 08:22 -0500, Matt Jonkman wrote:
> It's likely legitimate to have a GET without a leading slash. I don't
> think we can sig that. Too many FPs.
>
> The one with the http:// in it was a proxy request. Also legit.

Just extend the within for the not-content match to 8 or so. That
should cover it.

-Frank

> On 2/2/10 6:41 AM, mex wrote:
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Strange GET - Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:!"/"; within:2; nocase; classtype:attempted-recon; sid:11220082; rev:1;)

From frank at knobbe.us Tue Feb 2 15:37:41 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 02 Feb 2010 14:37:41 -0600
Subject: [Emerging-Sigs] [Oisf-users] Interoprability of Suricata with commercial firewalls
In-Reply-To: <4B68389E.6020708@utc.edu>
References: <4B66F15A.9020505@gmail.com> <4B67F516.1000205@inliniac.net> <4B67F5BE.3010405@gmail.com> <4B67F67D.3070307@inliniac.net> <4B67F896.9080803@gmail.com> <4B6834EA.8030306@jonkmans.com> <4B68389E.6020708@utc.edu>
Message-ID: <1265143061.53439.59.camel@localhost>

On Tue, 2010-02-02 at 09:37 -0500, Jeff Kell wrote:
> It certainly works with ASAs if you use the PIX plugin, you essentially
> get shuns. It would not work as-is with the router ACL / null-route
> plugins.

The NullRoute plugin works fine on routers. I never tried it on ASA, but
if they define routes, I don't see why it shouldn't work. The ACL plugin
is a bit iffy since it requires the router config file on the Snortsam
box.

> I seem to recall a minor tweak to work around a minor inconsistency
> between ASA/PIX behavior, but that should have been incorporated into
> the source some time ago (Frank?).

hm... if so it was ages ago :) Yeah, I think there was a tweak regarding
prompt recognition. The PIX plugin works fine with any ASA I've
encountered.

Cheers,
Frank

From frank at knobbe.us Tue Feb 2 15:40:57 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 02 Feb 2010 14:40:57 -0600
Subject: [Emerging-Sigs] [Oisf-users] Interoprability of Suricata with commercial firewalls
References: <4B66F15A.9020505@gmail.com> <4B67F516.1000205@inliniac.net> <4B67F5BE.3010405@gmail.com> <4B67F67D.3070307@inliniac.net> <4B67F896.9080803@gmail.com> <4B6834EA.8030306@jonkmans.com> <4B68389E.6020708@utc.edu>
Message-ID: <1265143257.53439.62.camel@localhost>

On Tue, 2010-02-02 at 08:43 -0600, Will Metcalf wrote:
> One thing that snortsam is lacking that I think keeps it from being
> deployed in a lot of places (at least the places I've been) is support
> for ssh, so whatever we come up needs to support this I think.

True, and I'd love to have such a thing. Do you want to develop such a
plugin?

(Personally, I consider Snortsam end-of-life. I'm migrating all my
instances to a new system I've developed. That said, if there are any
bug fixes or new plugins, I'll support those for a while longer.)

Cheers,
Frank

From phatbuckett at gmail.com Tue Feb 2 15:43:17 2010
From: phatbuckett at gmail.com (Darren Spruell)
Date: Tue, 2 Feb 2010 13:43:17 -0700
Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign)
In-Reply-To: <4B687019.4020001@packetmail.net>
References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com> <4B686CFB.6000506@jonkmans.com> <4B687019.4020001@packetmail.net>
Message-ID: <839aec701002021243p4a6e7c06h9d8807c07c392c1a@mail.gmail.com>

Agreed, seems like they'll be fine.

DS

On Tue, Feb 2, 2010 at 11:34 AM, evilghost at packetmail.net wrote:
> My vote - Try the Mike Cox signatures, if they false like the current
> Oficla is, then we revert to a PCRE with ordering and write multiple
> signatures to account for the ordering differences that Darren identified.
> > These would be: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; > flow:established,to_server; content:"GET "; nocase; depth:4; > content:!"|0d 0a|Referer\: "; nocase; > content:!"|0d 0a|Accept-Encoding\: "; nocase; > uricontent:".php?"; nocase; > uricontent:"v="; nocase; uricontent:"&id="; nocase; > uricontent:"&b="; nocase; uricontent:"&tm="; nocase; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; > sid:2010743; rev:2;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; > flow:established,to_server; content:"GET "; nocase; depth:4; > content:!"|0d 0a|Referer\: "; nocase; > content:!"|0d 0a|Accept-Encoding\: "; nocase; > uricontent:".php?"; nocase; > uricontent:"id="; nocase; uricontent:"&v="; nocase; > uricontent:"&b="; nocase; uricontent:"&tm="; nocase; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; > sid:2010xxx; rev:1;) > > > > -evilghost > > Matt Jonkman wrote: >> Great discussion! Can I ask for a final sig from the working group here >> then? :) >> >> Which will be the way to go? (sorry, I'm time-bandwidth limited this >> week so can't really hop in to slug it out for a few days) >> >> Matt >> >> On 2/1/10 2:49 PM, Mike Cox wrote: >> >>> Whoops, I responded to the wrong thread. ?This should have been for the >>> Oficla thread. ?Sorry about that. >>> >>> --Mike Cox >>> >>> On Mon, Feb 1, 2010 at 1:47 PM, Mike Cox >> > wrote: >>> >>> ? ? I sent this last week but it never made it thru to the list (maybe >>> ? ? it got spam filtered because of the link?). ?I am seeing FPs on >>> ? ? strings like this (you will need to base64 decode it) >>> >>> ? ? 
Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAyX19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMmdj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29tLyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw== >>> >>> ? ? So I say we try no PCRE (yet) but use '&' on some of the >>> ? ? parameters. ?We would only need two rules then: >>> >>> ? ? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >>> ? ? Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; >>> ? ? depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d >>> ? ? 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; >>> ? ? uricontent:"v="; nocase; uricontent:"&id="; nocase; >>> ? ? uricontent:"&b="; nocase; uricontent:"&tm="; nocase; >>> ? ? classtype:trojan-activity; >>> ? ? reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c >>> ? ? ; >>> ? ? sid:2010743; rev:2;) >>> >>> ? ? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >>> ? ? Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; >>> ? ? depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d >>> ? ? 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; >>> ? ? uricontent:"id="; nocase; uricontent:"&v="; nocase; >>> ? ? uricontent:"&b="; nocase; uricontent:"&tm="; nocase; >>> ? ? classtype:trojan-activity; >>> ? ? reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c >>> ? ? ; >>> ? ? sid:2010xxx; rev:1;) >>> >>> ? ? -Mike Cox >>> >>> >>> ? ? On Mon, Feb 1, 2010 at 12:59 PM, Darren Spruell >>> ? ? > wrote: >>> >>> ? ? ? ? ZeuS/Zbot config and dropzone URLs are all over the place and don't >>> ? ? ? ? 
follow a standard convention (they're configurable on the >>> ? ? ? ? server/builder side). You could argue that they're appropriate for >>> ? ? ? ? current events detection at best, probably. >>> >>> ? ? ? ? Examples: >>> >>> ? ? ? ? https://zeustracker.abuse.ch/monitor.php?browse=configs >>> >>> ? ? ? ? DS. >>> >>> ? ? ? ? On Mon, Feb 1, 2010 at 11:30 AM, dn1nj4 >> ? ? ? ? > wrote: >>> ? ? ? ? > After a thorough review of captures from another 40 Zbot >>> ? ? ? ? samples this AM, I >>> ? ? ? ? > see two additional, consistent request types: >>> ? ? ? ? > >>> ? ? ? ? > GET /1cfg.bin HTTP/1.0 >>> ? ? ? ? > Accept: */* >>> ? ? ? ? > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) >>> ? ? ? ? > Host: >>> ? ? ? ? > Pragma: no-cache >>> ? ? ? ? > >>> ? ? ? ? > GET /conf.sts HTTP/1.1 >>> ? ? ? ? > Accept: */* >>> ? ? ? ? > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) >>> ? ? ? ? > Host: >>> ? ? ? ? > Pragma: no-cache >>> ? ? ? ? > >>> ? ? ? ? > And one outlier (only 1 sample that did this)... >>> ? ? ? ? > >>> ? ? ? ? > GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1 >>> ? ? ? ? > Accept: */* >>> ? ? ? ? > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) >>> ? ? ? ? > Host: www.rusibank.com >>> ? ? ? ? > Pragma: no-cache >>> ? ? ? ? > >>> ? ? ? ? > The rule I'm running locally to catch everything I've seen >>> ? ? ? ? thus far, minus >>> ? ? ? ? > the outlier: >>> ? ? ? ? > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS >>> ? ? ? ? (msg:"ET TROJAN >>> ? ? ? ? > Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d >>> ? ? ? ? > 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referrer|3a|"; >>> ? ? ? ? > >>> ? ? ? ? pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/"; >>> ? ? ? ? > classtype:trojan-activity; >>> ? ? ? ? > >>> ? ? ? ? reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/;sid:2010999 >>> ? ? ? ? ; >>> ? ? ? ? > rev:3;) >>> ? ? ? ? > >>> ? ? ? ? > Thoughts? >>> ? ? ? ? 
> >>> ? ? ? ? > dn1nj4 >>> ? ? ? ? > >>> ? ? ? ? > On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 >>> ? ? ? ? > wrote: >>> ? ? ? ? >> I just ran across another Zbot sample with the following header: >>> ? ? ? ? >> >>> ? ? ? ? >> GET /immagini/eg.bin HTTP/1.1 >>> ? ? ? ? >> Accept: */* >>> ? ? ? ? >> Connection: Close >>> ? ? ? ? >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT >>> ? ? ? ? 5.1; SV1) >>> ? ? ? ? >> Host: www.ato5enna.it >>> ? ? ? ? >> Pragma: no-cache >>> ? ? ? ? >> >>> ? ? ? ? >> Would it be better to drop the Win32 and add eg.bin to the >>> ? ? ? ? pcre or create >>> ? ? ? ? >> an entirely different signature? ?Also, classifcation should be >>> ? ? ? ? > classtype. >>> ? ? ? ? >> >>> ? ? ? ? >> dn1nj4 >>> ? ? ? ? >> >>> ? ? ? ? >>> Date: Mon, 01 Feb 2010 06:47:43 -0800 >>> ? ? ? ? >>> From: dn1nj4 >> ? ? ? ? > >>> ? ? ? ? >>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, >>> ? ? ? ? Issue 2 >>> ? ? ? ? >>> To: >> ? ? ? ? > >>> ? ? ? ? >>> Message-ID: >>> ? ? ? ? >> ? ? ? ? > >>> ? ? ? ? >>> Content-Type: text/plain; charset="UTF-8" >>> ? ? ? ? >>> >>> ? ? ? ? >>> Thanks for the feedback. ?Drawing on evilghost and Mike's >>> ? ? ? ? >> recommendations: >>> ? ? ? ? >>> >>> ? ? ? ? >>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS >>> ? ? ? ? (msg:"ET TROJAN >>> ? ? ? ? >>> Zbot/Zeus Download Request"; content:"GET "; depth:4; >>> ? ? ? ? content:"|0d >>> ? ? ? ? >>> 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d >>> ? ? ? ? >>> 0a|"; content:!"|0d 0a|Referrer|3a|"; >>> ? ? ? ? >>> pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; >>> ? ? ? ? >>> classification:trojan-activity; reference:url, >>> ? ? ? ? >>> >>> ? ? ? ? >> >>> ? ? ? ? > >>> ? ? ? ? www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/ >>> ? ? ? ? ; >>> ? ? ? ? >>> sid:2010xxx; rev:3;) >>> ? ? ? ? > >>> ? ? ? ? > _______________________________________________ >>> ? ? ? ? > Emerging-sigs mailing list >>> ? ? ? ? 
> Emerging-sigs at emergingthreats.net >>> ? ? ? ? >>> ? ? ? ? > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> ? ? ? ? > >>> ? ? ? ? > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee >>> ? ? ? ? Mugs and Lanyards >>> ? ? ? ? > >>> ? ? ? ? http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >>> ? ? ? ? > >>> >>> >>> >>> ? ? ? ? -- >>> ? ? ? ? Darren Spruell >>> ? ? ? ? phatbuckett at gmail.com >>> >>> ? ? ? ? _______________________________________________ >>> ? ? ? ? Emerging-sigs mailing list >>> ? ? ? ? Emerging-sigs at emergingthreats.net >>> ? ? ? ? >>> ? ? ? ? http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> ? ? ? ? Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee >>> ? ? ? ? Mugs and Lanyards >>> ? ? ? ? http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards >>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >>> >> >> > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! 
Tshirts, Coffee Mugs and Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html > -- Darren Spruell phatbuckett at gmail.com From phatbuckett at gmail.com Tue Feb 2 15:56:56 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Tue, 2 Feb 2010 13:56:56 -0700 Subject: [Emerging-Sigs] M0zilla UAS rules mods Message-ID: <839aec701002021256m63b36c7ey3e48099259a7e796@mail.gmail.com> These two rules are trying to do the same match, I think: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003513; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (M0zilla)"; flow:established,to_server; content:"|0d 0a|User-Agent|3A 20|M0zilla/4.0|20|(compatible)"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010265; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010265; rev:2;) The first looks to have been a typo where a zero (0) was intended in the message and content match, but a capital O went in instead. I'm deriving this from the first doc input at http://doc.emergingthreats.net/bin/view/Main/2003513. Ever any hits on 2003513? Maybe we can put it to sleep as a duplicate if not. 
Suggested additions to references for 2010265: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (M0zilla)"; flow:established,to_server; content:"|0d 0a|User-Agent|3A 20|M0zilla/4.0|20|(compatible)"; classtype:trojan-activity; reference:url,www.f-secure.com/sw-desc/adware_w32_trafficsol.shtml; reference:url,www.f-secure.com/sw-desc/adware_w32_adrotator_gen.shtml; reference:url,doc.emergingthreats.net/2010265; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010265; rev:3;) -- Darren Spruell phatbuckett at gmail.com From phatbuckett at gmail.com Tue Feb 2 15:59:29 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Tue, 2 Feb 2010 13:59:29 -0700 Subject: [Emerging-Sigs] M0zilla UAS rules mods In-Reply-To: <839aec701002021256m63b36c7ey3e48099259a7e796@mail.gmail.com> References: <839aec701002021256m63b36c7ey3e48099259a7e796@mail.gmail.com> Message-ID: <839aec701002021259x3f1ba40g5b349eb6782781fd@mail.gmail.com> On Tue, Feb 2, 2010 at 1:56 PM, Darren Spruell wrote: > Ever any hits on 2003513? Maybe we can put it to sleep as a duplicate > if not. 
Suggested additions to references for 2010265: And another with firm correlation on UAS to the adware: http://www.bitdefender.com/VIRUS-1000243-en--Adware.Blinkator.A.html -- Darren Spruell phatbuckett at gmail.com From emerging at emergingthreats.net Tue Feb 2 16:00:13 2010 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 2 Feb 2010 16:00:13 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20100202210013.9CBAD45050@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Feb 2 16:00:13 2010 [***] [+++] Added rules: [+++] 2010755 - ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt (emerging-dos.rules) [///] Modified active rules: [///] 2010458 - ET TROJAN Dropper Checkin - Likely Yahlover Worm (emerging-virus.rules) [---] Removed rules: [---] 2009707 - WEB_SPECIFIC Possible XOOPS Viewpmesg.php Cross Site Scripting Attack (emerging-web_specific_apps.rules) 2009708 - WEB_SPECIFIC Possible XOOPS User.php Cross Site Scripting Attack (emerging-web_specific_apps.rules) 2009763 - ET WEB_CLIENT ACTIVEX EDraw PDF Viewer ActiveX Control Remote code execution (emerging-web_client.rules) 2009786 - ET WEB_SPECIFIC_APPS Bitweaver boards_rss.php version Parameter Directory Traversal (emerging-web_specific_apps.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (2): 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,doc.emergingthreats.net/2010458 2010755 || ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || url,www.securityfocus.com/bid/38018 -> Added to emerging-sid-msg.map.txt (2): 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,doc.emergingthreats.net/2010458 2010755 || ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || url,www.securityfocus.com/bid/38018 [---] Removed non-rule lines: [---] -> 
Removed from emerging-sid-msg.map (5): 2009707 || WEB_SPECIFIC Possible XOOPS Viewpmesg.php Cross Site Scripting Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/XOOPS || url,doc.emergingthreats.net/2009707 || url,securitytracker.com/alerts/2009/Jul/1022641.html 2009708 || WEB_SPECIFIC Possible XOOPS User.php Cross Site Scripting Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/XOOPS || url,doc.emergingthreats.net/2009708 || url,securitytracker.com/alerts/2009/Jul/1022641.html 2009763 || ET WEB_CLIENT ACTIVEX EDraw PDF Viewer ActiveX Control Remote code execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EDraw || url,doc.emergingthreats.net/2009763 || url,archives.neohapsis.com/archives/fulldisclosure/2009-06/0198.html || url,secunia.com/advisories/35509/ 2009786 || ET WEB_SPECIFIC_APPS Bitweaver boards_rss.php version Parameter Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bitweaver || url,doc.emergingthreats.net/2009786 || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/ 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2010458 -> Removed from emerging-sid-msg.map.txt (5): 2009707 || WEB_SPECIFIC Possible XOOPS Viewpmesg.php Cross Site Scripting Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/XOOPS || url,doc.emergingthreats.net/2009707 || url,securitytracker.com/alerts/2009/Jul/1022641.html 2009708 || WEB_SPECIFIC Possible XOOPS User.php Cross Site Scripting Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/XOOPS || url,doc.emergingthreats.net/2009708 || url,securitytracker.com/alerts/2009/Jul/1022641.html 2009763 || ET WEB_CLIENT ACTIVEX EDraw PDF Viewer ActiveX Control 
Remote code execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EDraw || url,doc.emergingthreats.net/2009763 || url,archives.neohapsis.com/archives/fulldisclosure/2009-06/0198.html || url,secunia.com/advisories/35509/ 2009786 || ET WEB_SPECIFIC_APPS Bitweaver boards_rss.php version Parameter Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bitweaver || url,doc.emergingthreats.net/2009786 || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/ 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2010458 From spooker at gmail.com Tue Feb 2 16:16:01 2010 From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR)) Date: Tue, 2 Feb 2010 19:16:01 -0200 Subject: [Emerging-Sigs] Strange GET - Requests In-Reply-To: <1265142128.53439.56.camel@localhost> References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com> <1265142128.53439.56.camel@localhost> Message-ID: <9255886c1002021316j534457dbk9a8656e6aaed8d4f@mail.gmail.com> We have this rule already for part of http request at least =) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET http\://"; nocase; depth: 11; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001669; rev:7;) isnt better only improve this one ? It's top30 at sid reporter http://www.emergingthreats.net/index.php/sidreporter-statistics.html Regards, On Tue, Feb 2, 2010 at 6:22 PM, Frank Knobbe wrote: > > On Tue, 2010-02-02 at 08:22 -0500, Matt Jonkman wrote: > > It's likely legitimate to have a GET without a leading slash. I don't > > think we can sig that. Too many FPs. 
> > > > The one with the http:// in it was a proxy request. Also legit. > > Just extent the within for the not-content match to 8 or so. That should > cover it. > > -Frank > > > > On 2/2/10 6:41 AM, mex wrote: > > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Strange GET - Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:!"/"; within:2; nocase; ?classtype:attempted-recon; ?sid:11220082; rev:1;) > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html -- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker From wkitty42 at windstream.net Tue Feb 2 17:50:10 2010 From: wkitty42 at windstream.net (waldo kitty) Date: Tue, 02 Feb 2010 17:50:10 -0500 Subject: [Emerging-Sigs] Strange GET - Requests In-Reply-To: <4B6869E4.2060105@jonkmans.com> References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com> <4B682FE0.8060309@mare-system.de> <4B6869E4.2060105@jonkmans.com> Message-ID: <4B68AC22.9070002@windstream.net> On 2/2/2010 13:07, Matt Jonkman wrote: > You're definitely right there! Thanks for doing the research I should > have before disagreeing. :) > > That sig will also have to take into account other types of protocols, > like ftp://, rtsp://, https://, any number of things. if we can defeat > that then it'd be good to add to the ruleset! so something like .*\:// for a pattern for the protocol indicator instead of trying to list them all like [ftp|rtsp|php|https?]... is there a ssl and scp one? i remember the php one from recent discussions somewhere... there are others... where to find a complete list? 
what's to prevent someone from creating their own that their own bot server thingy understands and everything else ignores? > Matt > > On 2/2/10 9:00 AM, mex wrote: >> >> # HTTP-GET Proxy Request >> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER GET - Proxy-Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"http\://"; within:8; nocase; classtype:attempted-recon; sid:11220083; rev:1;) >> >> >> you always make me study the rfcs ;-) >> >> for as far as i read in rfc2616-sec5 a GET-Request >> (beside a proxy-request) needs to have a leading slash: >> >> --- snip --------------------- >> >> The most common form of Request-URI is that used to identify a >> resource on an origin server or gateway. In this case the >> **absolute path** of the URI **MUST** be transmitted >> (see section 3.2.1, abs_path) as the Request-URI, and the >> network location of the URI (authority) MUST be transmitted in a >> Host header field. For example, a client wishing to retrieve the >> resource above directly from the origin server would create a >> TCP connection to port 80 of the host "www.w3.org" and send the lines: >> >> GET /pub/WWW/TheProject.html HTTP/1.1 >> Host: www.w3.org >> >> followed by the remainder of the Request. Note that the absolute path >> cannot be empty; if none is present in the original URI, it MUST be >> given as "/" (the server root). >> >> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html >> --- snap ------------------------ >> >> for me an abs_path always starts with a / >> >> when i >> $ telnet myserver.moc 80 >> GET index.html HTTP/1.0 >> >> >> HTTP/1.1 400 Bad Request >> Date: Tue, 02 Feb 2010 13:32:14 GMT >> Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0 >> Vary: Accept-Encoding >> Content-Length: 405 >> Connection: close >> Content-Type: text/html; charset=iso-8859-1 >> >> >> >> 400 Bad Request >> >>

Bad Request >> Your browser sent a request that this server could not understand.
>> >> my server answers with error 400 bad request. >> >> >> i think such broken requests will never come from legit >> browsers, more from scanners/attack-tools and poorly coded >> small apps. >> >> but you're rigt, this might fp under certain circumstances, like >> proxy-abuse ... this leads me to the above sig: as i played with telnet >> and GET no rule fired anyway, so i created the one above; maybe >> it'll false too ... >> >> >> regarding the user-agent: >> http://www.useragentstring.com/pages/webcollage/ >> >> >> >> >> >> Matt Jonkman wrote: >>> It's likely legitimate to have a GET without a leading slash. I don't >>> think we can sig that. Too many FPs. >>> >>> The one with the http:// in it was a proxy request. Also legit. >>> >>> That useragent on the sample is interesting. You know what it is? >>> >>> Matt >>> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards >> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html > From wkitty42 at windstream.net Tue Feb 2 17:53:08 2010 From: wkitty42 at windstream.net (waldo kitty) Date: Tue, 02 Feb 2010 17:53:08 -0500 Subject: [Emerging-Sigs] Strange GET - Requests In-Reply-To: <1265142128.53439.56.camel@localhost> References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com> <1265142128.53439.56.camel@localhost> Message-ID: <4B68ACD4.9030907@windstream.net> On 2/2/2010 15:22, Frank Knobbe wrote: > On Tue, 2010-02-02 at 08:22 -0500, Matt Jonkman wrote: >> It's likely legitimate to have a GET without a leading slash. I don't >> think we can sig that. Too many FPs. >> >> The one with the http:// in it was a proxy request. Also legit. > > Just extent the within for the not-content match to 8 or so. That should > cover it. 
i was wondering about that when i wrote my previous message just now... not being sure, i went with something that is known to work :lol: > > -Frank > > >> On 2/2/10 6:41 AM, mex wrote: >>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Strange GET - Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:!"/"; within:2; nocase; classtype:attempted-recon; sid:11220082; rev:1;) > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html > From phatbuckett at gmail.com Tue Feb 2 19:18:28 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Tue, 2 Feb 2010 17:18:28 -0700 Subject: [Emerging-Sigs] manda.php post/get sig In-Reply-To: <48613632.5050806@jonkmans.com> References: <716533b50806240920k1ca83c5fn69f456eef4f5cc2e@mail.gmail.com> <48613632.5050806@jonkmans.com> Message-ID: <839aec701002021618q6cf7e73bt169901c7aa42da2a@mail.gmail.com> Reaching back here for some housework - These seem to have ended up in 2008324 and 2008325, labeled as Socks/Sality. The malware in question is called Zalupko/Koceph/Mandaph. It looks like /manda.php has been in use at least through late 2009 so it still seems like a useful indicator even if not always used. As there are still some instances (increasingly few) of the malware in ThreatExpert thorugh late 2009 I figured it was worth keeping a lazy eye on. 
The most common URI pattern we had in logs was '/manda.php?id=[foo]&v=[bar]' so here's a new rule for review and updates to the two others: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin"; flow:established,to_server; uricontent:"/manda.php?"; nocase; uricontent:"ns="; nocase; uricontent:"&id="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2008324; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks; sid:2008324; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin"; flow:established,to_server; uricontent:".php?"; uricontent:"&v="; uricontent:"&s="; uricontent:"&cip="; uricontent:"&lid="; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2008325; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks; sid:2008325; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; uricontent:"/manda.php?"; uricontent:"id="; nocase; uricontent:"&v="; nocase; pcre:"/\/manda\.php\?id=(-)?\d{10}&v=[\w\.]+/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; 
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; sid:9999999; rev:1;) DS On Tue, Jun 24, 2008 at 11:00 AM, Matt Jonkman wrote: > Posting now, thanks Marcus! > > May end up merging one with an existing, will let you know. > > Matt > > Marcus wrote: >> re: 7596ec9308082edec613ac8d78ee4fe6 >> >> in addition to sid 2008290 >> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan - >> manda.php POST"; flow:established,to_server; content:"POST"; depth:4; >> content:"manda.php"; content:"ns="; content:"&id="; nocase; sid:99999; >> rev:1;) >> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - >> manda.php GET"; flow:established,to_server; uricontent:"manda.php?"; >> uricontent:"&v="; uricontent:"&s="; uricontent:"&cip="; >> uricontent:"&lid="; content:"|0d 0a|User-Agent\: _|0d 0a|"; >> classtype:trojan-activity; sid:99998; rev:1;) >> >> >> Cheers, >> Marc >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -- Darren Spruell phatbuckett at gmail.com From dn1nj4 at shadowserver.org Tue Feb 2 20:08:02 2010 From: dn1nj4 at shadowserver.org (dn1nj4) Date: Tue, 02 Feb 2010 17:08:02 -0800 Subject: [Emerging-Sigs] Proposed Mod: 2008411 "ET TROJAN LDPinch SMTP Password Report with mail client The Bat!" 
Message-ID: <75e469edf6c0951dffa28bd096aadca8@shadowserver.org>

I am getting a bunch of hits on this sig that appear to be the result of undeliverable/bounce messages. The attachment in question is the text of the bounced message. Recommend adding a filter for "|0d 0a|Subject: Undeliverable:".

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN LDPinch SMTP Password Report with mail client The Bat!"; flow:established,to_server; content:"X-Mailer|3a| The Bat!"; content:"|0d 0a|Content-Disposition|3a| attachment\;"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008411; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PWS-LDPinch; sid:2008411; rev:4;)

Thoughts?

dn1nj4


From evilghost at packetmail.net Tue Feb 2 20:35:27 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 2 Feb 2010 19:35:27 -0600
Subject: [Emerging-Sigs] Proposed Mod: 2008411 "ET TROJAN LDPinch SMTP Password Report with mail client The Bat!"
In-Reply-To: <75e469edf6c0951dffa28bd096aadca8@shadowserver.org>
References: <75e469edf6c0951dffa28bd096aadca8@shadowserver.org>
Message-ID: <4B68D2DF.5000906@packetmail.net>

I saw this once as well and it was an Exchange SMTPd in a mail-loop. I'm curious, are you accepting mail for delivery and then generating bounce messages, or are you SMTP 551 invalid recipients during the SMTP session? My question, why the bounce messages to begin with? I usually see "The Bat!" associated with programmatic delivery, often spam. Really curious not from an IDS perspective but more from the aspect of a mail-server admin.

-evilghost


From mail at mare-system.de Wed Feb 3 04:45:48 2010
From: mail at mare-system.de (mex)
Date: Wed, 03 Feb 2010 10:45:48 +0100
Subject: [Emerging-Sigs] Updated Sig 2001669, was Strange GET - Requests
In-Reply-To: <9255886c1002021316j534457dbk9a8656e6aaed8d4f@mail.gmail.com>
References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com> <1265142128.53439.56.camel@localhost> <9255886c1002021316j534457dbk9a8656e6aaed8d4f@mail.gmail.com>
Message-ID: <4B6945CC.2030305@mare-system.de>

yeah, right; i expected that in web_server.rules, not in policy; i usually don't load policy.rules. due to your and Frank's and others' suggestions i propose the following sig-update to cover this issue (and maybe place them in emerging-web_servers.rules??)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET "; depth:4; content:"\://"; nocase; within:10; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001669; rev:8;)

Rodrigo Montoro(Sp0oKeR) wrote:
> We have this rule already for part of http request at least =)


From wolvee.x at gmail.com Wed Feb 3 07:54:27 2010
From: wolvee.x at gmail.com (Wolvee)
Date: Wed, 03 Feb 2010 18:24:27 +0530
Subject: [Emerging-Sigs] IE6 sig
Message-ID: <4B697203.6020101@googlemail.com>

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE6 browser crash Attempt(ms-its:%F0:)"; flow:to_server,established; uricontent:"ms-its:%F0:"; nocase; classtype:web-application-attack; reference:url,www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6/; sid:xxxxxx; rev:1;)

Thanks,
Wolvee..


From kevross33 at googlemail.com Wed Feb 3 08:07:00 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 3 Feb 2010 13:07:00 +0000
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt

Here are some sigs, and as far as I understand it snort should be fine with the isdataat match at 60000 (the buffer overflow is actually triggered about the 100000ish mark)?

I have also attached the sigs I sent the other day that weren't posted so all my posted sigs are together.
Regards, Kev

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; uricontent:".ass"; nocase; classtype:not-suspicious; flowbits:set,ET.ass.request; flowbits:noalert; sid:16000011; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; pcre:"/Dialogue.{60000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37832/info; sid:16000012; rev:1;)

# These are ones I sent you also the other day

alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; classtype:attempted-admin; reference:url,www.securityfocus.com/bid/38010; sid:18000211; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/MEDIA SIZE.{200}/smi"; classtype:attempted-user; reference:cve,2009-3050; sid:18000218; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:42000,relative; content:!"|0A|"; within:42000; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX admin/config.php Password Information Disclosure Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"userdisplay="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+userdisplay\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37848; sid:18000212; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX config.php SQL Injection Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"filter="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+filter\x3D.+(SELECT.+FROM|DELETE.+FROM|UPDATE.+SET|INSERT.+INTO|UNION.+SELECT)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37847; sid:18000213; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37834; sid:18000214; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; uricontent:"/zport/dmd/ZenUsers/admin"; nocase; uricontent:"defaultAdminLevel"; nocase; uricontent:"manage_editUserSettings"; nocase; uricontent:"method=Save"; nocase; uricontent:"password="; nocase; uricontent:"zenScreenName=editUserSettings"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000215; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; uricontent:"commandId="; nocase; pcre:"/\x2Fzport\x2Fdmd\x2FDevices\x2Fdevices\x2Flocalhost\x2Fmanage\x5FdoUserCommand.+commandId\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000216; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/userCommands/ping"; nocase; uricontent:"commandId=ping"; nocase; uricontent:"manage_editUserCommand"; nocase; uricontent:"ScreenName=userCommandDetail"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000217; rev:1;)


From kevross33 at googlemail.com Wed Feb 3 08:08:19 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 3 Feb 2010 13:08:19 +0000
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; pcre:"/Dialogue\x3A.{60000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37832/info; sid:16000012; rev:1;)

quick modification with the addition of the : on Dialogue in the PCRE.
Kev


From richrumble at gmail.com Wed Feb 3 08:18:33 2010
From: richrumble at gmail.com (Rich Rumble)
Date: Wed, 3 Feb 2010 08:18:33 -0500
Subject: [Emerging-Sigs] [Oisf-users] Interoperability of Suricata with commercial firewalls
In-Reply-To: <1265143257.53439.62.camel@localhost>
References: <4B66F15A.9020505@gmail.com> <4B67F516.1000205@inliniac.net> <4B67F5BE.3010405@gmail.com> <4B67F67D.3070307@inliniac.net> <4B67F896.9080803@gmail.com> <4B6834EA.8030306@jonkmans.com> <4B68389E.6020708@utc.edu> <1265143257.53439.62.camel@localhost>

I'd also like to mention PacketFence NAC as a possible integration point for Suricata. It might be more on the Inverse/PacketFence side to implement. Suricata seems to be using the same logs as snort so it might already integrate. I've not tried it yet, but there may be other ways to integrate Suricata than Snort is now.
http://www.packetfence.org/tour/technical_introduction.html

I'll be sure to mention this idea to them as well :)

-rich
Xinn.org


From mike.cox52 at gmail.com Wed Feb 3 08:41:24 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Wed, 3 Feb 2010 07:41:24 -0600
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <4B697203.6020101@googlemail.com>
References: <4B697203.6020101@googlemail.com>
Message-ID: <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com>

If you are doing a uricontent match, wouldn't it match against the normalized URI buffer so you would need to look for 'uricontent:"ms-its:|F0|:";' instead of 'uricontent:"ms-its:%F0:";'?
-Mike Cox


From rmkml at free.fr Wed Feb 3 02:30:24 2010
From: rmkml at free.fr (rmkml)
Date: Wed, 3 Feb 2010 08:30:24 +0100 (CET)
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com>
References: <4B697203.6020101@googlemail.com> <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com>

Hi Mike and Wolvee,
thx for these sigs,
but are you sure uricontent and flow_toserver are good for detecting IE DoS ?
Regards
Rmkml


From spooker at gmail.com Wed Feb 3 08:53:17 2010
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Wed, 3 Feb 2010 11:53:17 -0200
Subject: [Emerging-Sigs] IE6 sig
References: <4B697203.6020101@googlemail.com> <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com>
Message-ID: <9255886c1002030553s6502f980w29c4dc7a411b3253@mail.gmail.com>

Looking at the post ( www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6 ), 2 situations that I figured out:

1-) at URI it'll not generate network traffic since it seems to be something local.
2-) maybe IF some embedded html with this code could cause DoS.

I don't have any IE6 to test.

Regards,

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker


From thierry.chich at ac-clermont.fr Wed Feb 3 08:55:41 2010
From: thierry.chich at ac-clermont.fr (Thierry Chich)
Date: Wed, 03 Feb 2010 14:55:41 +0100
Subject: [Emerging-Sigs] FP ET RBN Known Russian Business Network IP UDP
In-Reply-To: <4B67130D.6060002@jonkmans.com>
References: <4B66AFA3.1000406@ac-clermont.fr> <4B67130D.6060002@jonkmans.com>
Message-ID: <4B69805D.7020602@ac-clermont.fr>

On 01/02/2010 18:44, Matt Jonkman wrote:
> I understand your point definitely. But if you're blocking there's some
> use to blocking dns requests. If they're inbound from an rbn host
> they're likely looking to spam you, so blocking dns kills them unless
> they use another dns server. If it's an internal host going out you may
> be killing an infection.

Yeah, I am all right by you. If you have a blocking method, it is better to leave it as it is. But if you are using snort only to alert you, it is not very interesting. RBN rules don't have two versions, block and not block?

> What kind of requests are you seeing? For legitimate names, or just
> malware crud?
>
> Matt


From phatbuckett at gmail.com Wed Feb 3 10:05:48 2010
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 3 Feb 2010 08:05:48 -0700
Subject: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV), and and proposed modification to SID 2009354
In-Reply-To: <839aec700912040901n3c466a25g53a28bef5c84b799@mail.gmail.com>
References: <617fc350912031726j398f8ddfide889ab566bc0e66@mail.gmail.com> <839aec700912040901n3c466a25g53a28bef5c84b799@mail.gmail.com>
Message-ID: <839aec701002030705p37d146bn599fd74040eae82d@mail.gmail.com>

*Bump*

2010381 and 2008337 are dupes and the malware is Gibon or Syrutrk. How about dropping 2008337 and doing a mod on the other?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Syrutrk/Gibon Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; sid:2010381; rev:3;)

DS

On Fri, Dec 4, 2009 at 10:01 AM, Darren Spruell wrote:
> Thanks.
>
> 2008337 looks to identify, no?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.dvs or Related DDOS Checkin"; flow:established,to_server; content:"GET ?ddos=x"; depth:11; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Small.dvs; sid:2008337; rev:2;)
>
> Probably only need one of them, would suggest rule msg update to
> reflect common name Gibon.
>
> DS
>
>
> On Thu, Dec 3, 2009 at 6:26 PM, gilou wrote:
>> The "?ddos=" request is from Gibon.
>>
>> As an additional reference, here is a ThreatExpert report for another
>> variant of Gibon:
>> http://www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865
>>
>>> ------------------------------
>>>
>>> Date: Wed, 2 Dec 2009 12:43:08 -0700
>>> From: Darren Spruell
>>> Subject: Re: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV), and and proposed modification to SID 2009354
>>> To: "evilghost at packetmail.net"
>>> Cc: "emerging-sigs at emergingthreats.net"
>>> Message-ID: <839aec700912021143o3aaea5a5r7f193a4c0d340e29 at mail.gmail.com>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> The match on ?ddos=x7x29x1x36x32x27x16x29x32x31x17x27x7x36x29x18x30x9x33x27x13x29x0x7
>>> isn't Bredolab, it's something else (I presume a DDoS bot). The
>>> Bredolab communication is that referencing
>>> youaskedthedomain.cn/spl/controller.php[...].
>>>
>>> Anybody recognize it?
>>>
>>> DS
>>>
>>> On Mon, Nov 30, 2009 at 2:11 PM, evilghost at packetmail.net wrote:
>>>> SID 2009354, based on http://threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 I suggest changing the uricontent:"&entity="; to uricontent:"&entity";
>>>>
>>>> Proposed new signatures below:
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009xxx; rev:1;)
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; nocase; uricontent:"affid="; nocase; uricontent:"subid="; nocase; uricontent:"type="; nocase; uricontent:"version="; nocase; uricontent:"adware"; nocase; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; sid:2009xxx; rev:1;)
>>>>
>>>> Comments/flames welcome.
>>>>
>>>> -evilghost

--
Darren Spruell
phatbuckett at gmail.com


From phatbuckett at gmail.com Wed Feb 3 10:10:54 2010
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 3 Feb 2010 08:10:54 -0700
Subject: [Emerging-Sigs] Strange GET - Requests
In-Reply-To: <4B682724.4090605@jonkmans.com>
References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com>
Message-ID: <839aec701002030710p50a75b7aiff3a0c15acb70e1d@mail.gmail.com>

FWIW: Gibon/Syrutrk sends GET requests back to controller sans leading slash:

# http://www.threatexpert.com/report.aspx?md5=e6f12884dbd9c5f8fc6292d4c2836e54
00000000 | 4745 5420 3F64 646F 733D 7831 3678 3239 | GET ?ddos=x16x29
00000010 | 7832 3878 3778 3620 4854 5450 2F31 2E30 | x28x7x6 HTTP/1.0

Although this likely doesn't impact this discussion, something to be aware of.

DS

On Tue, Feb 2, 2010 at 6:22 AM, Matt Jonkman wrote:
> It's likely legitimate to have a GET without a leading slash. I don't
> think we can sig that. Too many FPs.
>
> The one with the http:// in it was a proxy request. Also legit.
>
> That useragent on the sample is interesting. You know what it is?
> > Matt > > > On 2/2/10 6:41 AM, mex wrote: >> >> some time ago i had to face some nasty ddos >> with lots of GET-Requests like this: >> GET blih.blah.blub.php >> nothing more, that seems to be similar to a >> ddos like described in the following blog >> (german, but should work with google-translate) >> http://burnachurch.com/74/ddos-abwehr-mit-apaches-mod_security2/ >> >> # HTTP-GET w/out slash >> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Strange GET - Request"; flow:established,to_server; content:"GET "; depth:4; nocase; content:!"/"; within:2; nocase; ?classtype:attempted-recon; ?sid:11220082; rev:1;) >> >> >> >> strangely enough, the rule catches stuff like the following: >> >> GET http://img1.mypets.ws/img-32025.jpg HTTP/1.1 >> User-Agent: webcollage/1.135a >> Host: img1.mypets.ws >> >> UA webcollage seems to be not harmfull: >> http://www.useragentstring.com/pages/webcollage/ >> >> >> but i wonder why this is in my logs. >> >> >> >> mex >> >> >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards >> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html > > -- > > ---------------------------------------------------- > Matthew Jonkman > Emerging Threats > Open Information Security Foundation (OISF) > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > http://www.openinfosecfoundation.org > ---------------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! 
--
Darren Spruell
phatbuckett at gmail.com


From eslerj at gmail.com Wed Feb 3 10:14:56 2010
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 3 Feb 2010 10:14:56 -0500
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com>
References: <4B697203.6020101@googlemail.com> <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com>
Message-ID: <314cf0831002030714i7e4d2742see928b103ef240ae@mail.gmail.com>

No. Not sure what you are trying to do here, but... No.

If you are trying to translate "%F0" to the ASCII equivalent, that's what you need to put in the content match, but |F0| is not correct.

J

On Wed, Feb 3, 2010 at 8:41 AM, Mike Cox wrote:
> If you are doing a uricontent match, wouldn't it match against the
> normalized URI buffer so you would need to look for
> 'uricontent:"ms-its:|F0|:";' instead of 'uricontent:"ms-its:%F0:";'?
>
> -Mike Cox
>
>
> On Wed, Feb 3, 2010 at 6:54 AM, Wolvee wrote:
>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE6 browser crash Attempt(ms-its:%F0:)"; flow:to_server,established; uricontent:"ms-its:%F0:"; nocase; classtype:web-application-attack; reference:url,www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6/; sid:xxxxxx; rev:1;)
>>
>>
>> Thanks,
>> Wolvee..
--
Joel Esler


From eslerj at gmail.com Wed Feb 3 10:17:17 2010
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 3 Feb 2010 10:17:17 -0500
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt
Message-ID: <314cf0831002030717y72a62bfax9f1b55016933fbf@mail.gmail.com>

If you are going to invoke PCRE to do the check, why not do the negative "content" match in the pcre as well. I don't think it makes any sense to have both..

J

On Wed, Feb 3, 2010 at 8:07 AM, Kevin Ross wrote:
> Here are some sigs, and as far as I understand it snort should be fine with the
> isdataat match at 60000 (the buffer overflow is actually triggered about the
> 100000ish mark)?
>
> I have also attached the sigs I sent the other day that weren't posted so
> all my posted sigs are together.
>
> Regards, Kev
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; uricontent:".ass"; nocase; classtype:not-suspicious; flowbits:set,ET.ass.request; flowbits:noalert; sid:16000011; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; pcre:"/Dialogue.{60000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37832/info; sid:16000012; rev:1;)
>
> # These are ones I sent you also the other day
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; classtype:attempted-admin; reference:url,www.securityfocus.com/bid/38010; sid:18000211; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/MEDIA SIZE.{200}/smi"; classtype:attempted-user; reference:cve,2009-3050; sid:18000218; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:42000,relative; content:!"|0A|"; within:42000; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX admin/config.php Password Information Disclosure Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"userdisplay="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+userdisplay\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37848; sid:18000212; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX config.php SQL Injection Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"filter="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+filter\x3D.+(SELECT.+FROM|DELETE.+FROM|UPDATE.+SET|INSERT.+INTO|UNION.+SELECT)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37847; sid:18000213; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37834; sid:18000214; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; uricontent:"/zport/dmd/ZenUsers/admin"; nocase; uricontent:"defaultAdminLevel"; nocase; uricontent:"manage_editUserSettings"; nocase; uricontent:"method=Save"; nocase; uricontent:"password="; nocase; uricontent:"zenScreenName=editUserSettings"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000215; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; uricontent:"commandId="; nocase; pcre:"/\x2Fzport\x2Fdmd\x2FDevices\x2Fdevices\x2Flocalhost\x2Fmanage\x5FdoUserCommand.+commandId\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000216; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/userCommands/ping"; nocase; uricontent:"commandId=ping"; nocase; uricontent:"manage_editUserCommand"; nocase; uricontent:"ScreenName=userCommandDetail"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000217; rev:1;)
>

--
Joel Esler
From jonkman at jonkmans.com Wed Feb 3 10:27:09 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 10:27:09 -0500
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <9255886c1002030553s6502f980w29c4dc7a411b3253@mail.gmail.com>
References: <4B697203.6020101@googlemail.com> <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com> <9255886c1002030553s6502f980w29c4dc7a411b3253@mail.gmail.com>
Message-ID: <4B6995CD.806@jonkmans.com>

Ya, this is a local thing, we shouldn't ever see it cross the network...

Matt

On 2/3/10 8:53 AM, Rodrigo Montoro(Sp0oKeR) wrote:
> Looking to the post ( www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6 )
> 2 situations that I figured out
>
> 1-) at URI it'll not generate network traffic since it seems to be
> something local.
>
> 2-) maybe IF some embedded html with this code could cause DoS. I don't
> have any IE6 for test.
>
> Regards,
>
>
> On Wed, Feb 3, 2010 at 5:30 AM, rmkml wrote:
>> Hi Mike and Wolvee,
>> thx for this sigs,
>> but are you sure uricontent and flow_toserver are good for detecting IE DoS ?
>> Regards
>> Rmkml
>>
>>
>> On Wed, 3 Feb 2010, Mike Cox wrote:
>>
>>> If you are doing a uricontent match, wouldn't it match against the
>>> normalized URI buffer so you would need to look for
>>> 'uricontent:"ms-its:|F0|:";' instead of 'uricontent:"ms-its:%F0:";'?
>>>
>>> -Mike Cox
>>>
>>> On Wed, Feb 3, 2010 at 6:54 AM, Wolvee wrote:
>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE6 browser crash Attempt(ms-its:%F0:)"; flow:to_server,established; uricontent:"ms-its:%F0:"; nocase; classtype:web-application-attack; reference:url,www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6/; sid:xxxxxx; rev:1;)
>>>>
>>>>
>>>> Thanks,
>>>> Wolvee..
>>>>
>>>
>>
>

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From kevross33 at googlemail.com Wed Feb 3 10:27:45 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 3 Feb 2010 15:27:45 +0000
Subject: [Emerging-Sigs] SIG Sasfis Botnet C&C Checkin

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet C&C Checkin"; flow:established,to_server; uricontent:"/master/bb.php"; nocase; uricontent:"id="; nocase; uricontent:"v="; nocase; uricontent:"tm="; nocase; uricontent:"b="; nocase; pcre:"/\x2Fmaster\x2Fbb\x2Ephp.+id\x3D[0-9].+v\x3D[0-9].+tm\x3D[0-9].+b\x3D/Ui"; classtype:trojan-activity; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330001; rev:1;)

Based on this www.fortiguard.com/analysis/sasfisanalysis.html

Kev
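The VLC/.ass, Xerox PJL and HTMLDOC sigs quoted in Joel Esler's reply above all pair isdataat:N,relative; content:!"|0A|"; within:N with a pcre of the form /anchor.{N}/smi. Joel suggests folding the negative content match into the pcre, Shyaam suggests dropping the pcre altogether, and Kevin later asks what the negated form would look like. The Python below is an added example, not code from the list or from Emerging Threats: it models the three variants over constructed PJL lines and shows that, because the s flag lets "." match a newline, the pcre as posted does not enforce the no-newline condition on its own; [^\n]{55} is the form that does. The function names are this example's own, not Snort options.

```python
"""
Added example (not from the list posts): model the two ways the buffer-overflow
sigs on this page express "N bytes after the anchor with no newline", and show
why the pcre as posted does not perform that check by itself.
"""
import re

ANCHOR = b"ENTER LANGUAGE ="   # content match from the Xerox PJL sig (nocase)
N = 55                         # isdataat:55,relative / within:55 / .{55}

# Constructed PJL lines used only to exercise the detection logic.
SAMPLES = {
    "benign":     b"@PJL ENTER LANGUAGE = PCL\r\n@PJL JOB\r\n",
    "overlong":   b"@PJL ENTER LANGUAGE = " + b"A" * 80 + b"\r\n",
    "lf_inside":  b"@PJL ENTER LANGUAGE = " + b"A" * 20 + b"\n" + b"B" * 60 + b"\r\n",
    "lower_case": b"@pjl enter language = " + b"A" * 80 + b"\r\n",
}


def content_chain(payload: bytes) -> bool:
    """Model of: content:"ENTER LANGUAGE ="; nocase; isdataat:55,relative;
    content:!"|0A|"; within:55.  Snort evaluates the negated content relative
    to the end of the previous match; isdataat is modelled as "at least N
    bytes follow the match"."""
    idx = payload.lower().find(ANCHOR.lower())
    if idx < 0:
        return False
    tail = payload[idx + len(ANCHOR):]
    if len(tail) < N:                # isdataat:55,relative
        return False
    return b"\n" not in tail[:N]     # content:!"|0A|"; within:55


# pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi" as posted: with the s flag '.'
# also matches '\n', so this only proves that 55 bytes follow the anchor.
PCRE_AS_POSTED = re.compile(rb"ENTER\x20LANGUAGE\x20\x3D.{55}", re.S | re.M | re.I)

# The same check with the negative content match folded in: [^\n] instead of '.'
PCRE_WITH_NEGATION = re.compile(rb"ENTER\x20LANGUAGE\x20\x3D[^\n]{55}", re.S | re.M | re.I)


def pcre_as_posted(payload: bytes) -> bool:
    return PCRE_AS_POSTED.search(payload) is not None


def pcre_with_negation(payload: bytes) -> bool:
    return PCRE_WITH_NEGATION.search(payload) is not None


def evaluate(payload: bytes) -> dict:
    """Run all three checks so the differences are visible side by side."""
    return {
        "content_chain": content_chain(payload),
        "pcre_as_posted": pcre_as_posted(payload),
        "pcre_with_negation": pcre_with_negation(payload),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:11s} {evaluate(payload)}")
```

On the lf_inside sample the content chain and the [^\n] form stay quiet while the pcre as posted fires, which is the redundancy both replies point at: either keep the content chain and drop the pcre, or move the negation into the pcre and drop the content:!"|0A|" check.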
From kevross33 at googlemail.com Wed Feb 3 10:38:17 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 3 Feb 2010 15:38:17 +0000
Subject: [Emerging-Sigs] SIG: Sasfis Botnet Client Reporting Back to Controller After Command Execution

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution"; flow:established,to_server; uricontent:"/loader/bb.php"; nocase; uricontent:"id="; nocase; content:"v="; nocase; content:"tm="; nocase; uricontent:"tid="; nocase; uricontent:"r="; nocase; pcre:"/\x2Floader\x2Fbb\x2Ephp.+id\x3D[0-9].+v\x3D[0-9].+tm\x3D[0-9].+b\x3D.+tid\x3D[0-9].+r\x3D(0|00|1)/Ui"; classtype:trojan-activity; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330002; rev:1;)

Kev


From shyaam at gmail.com Wed Feb 3 10:45:21 2010
From: shyaam at gmail.com (Shyaam)
Date: Wed, 3 Feb 2010 15:45:21 +0000
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt
In-Reply-To: <314cf0831002030717y72a62bfax9f1b55016933fbf@mail.gmail.com>
References: <314cf0831002030717y72a62bfax9f1b55016933fbf@mail.gmail.com>

PCRE induces overhead to the signature. Since you have already inserted it into the content, I think that content should do the trick. Hence, the PCRE part can be removed.

On Wed, Feb 3, 2010 at 3:17 PM, Joel Esler wrote:
> If you are going to invoke PCRE to do the check, why not do the negative
> "content" match in the pcre as well. I don't think it makes any sense to
> have both..
>
> J
> --
> Joel Esler

--
Thank you in advance for your time and consideration.

Kind Regards,
Shyaam Sundhar R.S.
www.EvilFingers.com
www.RootkitAnalytics.com
Certs: GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA, GCIH, CAS


From jonkman at jonkmans.com Wed Feb 3 10:52:57 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 10:52:57 -0500
Subject: [Emerging-Sigs] SIG: Sasfis Botnet Client Reporting Back to Controller After Command Execution
Message-ID: <4B699BD9.5090609@jonkmans.com>

Posted, thanks Kevin!
Matt

On 2/3/10 10:38 AM, Kevin Ross wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution"; flow:established,to_server; uricontent:"/loader/bb.php"; nocase; uricontent:"id="; nocase; content:"v="; nocase; content:"tm="; nocase; uricontent:"tid="; nocase; uricontent:"r="; nocase; pcre:"/\x2Floader\x2Fbb\x2Ephp.+id\x3D[0-9].+v\x3D[0-9].+tm\x3D[0-9].+b\x3D.+tid\x3D[0-9].+r\x3D(0|00|1)/Ui"; classtype:trojan-activity; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330002; rev:1;)

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From jonkman at jonkmans.com Wed Feb 3 11:11:31 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 11:11:31 -0500
Subject: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV), and proposed modification to SID 2009354
In-Reply-To: <839aec701002030705p37d146bn599fd74040eae82d@mail.gmail.com>
References: <617fc350912031726j398f8ddfide889ab566bc0e66@mail.gmail.com> <839aec700912040901n3c466a25g53a28bef5c84b799@mail.gmail.com> <839aec701002030705p37d146bn599fd74040eae82d@mail.gmail.com>
Message-ID: <4B69A033.4030507@jonkmans.com>

Good solution, thanks Darren!

Matt

On 2/3/10 10:05 AM, Darren Spruell wrote:
> *Bump*
>
> 2010381 and 2008337 are dupes and the malware is Gibon or Syrutrk. How
> about dropping 2008337 and doing a mod on the other?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Syrutrk/Gibon Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; sid:2010381; rev:3;)
>
> DS
>
> On Fri, Dec 4, 2009 at 10:01 AM, Darren Spruell wrote:
>> Thanks.
>>
>> 2008337 looks to identify, no?
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.dvs or Related DDOS Checkin"; flow:established,to_server; content:"GET ?ddos=x"; depth:11; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Small.dvs; sid:2008337; rev:2;)
>>
>> Probably only need one of them, would suggest rule msg update to
>> reflect common name Gibon.
>>
>> DS
>>
>>
>> On Thu, Dec 3, 2009 at 6:26 PM, gilou wrote:
>>> The "?ddos=" request is from Gibon.
>>>
>>> As an additional reference, here is a ThreatExpert report for another
>>> variant of Gibon:
>>> http://www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865
>>>
>>>
>>>
>>>> ------------------------------
>>>>
>>>> Date: Wed, 2 Dec 2009 12:43:08 -0700
>>>> From: Darren Spruell
>>>> Subject: Re: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV),
>>>> and proposed modification to SID 2009354
>>>> To: "evilghost at packetmail.net"
>>>> Cc: "emerging-sigs at emergingthreats.net"
>>>>
>>>> Message-ID:
>>>> <839aec700912021143o3aaea5a5r7f193a4c0d340e29 at mail.gmail.com>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> The match on ?ddos=x7x29x1x36x32x27x16x29x32x31x17x27x7x36x29x18x30x9x33x27x13x29x0x7
>>>> isn't Bredolab, it's something else (I presume a DDoS bot). The
>>>> Bredolab communication is that referencing
>>>> youaskedthedomain.cn/spl/controller.php[...].
>>>>
>>>> Anybody recognize it?
>>>>
>>>> DS
>>>>
>>>>
>>>> On Mon, Nov 30, 2009 at 2:11 PM, evilghost at packetmail.net
>>>> wrote:
>>>>> SID 2009354, based on http://threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 I suggest changing the uricontent:"&entity="; to uricontent:"&entity";
>>>>>
>>>>> Proposed new signatures below:
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009xxx; rev:1;)
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; nocase; uricontent:"affid="; nocase; uricontent:"subid="; nocase; uricontent:"type="; nocase; uricontent:"version="; nocase; uricontent:"adware"; nocase; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; sid:2009xxx; rev:1;)
>>>>>
>>>>> Comments/flames welcome.
>>>>>
>>>>> -evilghost
>>>>
>>>>
>>>> --
>>>> Darren Spruell
>>>> phatbuckett at gmail.com
>>>
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From kevross33 at googlemail.com Wed Feb 3 11:13:32 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 3 Feb 2010 16:13:32 +0000
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt
In-Reply-To: <314cf0831002030717y72a62bfax9f1b55016933fbf@mail.gmail.com>
References: <314cf0831002030717y72a62bfax9f1b55016933fbf@mail.gmail.com>

So is it best just to forget the PCRE on the buffer overflow sigs altogether? Also, how would a negative content match in the pcre look, for example in this pcre: pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; ?

On 3 February 2010 15:17, Joel Esler wrote:
> If you are going to invoke PCRE to do the check, why not do the negative
> "content" match in the pcre as well. I don't think it makes any sense to
> have both..
>
> J
Tshirts, Coffee Mugs and >> Lanyards >> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >> > > > > -- > Joel Esler > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100203/f5326354/attachment.html From evilghost at packetmail.net Wed Feb 3 11:14:13 2010 From: evilghost at packetmail.net (evilghost@packetmail.net) Date: Wed, 3 Feb 2010 10:14:13 -0600 Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign) In-Reply-To: <839aec701002021243p4a6e7c06h9d8807c07c392c1a@mail.gmail.com> References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com> <4B686CFB.6000506@jonkmans.com> <4B687019.4020001@packetmail.net> <839aec701002021243p4a6e7c06h9d8807c07c392c1a@mail.gmail.com> Message-ID: <4B69A0D5.5010204@packetmail.net> *BUMP*. Darren Spruell wrote: > Agreed, seems like they'll be fine. > > DS > > On Tue, Feb 2, 2010 at 11:34 AM, evilghost at packetmail.net > wrote: > >> My vote - Try the Mike Cox signatures, if they false like the current >> Oficla is, then we revert to a PCRE with ordering and write multiple >> signatures to account for the ordering differences that Darren identified. 
>>
>> These would be:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:2;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)
>>
>> -evilghost
>>
>> Matt Jonkman wrote:
>>
>>> Great discussion! Can I ask for a final sig from the working group here
>>> then? :)
>>>
>>> Which will be the way to go? (sorry, I'm time-bandwidth limited this
>>> week so can't really hop in to slug it out for a few days)
>>>
>>> Matt
>>>
>>> On 2/1/10 2:49 PM, Mike Cox wrote:
>>>
>>>> Whoops, I responded to the wrong thread. This should have been for the
>>>> Oficla thread. Sorry about that.
>>>>
>>>> --Mike Cox
>>>>
>>>> On Mon, Feb 1, 2010 at 1:47 PM, Mike Cox wrote:
>>>>
>>>> I sent this last week but it never made it thru to the list (maybe
>>>> it got spam filtered because of the link?). I am seeing FPs on
>>>> strings like this (you will need to base64 decode it)
>>>>
>>>> Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAyX19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMmdj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29tLyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw==
>>>>
>>>> So I say we try no PCRE (yet) but use '&' on some of the
>>>> parameters. We would only need two rules then:
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:2;)
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)
>>>>
>>>> -Mike Cox
>>>>
>>>> On Mon, Feb 1, 2010 at 12:59 PM, Darren Spruell wrote:
>>>>
>>>> ZeuS/Zbot config and dropzone URLs are all over the place and don't
>>>> follow a standard convention (they're configurable on the
>>>> server/builder side). You could argue that they're appropriate for
>>>> current events detection at best, probably.
>>>>
>>>> Examples:
>>>>
>>>> https://zeustracker.abuse.ch/monitor.php?browse=configs
>>>>
>>>> DS.
>>>>
>>>> On Mon, Feb 1, 2010 at 11:30 AM, dn1nj4 wrote:
>>>> > After a thorough review of captures from another 40 Zbot samples this AM, I
>>>> > see two additional, consistent request types:
>>>> >
>>>> > GET /1cfg.bin HTTP/1.0
>>>> > Accept: */*
>>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>>>> > Host:
>>>> > Pragma: no-cache
>>>> >
>>>> > GET /conf.sts HTTP/1.1
>>>> > Accept: */*
>>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>>>> > Host:
>>>> > Pragma: no-cache
>>>> >
>>>> > And one outlier (only 1 sample that did this)...
>>>> >
>>>> > GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1
>>>> > Accept: */*
>>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>>>> > Host: www.rusibank.com
>>>> > Pragma: no-cache
>>>> >
>>>> > The rule I'm running locally to catch everything I've seen thus far, minus
>>>> > the outlier:
>>>> >
>>>> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010999; rev:3;)
>>>> >
>>>> > Thoughts?
>>>> >
>>>> > dn1nj4
>>>> >
>>>> > On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 wrote:
>>>> >> I just ran across another Zbot sample with the following header:
>>>> >>
>>>> >> GET /immagini/eg.bin HTTP/1.1
>>>> >> Accept: */*
>>>> >> Connection: Close
>>>> >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>>>> >> Host: www.ato5enna.it
>>>> >> Pragma: no-cache
>>>> >>
>>>> >> Would it be better to drop the Win32 and add eg.bin to the pcre or create
>>>> >> an entirely different signature? Also, classification should be classtype.
>>>> >>
>>>> >> dn1nj4
>>>> >>
>>>> >>> Date: Mon, 01 Feb 2010 06:47:43 -0800
>>>> >>> From: dn1nj4
>>>> >>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2
>>>> >>> To:
>>>> >>> Message-ID:
>>>> >>> Content-Type: text/plain; charset="UTF-8"
>>>> >>>
>>>> >>> Thanks for the feedback. Drawing on evilghost and Mike's recommendations:
>>>> >>>
>>>> >>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classification:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:3;)
>>>>
>>>> --
>>>> Darren Spruell
>>>> phatbuckett at gmail.com

From shyaam at gmail.com Wed Feb 3 11:18:07 2010
From: shyaam at gmail.com (Shyaam)
Date: Wed, 3 Feb 2010 16:18:07 +0000
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt
In-Reply-To:
References: <314cf0831002030717y72a62bfax9f1b55016933fbf@mail.gmail.com>
Message-ID:

Hello Kevin,

I don't think that the intent here was to forget the PCRE. But in this case
alone, the content and PCRE resolves to the same right. Hence, why match on
the same thing in 2 different ways.

Shyaam

On Wed, Feb 3, 2010 at 4:13 PM, Kevin Ross wrote:
> so is it best just to forget the PCRE on the buffer overflow sigs
> altogether?
> Also how would a negative content match in the pcre look for
> example in this pcre: pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; ?
>
> On 3 February 2010 15:17, Joel Esler wrote:
>
>> If you are going to invoke PCRE to do the check, why not do the negative
>> "content" match in the pcre as well. I don't think it makes any sense to
>> have both..
>>
>> J
>>
>> On Wed, Feb 3, 2010 at 8:07 AM, Kevin Ross wrote:
>>
>>> Here are some sigs, and as far as I understand it snort should be fine
>>> the isdataat match at 60000 (the buffer overflow is actually triggered about
>>> the 100000ish mark)?
>>>
>>> I have also attached the sigs I sent the other day that weren't posted so
>>> all my posted sigs are together.
>>>
>>> Regards, Kev
>>
>> --
>> Joel Esler

--
Thank you in advance for your time and consideration.
Kind Regards,
Shyaam Sundhar R.S.
www.EvilFingers.com
www.RootkitAnalytics.com

Certs:
GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA, GCIH, CAS

From jonkman at jonkmans.com Wed Feb 3 11:35:43 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 11:35:43 -0500
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt
In-Reply-To:
References:
Message-ID: <4B69A5DF.7080805@jonkmans.com>

Separating this thread out so we can discuss.

Added the VLC sigs, thanks Kevin!

Matt

On 2/3/10 8:07 AM, Kevin Ross wrote:
> Here are some sigs, and as far as I understand it snort should be fine
> the isdataat match at 60000 (the buffer overflow is actually triggered
> about the 100000ish mark)?
>
> I have also attached the sigs I sent the other day that weren't posted so
> all my posted sigs are together.
>
> Regards, Kev

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From eslerj at gmail.com Wed Feb 3 11:48:24 2010
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 3 Feb 2010 11:48:24 -0500
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt
In-Reply-To:
References: <314cf0831002030717y72a62bfax9f1b55016933fbf@mail.gmail.com>
Message-ID: <314cf0831002030848g663af74aqddb93db9aa603c4a@mail.gmail.com>

Essentially, yes, this is what I was saying.

Kevin,

To answer your previous email, take a look at the format for the CLSID rules
that you got from the VRT set. There are negatives in pcre in there. That
should provide what you want. (I'm a believer in giving people a direction to
figure it out on their own. I believe you don't learn by giving someone the
answer, you provide them the tools to learn it for themselves)

J

On Wed, Feb 3, 2010 at 11:18 AM, Shyaam wrote:
> Hello Kevin,
>
> I don't think that the intent here was to forget the PCRE. But in this case
> alone, the content and PCRE resolves to the same right. Hence, why match on
> the same thing in 2 different ways.
>
> Shyaam
>
> On Wed, Feb 3, 2010 at 4:13 PM, Kevin Ross wrote:
>
>> so is it best just to forget the PCRE on the buffer overflow sigs
>> altogether? Also how would a negative content match in the pcre look for
>> example in this pcre: pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; ?
>>
>> On 3 February 2010 15:17, Joel Esler wrote:
>>
>>> If you are going to invoke PCRE to do the check, why not do the negative
>>> "content" match in the pcre as well. I don't think it makes any sense to
>>> have both..
>>> >>> J >>> >>> On Wed, Feb 3, 2010 at 8:07 AM, Kevin Ross wrote: >>> >>>> Here are some sigs, and as far as I understand it snort should be fine >>>> the isdataat match at 60000 (the buffer overflow is actually triggered about >>>> the 100000ish mark)? >>>> >>>> I hae also attached the sigs I sent the other day that weren't posted so >>>> all my posted sigs are together. >>>> >>>> Regards, Kev >>>> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT >>>> VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit >>>> set"; flow:established,to_server; uricontent:".ass"; nocase; >>>> classtype:not-suspicious; flowbits:set,ET.ass.request; flowbits:noalert; >>>> sid:16000011; rev:1;) >>>> >>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT >>>> VLC Media Player .ass File Buffer Overflow Attempt"; >>>> flowbits:isset,ET.ass.request; flow:established,to_client; >>>> content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; >>>> within:60000; pcre:"/Dialogue.{60000}/smi"; classtype:attempted-user; >>>> reference:url,www.securityfocus.com/bid/37832/info; sid:16000012; >>>> rev:1;) >>>> >>>> # These are ones I sent you also the other day >>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox >>>> WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; >>>> content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; >>>> content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; >>>> classtype:attempted-admin; reference:url, >>>> www.securityfocus.com/bid/38010; sid:18000211; rev:1;) >>>> >>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT >>>> Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer >>>> Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; >>>> isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/MEDIA >>>> SIZE.{200}/smi"; 
classtype:attempted-user; reference:cve,2009-3050; sid:18000218; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:42000,relative; content:!"|0A|"; within:42000; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX admin/config.php Password Information Disclosure Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"userdisplay="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+userdisplay\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37848; sid:18000212; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX config.php SQL Injection Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"filter="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+filter\x3D.+(SELECT.+FROM|DELETE.+FROM|UPDATE.+SET|INSERT.+INTO|UNION.+SELECT)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37847; sid:18000213; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; pcre:"/<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37834; sid:18000214; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; uricontent:"/zport/dmd/ZenUsers/admin"; nocase; uricontent:"defaultAdminLevel"; nocase; uricontent:"manage_editUserSettings"; nocase; uricontent:"method=Save"; nocase; uricontent:"password="; nocase; uricontent:"zenScreenName=editUserSettings"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000215; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; uricontent:"commandId="; nocase; pcre:"/\x2Fzport\x2Fdmd\x2FDevices\x2Fdevices\x2Flocalhost\x2Fmanage\x5FdoUserCommand.+commandId\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000216; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/userCommands/ping"; nocase; uricontent:"commandId=ping"; nocase; uricontent:"manage_editUserCommand"; nocase; uricontent:"ScreenName=userCommandDetail"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000217; rev:1;)
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>>>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>>>
>>> --
>>> Joel Esler
>
> --
> Thank you in advance for your time and consideration.
> Kind Regards,
> Shyaam Sundhar R.S.
> www.EvilFingers.com
> www.RootkitAnalytics.com
>
> Certs:
> GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA, GCIH, CAS

--
Joel Esler

From spooker at gmail.com Wed Feb 3 11:55:34 2010
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Wed, 3 Feb 2010 14:55:34 -0200
Subject: [Emerging-Sigs] SIG Sasfis Botnet C&C Checkin
Message-ID: <9255886c1002030855s186d1019s653c5fadbfa80f44@mail.gmail.com>

Why do we need the pcre?

I think the rule is good without PCRE.
Regards,

On Wed, Feb 3, 2010 at 1:27 PM, Kevin Ross wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet C&C Checkin"; flow:established,to_server; uricontent:"/master/bb.php"; nocase; uricontent:"id="; nocase; uricontent:"v="; nocase; uricontent:"tm="; uricontent:"b="; nocase; pcre:"/\x2Fmaster\x2Fbb\x2Ephp.+b\x3B[0-9].+v\x3D[0-9]rm\x3D[0-9].+b\x3D/Ui"; classtype:trojan-activity; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330001; rev:1;)
>
> Based on this www.fortiguard.com/analysis/sasfisanalysis.html
> Kev

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From jonkman at jonkmans.com Wed Feb 3 11:58:51 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 11:58:51 -0500
Subject: [Emerging-Sigs] 3 sigs
Message-ID: <4B69AB4B.5070009@jonkmans.com>

These three scare me a bit. Comments below:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/MEDIA SIZE.{200}/smi"; classtype:attempted-user; reference:cve,2009-3050; sid:2010760; rev:1;)

I think we're looking at massive FP possibilities. Just having an html page with MEDIA SIZE and 200 more characters will trip it.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:42000,relative; content:!"|0A|"; within:42000; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)

Concerns here too for falses. Anything we can do to tighten it up? If not we can run with it.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX admin/config.php Password Information Disclosure Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"userdisplay="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+userdisplay\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37848; sid:18000212; rev:1;)

Very common phrases there. Anything else we can add?

Thanks

Matt

On 2/3/10 8:07 AM, Kevin Ross wrote:
> Here are some sigs, and as far as I understand it snort should be fine the isdataat match at 60000 (the buffer overflow is actually triggered about the 100000ish mark)?
>
> I have also attached the sigs I sent the other day that weren't posted so all my posted sigs are together.
>
> Regards, Kev
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; uricontent:".ass"; nocase; classtype:not-suspicious; flowbits:set,ET.ass.request; flowbits:noalert; sid:16000011; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; pcre:"/Dialogue.{60000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37832/info; sid:16000012; rev:1;)
>
> # These are ones I sent you also the other day
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; classtype:attempted-admin; reference:url,www.securityfocus.com/bid/38010; sid:18000211; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/MEDIA SIZE.{200}/smi"; classtype:attempted-user; reference:cve,2009-3050; sid:18000218; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:42000,relative; content:!"|0A|"; within:42000; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX admin/config.php Password Information Disclosure Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"userdisplay="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+userdisplay\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37848; sid:18000212; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX config.php SQL Injection Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"filter="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+filter\x3D.+(SELECT.+FROM|DELETE.+FROM|UPDATE.+SET|INSERT.+INTO|UNION.+SELECT)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37847; sid:18000213; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; pcre:"/<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37834; sid:18000214; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; uricontent:"/zport/dmd/ZenUsers/admin"; nocase; uricontent:"defaultAdminLevel"; nocase; uricontent:"manage_editUserSettings"; nocase; uricontent:"method=Save"; nocase; uricontent:"password="; nocase; uricontent:"zenScreenName=editUserSettings"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000215; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; uricontent:"commandId="; nocase; pcre:"/\x2Fzport\x2Fdmd\x2FDevices\x2Fdevices\x2Flocalhost\x2Fmanage\x5FdoUserCommand.+commandId\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000216; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/userCommands/ping"; nocase; uricontent:"commandId=ping"; nocase; uricontent:"manage_editUserCommand"; nocase; uricontent:"ScreenName=userCommandDetail"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000217; rev:1;)

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From spooker at gmail.com Wed Feb 3 12:01:53 2010
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Wed, 3 Feb 2010 15:01:53 -0200
Subject: [Emerging-Sigs] SIG Sasfis Botnet C&C Checkin
In-Reply-To: <9255886c1002030855s186d1019s653c5fadbfa80f44@mail.gmail.com>
References: <9255886c1002030855s186d1019s653c5fadbfa80f44@mail.gmail.com>
Message-ID: <9255886c1002030901k3594c85axbdf940f09fa2daa1@mail.gmail.com>

Reading it better I suggest some modifications. I saw all those GETs:

GET /loader/bb.php?id=573722615&v=200&tm=292&b=31,12
GET /mld/bb.php?id=573722615&v=200&tm=37&b=do&tid=7&r=000 HTTP/1.1
GET /loader/bb.php?id=573722615&v=200&tm=323&b=31,12&tid=3&r=1
GET /master/bb.php?id=573722615&v=200&tm=50&b=biguprus&tid=18&r=1

What is common is bb.php, id=, v=, tm=.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet C&C Checkin"; flow:established,to_server; uricontent:"bb.php"; nocase; uricontent:"id="; nocase; uricontent:"v="; nocase; uricontent:"tm="; nocase; classtype:trojan-activity; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330001; rev:1;)

What do you think? In my opinion it'll be generic for all cases at this reference.

Regards,

On Wed, Feb 3, 2010 at 2:55 PM, Rodrigo Montoro(Sp0oKeR) wrote:
> Why do we need the pcre?
>
> I think the rule is good without PCRE.
>
> Regards,
>
> On Wed, Feb 3, 2010 at 1:27 PM, Kevin Ross wrote:
>> [...]
>>
>> Based on this www.fortiguard.com/analysis/sasfisanalysis.html
>> Kev
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From eslerj at gmail.com Wed Feb 3 12:07:16 2010
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 3 Feb 2010 12:07:16 -0500
Subject: [Emerging-Sigs] SIG Sasfis Botnet C&C Checkin
In-Reply-To: <9255886c1002030855s186d1019s653c5fadbfa80f44@mail.gmail.com>
References: <9255886c1002030855s186d1019s653c5fadbfa80f44@mail.gmail.com>
Message-ID: <314cf0831002030907r4e1c8311l3e789807b3401be2@mail.gmail.com>

Agreed.

J

On Wed, Feb 3, 2010 at 11:55 AM, Rodrigo Montoro(Sp0oKeR) wrote:
> Why do we need the pcre?
>
> I think the rule is good without PCRE.
>
> Regards,
>
> On Wed, Feb 3, 2010 at 1:27 PM, Kevin Ross wrote:
> > [...]
> >
> > Based on this www.fortiguard.com/analysis/sasfisanalysis.html
> > Kev
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker

--
Joel Esler
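Added example, not code from any message in this thread: a small Python emulation of how Snort evaluates the uricontent and pcre options of the Sasfis check-in rule, run over the four check-in URIs Rodrigo pasted above. It shows that the pcre as posted cannot match any of them (so the rule never fires), that the uricontent-only revision matches all four, and, as a caveat on dropping the pcre entirely, that bare parameter-name substrings such as id= and tm= also occur inside ordinary ad-server parameter names. The benign URI and CORRECTED_PCRE are this example's own assumptions, not rules from the list.

```python
import re
from typing import Dict, List

# Check-in request URIs quoted on the list (constructed test corpus for this
# example; the values are the ones pasted in the thread, not live traffic).
CHECKIN_URIS = [
    "/loader/bb.php?id=573722615&v=200&tm=292&b=31,12",
    "/mld/bb.php?id=573722615&v=200&tm=37&b=do&tid=7&r=000",
    "/loader/bb.php?id=573722615&v=200&tm=323&b=31,12&tid=3&r=1",
    "/master/bb.php?id=573722615&v=200&tm=50&b=biguprus&tid=18&r=1",
]

# Constructed, hypothetical ad-server style URI: benign, but it contains the
# substrings "id=", "v=" and "tm=" inside longer parameter names.
BENIGN_URI = (
    "/www/delivery/ck.php?oaparams=2__bannerid=104777__zoneid=502"
    "__cb=a6239fed5d__ptm=374__rev=3"
)


def uricontent_match(uri: str, needles: List[str]) -> bool:
    """Emulate a chain of `uricontent:"..."; nocase;` options.

    Each needle only has to occur somewhere in the URI, case-insensitively;
    independent uricontent options impose no order or adjacency on each other.
    """
    lowered = uri.lower()
    return all(needle.lower() in lowered for needle in needles)


def pcre_match(uri: str, pattern: str) -> bool:
    """Emulate `pcre:"/<pattern>/Ui"`: unanchored, case-insensitive search.

    Snort's U modifier selects the normalized URI buffer; the URI is handed in
    directly here, so only the i modifier needs an equivalent.
    """
    return re.search(pattern, uri, re.IGNORECASE) is not None


# Option sets exactly as they appear in the thread.
POSTED_URICONTENT = ["/master/bb.php", "id=", "v=", "tm=", "b="]
POSTED_PCRE = r"\x2Fmaster\x2Fbb\x2Ephp.+b\x3B[0-9].+v\x3D[0-9]rm\x3D[0-9].+b\x3D"
GENERIC_URICONTENT = ["bb.php", "id=", "v=", "tm="]

# Assumed corrected reading of the posted pcre (this example's own, not a rule
# from the list): numeric id, v and tm in that order, each anchored to its own
# "?" or "&" so that "bannerid=" or "ptm=" cannot satisfy it.
CORRECTED_PCRE = r"\x2Fbb\x2Ephp\x3Fid\x3D[0-9]+\x26v\x3D[0-9]+\x26tm\x3D[0-9]+\x26b\x3D"


def posted_rule(uri: str) -> bool:
    """The rule as posted: every uricontent AND the pcre must match."""
    return uricontent_match(uri, POSTED_URICONTENT) and pcre_match(uri, POSTED_PCRE)


def generic_rule(uri: str) -> bool:
    """Rodrigo's revision: uricontent only, no pcre."""
    return uricontent_match(uri, GENERIC_URICONTENT)


def corrected_rule(uri: str) -> bool:
    """Generic uricontent set plus the assumed corrected pcre."""
    return generic_rule(uri) and pcre_match(uri, CORRECTED_PCRE)


def evaluate(uris: List[str]) -> Dict[str, Dict[str, bool]]:
    """Run all three rule variants over a list of URIs and return the verdicts."""
    return {
        uri: {
            "posted": posted_rule(uri),
            "generic": generic_rule(uri),
            "corrected": corrected_rule(uri),
        }
        for uri in uris
    }


if __name__ == "__main__":
    for uri, verdicts in evaluate(CHECKIN_URIS + [BENIGN_URI]).items():
        print(f"{uri}\n    {verdicts}")
```

Running it prints a verdict per URI: the posted rule is False for all four check-ins because nothing in them matches `b\x3B[0-9]` or `v\x3D[0-9]rm\x3D`, the generic rule is True for all four, and `uricontent_match(BENIGN_URI, ["id=", "v=", "tm="])` is True, which is why the generic form leans entirely on "bb.php" for its precision. Anchoring each parameter to its preceding "&" or "?", as CORRECTED_PCRE does, keeps the order check without the typos.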
From jonkman at jonkmans.com Wed Feb 3 12:14:38 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 12:14:38 -0500
Subject: [Emerging-Sigs] SIG VLC Media Player .ass File Buffer Overflow Attempt
In-Reply-To: <4B69A5DF.7080805@jonkmans.com>
References: <4B69A5DF.7080805@jonkmans.com>
Message-ID: <4B69AEFE.4000404@jonkmans.com>

The remainder posted. Thanks Kevin!

Matt

On 2/3/10 11:35 AM, Matt Jonkman wrote:
> Separating this thread out so we can discuss. Added the VLC sigs, thanks Kevin!
>
> Matt
>
> On 2/3/10 8:07 AM, Kevin Ross wrote:
>> Here are some sigs, and as far as I understand it snort should be fine the isdataat match at 60000 (the buffer overflow is actually triggered about the 100000ish mark)?
>>
>> I have also attached the sigs I sent the other day that weren't posted so all my posted sigs are together.
>>
>> Regards, Kev
>>
>> [...]

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Feb 3 12:15:32 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 12:15:32 -0500
Subject: [Emerging-Sigs] SIG Sasfis Botnet C&C Checkin
In-Reply-To: <314cf0831002030907r4e1c8311l3e789807b3401be2@mail.gmail.com>
References: <9255886c1002030855s186d1019s653c5fadbfa80f44@mail.gmail.com> <314cf0831002030907r4e1c8311l3e789807b3401be2@mail.gmail.com>
Message-ID: <4B69AF34.1030208@jonkmans.com>

Modified! Thanks

On 2/3/10 12:07 PM, Joel Esler wrote:
> Agreed.
>
> J
>
> On Wed, Feb 3, 2010 at 11:55 AM, Rodrigo Montoro(Sp0oKeR) wrote:
>
> Why do we need the pcre?
>
> I think the rule is good without PCRE.
>
> Regards,
>
> On Wed, Feb 3, 2010 at 1:27 PM, Kevin Ross wrote:
> > [...]
> >
> > Based on this www.fortiguard.com/analysis/sasfisanalysis.html
> > Kev
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>
> --
> Joel Esler

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From wkitty42 at windstream.net Wed Feb 3 12:56:45 2010
From: wkitty42 at windstream.net (waldo kitty)
Date: Wed, 03 Feb 2010 12:56:45 -0500
Subject: [Emerging-Sigs] Updated Sig 2001669, was Strange GET - Requests
In-Reply-To: <4B6945CC.2030305@mare-system.de>
References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com> <1265142128.53439.56.camel@localhost> <9255886c1002021316j534457dbk9a8656e6aaed8d4f@mail.gmail.com> <4B6945CC.2030305@mare-system.de>
Message-ID: <4B69B8DD.8060506@windstream.net>

On 2/3/2010 04:45, mex wrote:
>
> yeah, right; i expected that in web_server.rules, not in policy; i usually don't load policy.rules.

me either... especially not with one looking outside... i could see being in POLICY if it were one (on the inside) watching outbound traffic...

> due to your and franks and other's suggestions i propose the following sig-update to cover this issue (and maybe place them in emerging-web_servers.rules??)
and alter the "ET POLICY" portion of the msg to also reflect the web_server file/category ;)

>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET "; depth:4; content:"\://"; nocase; within:10; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001669; rev:8;)
>
> Rodrigo Montoro(Sp0oKeR) wrote:
>> We have this rule already for part of http request at least =)

From phatbuckett at gmail.com Wed Feb 3 13:10:40 2010
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 3 Feb 2010 11:10:40 -0700
Subject: [Emerging-Sigs] SIG Sasfis Botnet C&C Checkin
Message-ID: <839aec701002031010v2fc3db3cyac7cdf26ff77555e@mail.gmail.com>

On Wed, Feb 3, 2010 at 8:27 AM, Kevin Ross wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet C&C Checkin"; flow:established,to_server; uricontent:"/master/bb.php"; nocase; uricontent:"id="; nocase; uricontent:"v="; nocase; uricontent:"tm="; uricontent:"b="; nocase; pcre:"/\x2Fmaster\x2Fbb\x2Ephp.+b\x3B[0-9].+v\x3D[0-9]rm\x3D[0-9].+b\x3D/Ui"; classtype:trojan-activity; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330001; rev:1;)
>
> Based on this www.fortiguard.com/analysis/sasfisanalysis.html

This is what's also commonly known as Oficla, see recent discussion on this list over the last few days.

The above sig is written to the analysis but the analysis fails to cover the big picture; script names and paths are variable (/master/bb.php isn't static, e.g.):

/blog/bb.php
/buzzo/det.php
/con/bb.php
/css/ss.php
/dmr/bb.php
/l/bb.php
/loader/bb.php
/master/bb.php
/mld/bb.php
/my/736006.php
/my/bb.php
/myl/bb.php
/mylo/bb.php
/packpack/bb.php
/park/bb.php
/t/scb.php
/update/bb.php

There seems to be a number of flaws in the pcre too that would cause it to not match. Probably best served keeping the outcome of thread '[Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign)' to eliminate dupes...

http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-February/006018.html

--
Darren Spruell
phatbuckett at gmail.com

From greencm at gmail.com Wed Feb 3 13:16:33 2010
From: greencm at gmail.com (Chris Green)
Date: Wed, 3 Feb 2010 12:16:33 -0600
Subject: [Emerging-Sigs] Fake AV download URI access
In-Reply-To: <839aec701002021017n36e209f5pa8d45a9f9b0cac59@mail.gmail.com>
References: <6116b9e20912220854p4c0e14c9sada81d329d88f806@mail.gmail.com> <4B316BC7.8020407@jonkmans.com> <1261604393.34379.36.camel@localhost> <6116b9e20912231407y55bf8ba9l72db28b2d148a75a@mail.gmail.com> <1261606352.34379.74.camel@localhost> <839aec701002021017n36e209f5pa8d45a9f9b0cac59@mail.gmail.com>

I really like both and wish I had a good indicator in the rules on which is which.

1) The attack - I like seeing the fake requests though they aren't actionable by themselves. If I notice they are all isolated to one network, plop in the blacklist unless a user complains.

2) The Executable download - Same but I can generally send a warning to affected users

3) An active infection - This system is checking in with something and we need to run an incident response process for it.
On Tue, Feb 2, 2010 at 12:17 PM, Darren Spruell wrote:
> When I put 2010347 together I intentionally left 'hitin.php' out of the picture because the fakeAVs have been a bit of a moving target and I didn't want to risk FNs should the page names change or become variable (as we've seen happen with a few HTTP C&C cases). If this were to happen we'd be out detection if not flagging the parameter-laden requests sans page name.
>
> That said, it's been my assumption that while the full scope of requests handled by /hitin.php would not be picked up by 2010347 that at some point in the infection chain every client will make that request at least once, giving a reliable detection. My view has been that it's not critical to pick up every request but rather flag on at least a single reliable indicator per compromise.
>
> --
> Darren Spruell
> phatbuckett at gmail.com

--
Chris Green

From mike.cox52 at gmail.com Wed Feb 3 13:34:02 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Wed, 3 Feb 2010 12:34:02 -0600
Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign)
In-Reply-To: <4B69A0D5.5010204@packetmail.net>
References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com> <4B686CFB.6000506@jonkmans.com> <4B687019.4020001@packetmail.net> <839aec701002021243p4a6e7c06h9d8807c07c392c1a@mail.gmail.com> <4B69A0D5.5010204@packetmail.net>
Message-ID: <6116b9e21002031034p7133d153q982eebe19a880f4c@mail.gmail.com>

*SET*

On Wed, Feb 3, 2010 at 10:14 AM, evilghost at packetmail.net <evilghost at packetmail.net> wrote:
> *BUMP*.
>
> Darren Spruell wrote:
> > Agreed, seems like they'll be fine.
> >
> > DS
> >
> > On Tue, Feb 2, 2010 at 11:34 AM, evilghost at packetmail.net wrote:
> >
> >> My vote - Try the Mike Cox signatures, if they false like the current Oficla is, then we revert to a PCRE with ordering and write multiple signatures to account for the ordering differences that Darren identified.
> >>
> >> These would be:
> >>
> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:2;)
> >>
> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)
> >>
> >>
> >>
> >> -evilghost
> >>
> >> Matt Jonkman wrote:
> >>
> >>> Great discussion! Can I ask for a final sig from the working group here then? :)
> >>>
> >>> Which will be the way to go? (sorry, I'm time-bandwidth limited this week so can't really hop in to slug it out for a few days)
> >>>
> >>> Matt
> >>>
> >>> On 2/1/10 2:49 PM, Mike Cox wrote:
> >>>
> >>>
> >>>> Whoops, I responded to the wrong thread. This should have been for the Oficla thread. Sorry about that.
> >>>>
> >>>> --Mike Cox
> >>>>
> >>>> On Mon, Feb 1, 2010 at 1:47 PM, Mike Cox wrote:
> >>>>
> >>>> I sent this last week but it never made it thru to the list (maybe it got spam filtered because of the link?).
> >>>> I am seeing FPs on strings like this (you will need to base64 decode it)
> >>>>
> >>>> Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAyX19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMmdj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29tLyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw==
> >>>>
> >>>> So I say we try no PCRE (yet) but use '&' on some of the parameters. We would only need two rules then:
> >>>>
> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:2;)
> >>>>
> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"id="; nocase; uricontent:"&v="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)
> >>>>
> >>>> -Mike Cox
> >>>>
> >>>>
> >>>> On Mon, Feb 1, 2010 at 12:59 PM, Darren Spruell wrote:
> >>>>
> >>>> ZeuS/Zbot config and dropzone URLs are all over the place and don't follow a standard convention (they're configurable on the server/builder side). You could argue that they're appropriate for current events detection at best, probably.
> >>>>
> >>>> Examples:
> >>>>
> >>>> https://zeustracker.abuse.ch/monitor.php?browse=configs
> >>>>
> >>>> DS.
> >>>>
> >>>> On Mon, Feb 1, 2010 at 11:30 AM, dn1nj4 <dn1nj4 at shadowserver.org> wrote:
> >>>> > After a thorough review of captures from another 40 Zbot samples this AM, I see two additional, consistent request types:
> >>>> >
> >>>> > GET /1cfg.bin HTTP/1.0
> >>>> > Accept: */*
> >>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
> >>>> > Host:
> >>>> > Pragma: no-cache
> >>>> >
> >>>> > GET /conf.sts HTTP/1.1
> >>>> > Accept: */*
> >>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
> >>>> > Host:
> >>>> > Pragma: no-cache
> >>>> >
> >>>> > And one outlier (only 1 sample that did this)...
> >>>> >
> >>>> > GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1
> >>>> > Accept: */*
> >>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
> >>>> > Host: www.rusibank.com
> >>>> > Pragma: no-cache
> >>>> >
> >>>> > The rule I'm running locally to catch everything I've seen thus far, minus the outlier:
> >>>> >
> >>>> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010999; rev:3;)
> >>>> >
> >>>> > Thoughts?
> >>>> >
> >>>> > dn1nj4
> >>>> >
> >>>> > On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 wrote:
> >>>> >> I just ran across another Zbot sample with the following header:
> >>>> >>
> >>>> >> GET /immagini/eg.bin HTTP/1.1
> >>>> >> Accept: */*
> >>>> >> Connection: Close
> >>>> >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> >>>> >> Host: www.ato5enna.it
> >>>> >> Pragma: no-cache
> >>>> >>
> >>>> >> Would it be better to drop the Win32 and add eg.bin to the pcre or create an entirely different signature? Also, classification should be classtype.
> >>>> >>
> >>>> >> dn1nj4
> >>>> >>
> >>>> >>> Date: Mon, 01 Feb 2010 06:47:43 -0800
> >>>> >>> From: dn1nj4
> >>>> >>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2
> >>>> >>> To:
> >>>> >>> Message-ID:
> >>>> >>> Content-Type: text/plain; charset="UTF-8"
> >>>> >>>
> >>>> >>> Thanks for the feedback.
> >>>> >>> Drawing on evilghost and Mike's recommendations:
> >>>> >>>
> >>>> >>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classification:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:3;)
> >>>> >
> >>>>
> >>>>
> >>>> --
> >>>> Darren Spruell
> >>>> phatbuckett at gmail.com
> >>>>
> >>>>
> >>>
> >>
> >>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100203/c65d61e3/attachment-0001.html

From mike.cox52 at gmail.com Wed Feb 3 14:35:20 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Wed, 3 Feb 2010 13:35:20 -0600
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <314cf0831002030714i7e4d2742see928b103ef240ae@mail.gmail.com>
References: <4B697203.6020101@googlemail.com>
	<6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com>
	<314cf0831002030714i7e4d2742see928b103ef240ae@mail.gmail.com>
Message-ID: <6116b9e21002031135r34822804pe9192872fd43a124@mail.gmail.com>

Well, since there is no 0xF0 value in 7 bit ASCII, that is going to be hard to do. Does the uricontent keyword support specifying binary in between pipes? Does the URI normalization remove non-printable characters?

-Mike Cox

On Wed, Feb 3, 2010 at 9:14 AM, Joel Esler wrote:
> No. Not sure what you are trying to do here, but... No.
>
> If you are trying to translate "%F0".
> The ASCII equiv, that's what you need to put in the content match, but |F0| is not correct.
>
> J
>
>
> On Wed, Feb 3, 2010 at 8:41 AM, Mike Cox wrote:
>
>> If you are doing a uricontent match, wouldn't it match against the normalized URI buffer so you would need to look for 'uricontent:"ms-its:|F0|:";' instead of 'uricontent:"ms-its:%F0:";'?
>>
>> -Mike Cox
>>
>>
>> On Wed, Feb 3, 2010 at 6:54 AM, Wolvee wrote:
>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE6 browser crash Attempt(ms-its:%F0:)"; flow:to_server,established; uricontent:"ms-its:%F0:"; nocase; classtype:web-application-attack; reference:url,www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6/; sid:xxxxxx; rev:1;)
>>>
>>>
>>> Thanks,
>>> Wolvee..
>>>
>>
>>
>
>
> --
> Joel Esler
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100203/9aa43de1/attachment.html

From chris.kniseley at regions.com Wed Feb 3 14:36:51 2010
From: chris.kniseley at regions.com (chris.kniseley@regions.com)
Date: Wed, 3 Feb 2010 13:36:51 -0600
Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign)
In-Reply-To: <6116b9e21002031034p7133d153q982eebe19a880f4c@mail.gmail.com>
References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org>
	<36702e30c36e38a974abb5d9d7556a48@shadowserver.org>
	<839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com>
	<6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com>
	<6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com>
	<4B686CFB.6000506@jonkmans.com>
	<4B687019.4020001@packetmail.net>
	<839aec701002021243p4a6e7c06h9d8807c07c392c1a@mail.gmail.com>
	<4B69A0D5.5010204@packetmail.net>
	<6116b9e21002031034p7133d153q982eebe19a880f4c@mail.gmail.com>
Message-ID:

Can we please commit the mike cox sig to the next rule update....

Thanks,
Chris

From: Mike Cox
To: "evilghost at packetmail.net"
Cc: "emerging-sigs at emergingthreats.net"
Date: 02/03/2010 12:34 PM
Subject: Re: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign)
Sent by: emerging-sigs-bounces at emergingthreats.net

*SET*

On Wed, Feb 3, 2010 at 10:14 AM, evilghost at packetmail.net <evilghost at packetmail.net> wrote:

*BUMP*.

Darren Spruell wrote:
> Agreed, seems like they'll be fine.
>
> DS
>
> On Tue, Feb 2, 2010 at 11:34 AM, evilghost at packetmail.net wrote:
>
>> My vote - Try the Mike Cox signatures, if they false like the current Oficla is, then we revert to a PCRE with ordering and write multiple signatures to account for the ordering differences that Darren identified.
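An added example, not code from the thread: a small Python emulation of the match logic in the two proposed Oficla check-in rules (content:"GET " with depth:4, the two negated header contents, and the position-independent uricontent tokens), run over constructed requests. The check-in paths, parameter values and host are made-up stand-ins that only reuse the rules' parameter names; the ad-click path is the base64 sample Mike posted, decoded; the "old" rule with bare parameter names is an assumed reconstruction of the variant the thread says was falsing. It shows the '&' prefix dropping that false positive, why the two parameter orderings need two rules, and that an ordering with b= first is covered by neither.

```python
"""Emulate the match logic of the proposed Oficla check-in rules.

Added example, not code from the thread. It models content:"GET " depth:4,
the two negated header contents and the unordered uricontent tokens of the
rules posted above; the URI is taken from the request line as-is (Snort
matches uricontent on its normalized URI buffer, which is not modelled here).
"""
import base64

# uricontent tokens of each rule, all matched nocase and position-independent.
RULES = {
    # assumed reconstruction: bare parameter names, no '&' (the variant that falsed)
    "old": (".php?", "v=", "id=", "b=", "tm="),
    # sid:2010743 rev:2 - 'v' is the first query parameter, the rest follow '&'
    "v_first": (".php?", "v=", "&id=", "&b=", "&tm="),
    # sid:2010xxx rev:1 - 'id' is the first query parameter
    "id_first": (".php?", "id=", "&v=", "&b=", "&tm="),
}

# content:!"|0d 0a|Referer\: " and content:!"|0d 0a|Accept-Encoding\: " (nocase)
NEGATED_CONTENT = ("\r\nreferer: ", "\r\naccept-encoding: ")

# Base64 string posted in the thread as the false-positive sample; it decodes
# to an ad-network click-tracking URL (leading host "foo.com" included).
FP_B64 = (
    "Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAy"
    "X19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4"
    "czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0"
    "dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMm"
    "dj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0"
    "X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29t"
    "LyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw=="
)


def request_uri(raw):
    """Return the request-target from the first line of a raw HTTP request."""
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def rule_matches(tokens, raw):
    """Apply one rule's content/uricontent constraints to a raw request."""
    payload = raw.lower()
    if payload[:4] != "get ":          # content:"GET "; nocase; depth:4
        return False
    if any(neg in payload for neg in NEGATED_CONTENT):
        return False                    # a negated content matched
    uri = request_uri(raw).lower()
    return all(tok.lower() in uri for tok in tokens)


def classify(raw):
    """Map rule name -> whether that rule would alert on this request."""
    return {name: rule_matches(tokens, raw) for name, tokens in RULES.items()}


def build_get(uri, extra_headers=()):
    """Constructed request with a placeholder host; no Referer or
    Accept-Encoding header unless passed in extra_headers."""
    lines = ["GET %s HTTP/1.1" % uri, "Host: placeholder.invalid",
             "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"]
    lines.extend(extra_headers)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed stand-ins reusing only the parameter names from the rules; the
# path, values and ordering are made up, not captured traffic.
CHECKIN_V_FIRST = build_get("/check.php?v=200&id=1234567&b=dhl01&tm=1")
CHECKIN_ID_FIRST = build_get("/check.php?id=1234567&v=200&b=dhl01&tm=1")
CHECKIN_B_FIRST = build_get("/check.php?b=dhl01&v=200&id=1234567&tm=1")
CHECKIN_WITH_REFERER = build_get(
    "/check.php?v=200&id=1234567&b=dhl01&tm=1",
    ["Referer: http://www.example.com/"])
# The decoded ad-click path from the thread, sent as a plain GET.
AD_CLICK_FP = build_get(
    "/" + base64.b64decode(FP_B64).decode("ascii").split("/", 1)[1])


if __name__ == "__main__":
    for label, req in [("check-in, v first", CHECKIN_V_FIRST),
                       ("check-in, id first", CHECKIN_ID_FIRST),
                       ("check-in, b first", CHECKIN_B_FIRST),
                       ("check-in with Referer", CHECKIN_WITH_REFERER),
                       ("ad-click false positive", AD_CLICK_FP)]:
        print("%-24s %s" % (label, classify(req)))
```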
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100203/431b8809/attachment-0001.html

From eslerj at gmail.com Wed Feb 3 15:44:40 2010
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 3 Feb 2010 15:44:40 -0500
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <6116b9e21002031135r34822804pe9192872fd43a124@mail.gmail.com>
References: <4B697203.6020101@googlemail.com>
	<6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com>
	<314cf0831002030714i7e4d2742see928b103ef240ae@mail.gmail.com>
	<6116b9e21002031135r34822804pe9192872fd43a124@mail.gmail.com>
Message-ID: <314cf0831002031244l42c7706es8c612f88cf5ad6fb@mail.gmail.com>

So, it's not an ASCII value. So the actual match is ON %F0. It's not unicode.

Does it specify supporting something binary between pipes? Yes.

URI normalization remove non-printable characters? Yes. Depending upon the normalization method.

J

On Wed, Feb 3, 2010 at 2:35 PM, Mike Cox wrote:
> Well, since there is no 0xF0 value in 7 bit ASCII, that is going to be hard to do. Does the uricontent keyword support specifying binary in between pipes? Does the URI normalization remove non-printable characters?
>
> -Mike Cox
>
>
> On Wed, Feb 3, 2010 at 9:14 AM, Joel Esler wrote:
>
>> No. Not sure what you are trying to do here, but... No.
>>
>> If you are trying to translate "%F0". The ASCII equiv, that's what you need to put in the content match, but |F0| is not correct.
>>
>> J
>>
>>
>> On Wed, Feb 3, 2010 at 8:41 AM, Mike Cox wrote:
>>
>>> If you are doing a uricontent match, wouldn't it match against the normalized URI buffer so you would need to look for 'uricontent:"ms-its:|F0|:";' instead of 'uricontent:"ms-its:%F0:";'?
>>>
>>> -Mike Cox
>>>
>>>
>>> On Wed, Feb 3, 2010 at 6:54 AM, Wolvee wrote:
>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE6 browser crash Attempt(ms-its:%F0:)"; flow:to_server,established; uricontent:"ms-its:%F0:"; nocase; classtype:web-application-attack; reference:url,www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6/; sid:xxxxxx; rev:1;)
>>>>
>>>>
>>>> Thanks,
>>>> Wolvee..
>>>>
>>>
>>>
>>
>>
>> --
>> Joel Esler
>>
>

--
Joel Esler

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100203/105412cb/attachment.html

From emerging at emergingthreats.net Wed Feb 3 16:00:14 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 3 Feb 2010 16:00:14 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100203210014.18B8845052@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Feb 3 16:00:14 2010 [***]

[+++] Added rules: [+++]

 2010756 - ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution (emerging-virus.rules)
 2010757 - ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set (emerging-web_client.rules)
 2010758 - ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt (emerging-web_client.rules)
 2010759 - ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt (emerging-exploit.rules)
 2010760 - ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt (emerging-web_client.rules)
 2010761 - ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt (emerging-web_specific_apps.rules)
 2010762 - ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt (emerging-web_specific_apps.rules)
 2010763 - ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt (emerging-web_specific_apps.rules)

[///] Modified active rules: [///]

 2001996 - ET USER_AGENTS UCMore Spyware Activity User Agent String (emerging-user_agents.rules)
 2009295 - ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) (emerging-user_agents.rules)
 2010381 - ET TROJAN Syrutrk/Gibon/Bredolab Checkin (emerging-virus.rules)
 2010458 - ET TROJAN Dropper Checkin - Likely Yahlover Worm (emerging-virus.rules)
 2010745 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt (emerging-web_specific_apps.rules)
 2010746 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt (emerging-web_specific_apps.rules)
 2010747 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt (emerging-web_specific_apps.rules)
 2010748 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt (emerging-web_specific_apps.rules)
 2010749 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt (emerging-web_specific_apps.rules)
 2010750 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010751 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010752 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010753 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010754 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010755 - ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt (emerging-dos.rules)

[---] Removed rules: [---]

 2008337 - ET TROJAN Win32.Small.dvs or Related DDOS Checkin (emerging-virus.rules)
 2010671 - ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-exploit.rules (1):
    #by kevin ross
 -> Added to emerging-sid-msg.map (21):
    2010381 || ET TROJAN Syrutrk/Gibon/Bredolab Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010381 || url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865 || url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A
    2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2010458
    2010745 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010745 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
    2010746 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010746 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
    2010747 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010747 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
    2010748 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010748 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
    2010749 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010749 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785
    2010750 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010750 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
    2010751 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010751 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
    2010752 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010752 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
    2010753 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010753 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
    2010754 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010754 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146
    2010755 || ET DOS IBM DB2 kuddb2 Remote Denial of Service
Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_DB2 || url,doc.emergingthreats.net/2010755 || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || url,www.securityfocus.com/bid/38018 2010756 || ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Sasfis || url,doc.emergingthreats.net/2010756 || url,www.fortiguard.com/analysis/sasfisanalysis.html 2010757 || ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC || url,doc.emergingthreats.net/2010757 2010758 || ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC || url,doc.emergingthreats.net/2010758 || url,www.securityfocus.com/bid/37832/info 2010759 || ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Xerox || url,doc.emergingthreats.net/2010759 || url,www.securityfocus.com/bid/38010 2010760 || ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Gracenote || url,doc.emergingthreats.net/2010760 || url,www.securityfocus.com/bid/37834 2010761 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010761 || url,www.securityfocus.com/bid/37843 2010762 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010762 || url,www.securityfocus.com/bid/37843 2010763 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site 
Request Forgery Ping UserCommand Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010763 || url,www.securityfocus.com/bid/37843 -> Added to emerging-sid-msg.map.txt (21): 2010381 || ET TROJAN Syrutrk/Gibon/Bredolab Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010381 || url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865 || url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2010458 2010745 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010745 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010746 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010746 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010747 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010747 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 
2010748 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010748 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010749 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010749 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010750 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010750 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010751 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010751 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010752 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010752 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010753 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010753 || 
url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010754 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010754 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010755 || ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_DB2 || url,doc.emergingthreats.net/2010755 || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || url,www.securityfocus.com/bid/38018 2010756 || ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Sasfis || url,doc.emergingthreats.net/2010756 || url,www.fortiguard.com/analysis/sasfisanalysis.html 2010757 || ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC || url,doc.emergingthreats.net/2010757 2010758 || ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC || url,doc.emergingthreats.net/2010758 || url,www.securityfocus.com/bid/37832/info 2010759 || ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Xerox || url,doc.emergingthreats.net/2010759 || url,www.securityfocus.com/bid/38010 2010760 || ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Gracenote || url,doc.emergingthreats.net/2010760 || url,www.securityfocus.com/bid/37834 2010761 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010761 || url,www.securityfocus.com/bid/37843 2010762 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010762 || url,www.securityfocus.com/bid/37843 2010763 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010763 || url,www.securityfocus.com/bid/37843 [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (35): 2008337 || ET TROJAN Win32.Small.dvs or Related DDOS Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Small.dvs || url,doc.emergingthreats.net/2008337 2010381 || ET TROJAN Bredolab Checkin || url,doc.emergingthreats.net/2010381 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,doc.emergingthreats.net/2010458 2010671 || ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010671 || url,www.securityfocus.com/bid/37802/info 2010745 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010746 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,osvdb.org/47794 || 
url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010747 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010748 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010749 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010750 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010751 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010752 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010753 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010754 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010755 || ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || 
url,www.securityfocus.com/bid/38018 2500860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (432) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (35): 2008337 || ET TROJAN Win32.Small.dvs or Related DDOS Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Small.dvs || url,doc.emergingthreats.net/2008337 2010381 || ET TROJAN Bredolab Checkin || url,doc.emergingthreats.net/2010381 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,doc.emergingthreats.net/2010458 2010671 || ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010671 || url,www.securityfocus.com/bid/37802/info 2010745 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt || url,osvdb.org/47794 || 
url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010746 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010747 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010748 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010749 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010750 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010751 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010752 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010753 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010754 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter 
UPDATE SET SQL Injection Attempt || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010755 || ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || url,www.securityfocus.com/bid/38018 2500860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510862 || 
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From jonkman at jonkmans.com Wed Feb 3 16:27:20 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 03 Feb 2010 16:27:20 -0500 Subject: [Emerging-Sigs] Proposed Signature - Oficla Check-In (DHLSPAM/Malware Campaign) In-Reply-To: References: <0523fea9bef8cd4530c378c1b906d8c0@shadowserver.org> <36702e30c36e38a974abb5d9d7556a48@shadowserver.org> <839aec701002011059m1a93efeal259f981d50358855@mail.gmail.com> <6116b9e21002011147m6db9bd9ftb0da6c18f82ae358@mail.gmail.com> <6116b9e21002011149h59dd7e0jed2a8ec468d245ff@mail.gmail.com> <4B686CFB.6000506@jonkmans.com> <4B687019.4020001@packetmail.net> <839aec701002021243p4a6e7c06h9d8807c07c392c1a@mail.gmail.com> <4B69A0D5.5010204@packetmail.net> <6116b9e21002031034p7133d153q982eebe19a880f4c@mail.gmail.com> Message-ID: 
<4B69EA38.8010905@jonkmans.com> Going in now, thanks all!!! Matt On 2/3/10 2:36 PM, chris.kniseley at regions.com wrote: > Can we please commit the mike cox sig to the next rule update.... > > Thanks, > Chris > > > From: Mike Cox > To: "evilghost at packetmail.net" > Cc: "emerging-sigs at emergingthreats.net" > > Date: 02/03/2010 12:34 PM > Subject: Re: [Emerging-Sigs] Proposed Signature - Oficla Check-In > (DHLSPAM/Malware Campaign) > Sent by: emerging-sigs-bounces at emergingthreats.net > > > ------------------------------------------------------------------------ > > > > *SET* > > On Wed, Feb 3, 2010 at 10:14 AM, _evilghost at packetmail.net_ > <_evilghost at packetmail.net_ > > wrote: > *BUMP*. > > Darren Spruell wrote: >> Agreed, seems like they'll be fine. >> >> DS >> >> On Tue, Feb 2, 2010 at 11:34 AM, _evilghost at packetmail.net_ > >> <_evilghost at packetmail.net_ > wrote: >> >>> My vote - Try the Mike Cox signatures, if they false like the current >>> Oficla is, then we revert to a PCRE with ordering and write multiple >>> signatures to account for the ordering differences that Darren > identified. 
>>> >>> These would be: >>> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Oficla Checkin"; >>> flow:established,to_server; content:"GET "; nocase; depth:4; >>> content:!"|0d 0a|Referer\: "; nocase; >>> content:!"|0d 0a|Accept-Encoding\: "; nocase; >>> uricontent:".php?"; nocase; >>> uricontent:"v="; nocase; uricontent:"&id="; nocase; >>> uricontent:"&b="; nocase; uricontent:"&tm="; nocase; >>> classtype:trojan-activity; >>> > reference:url,_www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c_ > ; >>> sid:2010743; rev:2;) >>> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Oficla Checkin"; >>> flow:established,to_server; content:"GET "; nocase; depth:4; >>> content:!"|0d 0a|Referer\: "; nocase; >>> content:!"|0d 0a|Accept-Encoding\: "; nocase; >>> uricontent:".php?"; nocase; >>> uricontent:"id="; nocase; uricontent:"&v="; nocase; >>> uricontent:"&b="; nocase; uricontent:"&tm="; nocase; >>> classtype:trojan-activity; >>> > reference:url,_www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c_ > ; >>> sid:2010xxx; rev:1;) >>> >>> >>> >>> -evilghost >>> >>> Matt Jonkman wrote: >>> >>>> Great discussion! Can I ask for a final sig from the working group here >>>> then? :) >>>> >>>> Which will be the way to go? (sorry, I'm time-bandwidth limited this >>>> week so can't really hop in to slug it out for a few days) >>>> >>>> Matt >>>> >>>> On 2/1/10 2:49 PM, Mike Cox wrote: >>>> >>>> >>>>> Whoops, I responded to the wrong thread. This should have been for the >>>>> Oficla thread. Sorry about that. >>>>> >>>>> --Mike Cox >>>>> >>>>> On Mon, Feb 1, 2010 at 1:47 PM, Mike Cox <_mike.cox52 at gmail.com_ > >>>>> >> wrote: >>>>> >>>>> I sent this last week but it never made it thru to the list (maybe >>>>> it got spam filtered because of the link?). 
I am seeing FPs on >>>>> strings like this (you will need to base64 decode it) >>>>> >>>>> > Zm9vLmNvbS9jay5waHA/b2FwYXJhbXM9Ml9fYmFubmVyaWQ9MTA0Nzc3X196b25laWQ9NTAyX19VVExDQT0xX19jYj1hNjIzOWZlZDVkX19iaz1reDB4eXhfX2lkPThsY2RzMXlvNTQ0Y3c4czAwa3M0MGNra29fX3B0bD0zNzRfX3B0bT0zNzRfX3B0bz0lM0QlM0RfX29hZGVzdD0kLGh0dHA6Ly93d3cuZXhhbXBsZS5jb20vLGh0dHA6Ly92YmFyLmNvbS9jZ2kvdnRjLmNnaT9tPTMmdj1jJmM9Mzg5MDYxOCZ6PTEyNj04bGNkczlhdDQ0NXR5OHMwMGtzNDBja2tvX19wdGw9Mzk0X19wdG09Mzk0X19wdG89JTNEJTNEX19vYWRlc3Q9JCxodHRwOi8vd3d3LmV4YW1wbGUuY29tLyxodHRwOi8vdG1udC5jb20vY2dpL3Z0Yy5jZ2klMw== >>>>> >>>>> So I say we try no PCRE (yet) but use '&' on some of the >>>>> parameters. We would only need two rules then: >>>>> >>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > TROJAN >>>>> Oficla Checkin"; flow:established,to_server; content:"GET "; > nocase; >>>>> depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d >>>>> 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; >>>>> uricontent:"v="; nocase; uricontent:"&id="; nocase; >>>>> uricontent:"&b="; nocase; uricontent:"&tm="; nocase; >>>>> classtype:trojan-activity; >>>>> > reference:url,_www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c_ > >>>>> > <_http://www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c_>; >>>>> sid:2010743; rev:2;) >>>>> >>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > TROJAN >>>>> Oficla Checkin"; flow:established,to_server; content:"GET "; > nocase; >>>>> depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d >>>>> 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; >>>>> uricontent:"id="; nocase; uricontent:"&v="; nocase; >>>>> uricontent:"&b="; nocase; uricontent:"&tm="; nocase; >>>>> classtype:trojan-activity; >>>>> > reference:url,_www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c_ > >>>>> > <_http://www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c_>; >>>>> sid:2010xxx; 
rev:1;) >>>>> >>>>> -Mike Cox >>>>> >>>>> >>>>> On Mon, Feb 1, 2010 at 12:59 PM, Darren Spruell >>>>> <_phatbuckett at gmail.com_ > >> wrote: >>>>> >>>>> ZeuS/Zbot config and dropzone URLs are all over the place > and don't >>>>> follow a standard convention (they're configurable on the >>>>> server/builder side). You could argue that they're > appropriate for >>>>> current events detection at best, probably. >>>>> >>>>> Examples: >>>>> >>>>> _https://zeustracker.abuse.ch/monitor.php?browse=configs_ >>>>> >>>>> DS. >>>>> >>>>> On Mon, Feb 1, 2010 at 11:30 AM, dn1nj4 > <_dn1nj4 at shadowserver.org_ >>>>> >> wrote: >>>>> > After a thorough review of captures from another 40 Zbot >>>>> samples this AM, I >>>>> > see two additional, consistent request types: >>>>> > >>>>> > GET /1cfg.bin HTTP/1.0 >>>>> > Accept: */* >>>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) >>>>> > Host: >>>>> > Pragma: no-cache >>>>> > >>>>> > GET /conf.sts HTTP/1.1 >>>>> > Accept: */* >>>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) >>>>> > Host: >>>>> > Pragma: no-cache >>>>> > >>>>> > And one outlier (only 1 sample that did this)... 
>>>>> >
>>>>> > GET /jfdgdfvvvvvvsdgf.bin HTTP/1.1
>>>>> > Accept: */*
>>>>> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
>>>>> > Host: www.rusibank.com
>>>>> > Pragma: no-cache
>>>>> >
>>>>> > The rule I'm running locally to catch everything I've seen thus far, minus
>>>>> > the outlier:
>>>>> >
>>>>> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>>> > Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d
>>>>> > 0a|Accept|3a| */*|0d 0a|"; content:!"|0d 0a|Referer|3a|";
>>>>> > pcre:"/\/(conf\.sts|eg\.bin|rec\.php|ip\.php|(\d)?c(on)?f(i)?g(\d)?\.bin)/";
>>>>> > classtype:trojan-activity;
>>>>> > reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/;
>>>>> > sid:2010999; rev:3;)
>>>>> >
>>>>> > Thoughts?
>>>>> >
>>>>> > dn1nj4
>>>>> >
>>>>> > On Mon, 01 Feb 2010 09:18:08 -0800, dn1nj4 <dn1nj4 at shadowserver.org> wrote:
>>>>> >> I just ran across another Zbot sample with the following header:
>>>>> >>
>>>>> >> GET /immagini/eg.bin HTTP/1.1
>>>>> >> Accept: */*
>>>>> >> Connection: Close
>>>>> >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>>>>> >> Host: www.ato5enna.it
>>>>> >> Pragma: no-cache
>>>>> >>
>>>>> >> Would it be better to drop the Win32 and add eg.bin to the pcre or create
>>>>> >> an entirely different signature? Also, classification should be classtype.
>>>>> >>
>>>>> >> dn1nj4
>>>>> >>
>>>>> >>> Date: Mon, 01 Feb 2010 06:47:43 -0800
>>>>> >>> From: dn1nj4 <dn1nj4 at shadowserver.org>
>>>>> >>> Subject: Re: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 2
>>>>> >>> To: <emerging-sigs at emergingthreats.net>
>>>>> >>> Message-ID: <d674e40a99ce7bad9e0286f5645c54c6 at shadowserver.org>
>>>>> >>> Content-Type: text/plain; charset="UTF-8"
>>>>> >>>
>>>>> >>> Thanks for the feedback. Drawing on evilghost and Mike's recommendations:
>>>>> >>>
>>>>> >>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>>> >>> Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d
>>>>> >>> 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d 0a|"; content:!"|0d 0a|Referer|3a|";
>>>>> >>> pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/";
>>>>> >>> classification:trojan-activity;
>>>>> >>> reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/;
>>>>> >>> sid:2010xxx; rev:3;)
>>>>> >
>>>>> > _______________________________________________
>>>>> > Emerging-sigs mailing list
>>>>> > Emerging-sigs at emergingthreats.net
>>>>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> >
>>>>> > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>>>>> > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>>>>>
>>>>> --
>>>>> Darren Spruell
>>>>> phatbuckett at gmail.com
>>>>>
--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Feb 3 16:35:25 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 16:35:25 -0500
Subject: [Emerging-Sigs] Fake AV download URI access
In-Reply-To:
References: <6116b9e20912220854p4c0e14c9sada81d329d88f806@mail.gmail.com> <4B316BC7.8020407@jonkmans.com> <1261604393.34379.36.camel@localhost> <6116b9e20912231407y55bf8ba9l72db28b2d148a75a@mail.gmail.com> <1261606352.34379.74.camel@localhost> <839aec701002021017n36e209f5pa8d45a9f9b0cac59@mail.gmail.com>
Message-ID: <4B69EC1D.5070205@jonkmans.com>

I agree. I don't think we have a good set of classifications for that in
the current config. It'd be nice to have more detail on malware.

Maybe we should propose a few new categories?

Possibly add:
infected-host
malware-download
exploit-download

Matt

On 2/3/10 1:16 PM, Chris Green wrote:
> I really like both and wish I had a good indicator in the rules on
> which is which.
>
> 1) The attack - I like seeing the fake requests though they aren't
> actionable by themselves. If I notice they are all isolated to one
> network, plop in the blacklist unless a user complains.
>
> 2) The Executable download - Same but I can generally send a warning
> to affected users
>
> 3) An active infection - This system is checking in with something and
> we need to run an incident response process for it.
>
> On Tue, Feb 2, 2010 at 12:17 PM, Darren Spruell wrote:
>
>> When I put 2010347 together I intentionally left 'hitin.php' out of
>> the picture because the fakeAVs have been a bit of a moving target and
>> I didn't want to risk FNs should the page names change or become
>> variable (as we've seen happen with a few HTTP C&C cases). If this
>> were to happen we'd be out detection if not flagging the
>> parameter-laden requests sans page name.
>>
>> That said, it's been my assumption that while the full scope of
>> requests handled by /hitin.php would not be picked up by 2010347 that
>> at some point in the infection chain every client will make that
>> request at least once, giving a reliable detection. My view has been
>> that it's not critical to pick up every request but rather flag on at
>> least a single reliable indicator per compromise.
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>>
>
>

From jonkman at jonkmans.com Wed Feb 3 16:58:48 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 16:58:48 -0500
Subject: [Emerging-Sigs] Updated Sig 2001669, was Strange GET - Requests
In-Reply-To: <4B6945CC.2030305@mare-system.de>
References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com> <1265142128.53439.56.camel@localhost> <9255886c1002021316j534457dbk9a8656e6aaed8d4f@mail.gmail.com> <4B6945CC.2030305@mare-system.de>
Message-ID: <4B69F198.1070900@jonkmans.com>

Unfortunately I think that'll cause us more issues. The average site uses
home_net for http_servers, and will generally run all of the web_servers
rules. So each site coming online will get massive false positives for all
of their proxies.

If I recall right we put it in policy to make it clear that it wasn't going
to apply everywhere, and it was optional (not related to an exploit or vuln).

As for removing the http, that scares me. Also makes the match string
shorter, which will be a performance negative.

I'd rather us keep the rule in policy, and split out to several to get other
types of protocols. If it's important to folks...

Matt

On 2/3/10 4:45 AM, mex wrote:
>
> yeah, right; I expected that in web_server.rules, not
> in policy; I usually don't load policy.rules.
>
> due to your and Frank's and others' suggestions I propose the following
> sig-update to cover this issue (and maybe place them in emerging-web_servers.rules??)
>
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET "; depth:4; content:"\://"; nocase; within:10; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001669; rev:8;)
>
>
> Rodrigo Montoro(Sp0oKeR) wrote:
>> We have this rule already for part of http request at least =)
>>
>

From jonkman at jonkmans.com Wed Feb 3 17:14:30 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 03 Feb 2010 17:14:30 -0500
Subject: [Emerging-Sigs] manda.php post/get sig
In-Reply-To: <839aec701002021618q6cf7e73bt169901c7aa42da2a@mail.gmail.com>
References: <716533b50806240920k1ca83c5fn69f456eef4f5cc2e@mail.gmail.com> <48613632.5050806@jonkmans.com> <839aec701002021618q6cf7e73bt169901c7aa42da2a@mail.gmail.com>
Message-ID: <4B69F546.5090607@jonkmans.com>

Wow, you really dragged out an email from the past! :)

Good updates, thanks Darren. Posting them now.

Matt

On 2/2/10 7:18 PM, Darren Spruell wrote:
> Reaching back here for some housework -
>
> These seem to have ended up in 2008324 and 2008325, labeled as
> Socks/Sality. The malware in question is called
> Zalupko/Koceph/Mandaph.
> It looks like /manda.php has been in use at
> least through late 2009 so it still seems like a useful indicator even
> if not always used. As there are still some instances (increasingly
> few) of the malware in ThreatExpert through late 2009 I figured it was
> worth keeping a lazy eye on.
>
> The most common URI pattern we had in logs was
> '/manda.php?id=[foo]&v=[bar]' so here's a new rule for review and
> updates to the two others:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Zalupko/Koceg/Mandaph manda.php Checkin"; flow:established,to_server;
> uricontent:"/manda.php?"; nocase; uricontent:"ns="; nocase;
> uricontent:"&id="; nocase; classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2;
> reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9;
> reference:url,doc.emergingthreats.net/2008324;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks;
> sid:2008324; rev:4;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Zalupko/Koceg/Mandaph HTTP Checkin"; flow:established,to_server;
> uricontent:".php?"; uricontent:"&v="; uricontent:"&s=";
> uricontent:"&cip="; uricontent:"&lid="; classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2;
> reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9;
> reference:url,doc.emergingthreats.net/2008325;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks;
> sid:2008325; rev:4;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server;
> uricontent:"/manda.php?"; uricontent:"id="; nocase; uricontent:"&v=";
> nocase; pcre:"/\/manda\.php\?id=(-)?\d{10}&v=[\w\.]+/U";
> classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2;
> reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9;
> sid:9999999; rev:1;)
>
> DS
>
> On Tue, Jun 24, 2008 at 11:00 AM, Matt Jonkman wrote:
>> Posting now, thanks Marcus!
>>
>> May end up merging one with an existing, will let you know.
>>
>> Matt
>>
>> Marcus wrote:
>>> re: 7596ec9308082edec613ac8d78ee4fe6
>>>
>>> in addition to sid 2008290
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan -
>>> manda.php POST"; flow:established,to_server; content:"POST"; depth:4;
>>> content:"manda.php"; content:"ns="; content:"&id="; nocase; sid:99999;
>>> rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN -
>>> manda.php GET"; flow:established,to_server; uricontent:"manda.php?";
>>> uricontent:"&v="; uricontent:"&s="; uricontent:"&cip=";
>>> uricontent:"&lid="; content:"|0d 0a|User-Agent\: _|0d 0a|";
>>> classtype:trojan-activity; sid:99998; rev:1;)
>>>
>>>
>>> Cheers,
>>> Marc
>>
>> --
>> Matt
>>
>
>

From david.glosser at gmail.com Wed Feb 3 17:16:24 2010
From: david.glosser at gmail.com (David Glosser)
Date: Wed, 3 Feb 2010 17:16:24 -0500
Subject: [Emerging-Sigs] Fake AV download URI access
In-Reply-To: <4B69EC1D.5070205@jonkmans.com>
References: <6116b9e20912220854p4c0e14c9sada81d329d88f806@mail.gmail.com> <4B316BC7.8020407@jonkmans.com> <1261604393.34379.36.camel@localhost> <6116b9e20912231407y55bf8ba9l72db28b2d148a75a@mail.gmail.com> <1261606352.34379.74.camel@localhost> <839aec701002021017n36e209f5pa8d45a9f9b0cac59@mail.gmail.com> <4B69EC1D.5070205@jonkmans.com>
Message-ID:

That sounds great... Big difference between a download attempt (which local
AV may hopefully block) and an already infected host...

On Wed, Feb 3, 2010 at 4:35 PM, Matt Jonkman wrote:
> I agree. I don't think we have a good set of classifications for that in
> the current config. It'd be nice to have more detail on malware.
>
> Maybe we should propose a few new categories?
>
> Possibly add:
> infected-host
> malware-download
> exploit-download
>
>
> Matt
>
> On 2/3/10 1:16 PM, Chris Green wrote:
>> I really like both and wish I had a good indicator in the rules on
>> which is which.
>>
>> 1) The attack - I like seeing the fake requests though they aren't
>> actionable by themselves. If I notice they are all isolated to one
>> network, plop in the blacklist unless a user complains.
>>
>> 2) The Executable download - Same but I can generally send a warning
>> to affected users
>>
>> 3) An active infection - This system is checking in with something and
>> we need to run an incident response process for it.
>>
>> On Tue, Feb 2, 2010 at 12:17 PM, Darren Spruell wrote:
>>
>>> When I put 2010347 together I intentionally left 'hitin.php' out of
>>> the picture because the fakeAVs have been a bit of a moving target and
>>> I didn't want to risk FNs should the page names change or become
>>> variable (as we've seen happen with a few HTTP C&C cases). If this
>>> were to happen we'd be out detection if not flagging the
>>> parameter-laden requests sans page name.
>>>
>>> That said, it's been my assumption that while the full scope of
>>> requests handled by /hitin.php would not be picked up by 2010347 that
>>> at some point in the infection chain every client will make that
>>> request at least once, giving a reliable detection. My view has been
>>> that it's not critical to pick up every request but rather flag on at
>>> least a single reliable indicator per compromise.
>>>
>>> --
>>> Darren Spruell
>>> phatbuckett at gmail.com
>>>
>>
>>
>
> Matt
>

From dn1nj4 at shadowserver.org Wed Feb 3 17:19:06 2010
From: dn1nj4 at shadowserver.org (dn1nj4)
Date: Wed, 03 Feb 2010 14:19:06 -0800
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 27, Issue 13
In-Reply-To:
References:
Message-ID: <543b6a42a4921b33c37eb04e9de36f32@shadowserver.org>

Unfortunately I am not the mail-server admin and have no insight into the
original email beyond what is captured by the bounce message. Looking at the
returned portion of the email, yes it was definitely spammy.

Beyond that, thoughts on the change to the sig?

dn1nj4

> Date: Tue, 2 Feb 2010 19:35:27 -0600
> From: "evilghost at packetmail.net"
> Subject: Re: [Emerging-Sigs] Proposed Mod: 2008411 "ET TROJAN LDPinch
>         SMTP Password Report with mail client The Bat!"
> Cc: "emerging-sigs at emergingthreats.net"
> Message-ID: <4B68D2DF.5000906 at packetmail.net>
> Content-Type: text/plain; charset="us-ascii"
>
> I saw this once as well and it was an Exchange SMTPd in a mail-loop.
> I'm curious, are you accepting mail for delivery and then generating
> bounce messages or are you SMTP 551 invalid recipients during the SMTP
> session?
>
> My question, why the bounce messages to begin with? I usually see "The
> Bat!" associated with programmatic delivery, often spam.
>
> Really curious not from an IDS perspective but more from the aspect of a
> mail-server admin.
>
> -evilghost
>
> dn1nj4 wrote:
>> I am getting a bunch of hits on this sig that appear to be the result of
>> undeliverable/bounce messages. The attachment in question is the text of
>> the bounced message. Recommend adding a filter for "|0d 0a|Subject:
>> Undeliverable:".
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN LDPinch SMTP
>> Password Report with mail client The Bat!"; flow:established,to_server;
>> content:"X-Mailer|3a| The Bat!"; content:"|0d 0a|Content-Disposition|3a|
>> attachment\;"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|";
>> classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008411;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PWS-LDPinch;
>> sid:2008411; rev:4;)
>>
>> Thoughts?
>>
>> dn1nj4

From phatbuckett at gmail.com Wed Feb 3 18:38:13 2010
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 3 Feb 2010 16:38:13 -0700
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
In-Reply-To: <20100203210014.18B8845052@goliath.jonkmans.com>
References: <20100203210014.18B8845052@goliath.jonkmans.com>
Message-ID: <839aec701002031538g12349bffs167af7d1ff1875ec@mail.gmail.com>

Sorry, very trivial - mod to drop "Bredolab" out of this sig message.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Syrutrk/Gibon Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010381; rev:5;)

DS

On Wed, Feb 3, 2010 at 2:00 PM, wrote:
>
> [***] Results from Oinkmaster started Wed Feb  3 16:00:14 2010 [***]
>
>  2010381 - ET TROJAN Syrutrk/Gibon/Bredolab Checkin (emerging-virus.rules)

--
Darren Spruell
phatbuckett at gmail.com

From wkitty42 at windstream.net Wed Feb 3 21:47:33 2010
From: wkitty42 at windstream.net (waldo kitty)
Date: Wed, 03 Feb 2010 21:47:33 -0500
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <6116b9e21002031135r34822804pe9192872fd43a124@mail.gmail.com>
References: <4B697203.6020101@googlemail.com> <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com> <314cf0831002030714i7e4d2742see928b103ef240ae@mail.gmail.com> <6116b9e21002031135r34822804pe9192872fd43a124@mail.gmail.com>
Message-ID: <4B6A3545.5080406@windstream.net>

On 2/3/2010 14:35, Mike Cox wrote:
> Well, since there is no 0xF0 value in 7 bit ASCII, that is going to be
> hard to do. Does the uricontent keyword support specifying binary in
> between pipes? Does the URI normalization remove non-printable characters?

why does it have to be 7bit ASCII?
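Mike Cox's point in the IE6 sig thread quoted above (a uricontent match runs against the normalized URI buffer, so a percent-encoded %F0 has to be written as the raw byte |F0|, while a plain content match against the raw payload would see the literal characters "%F0") can be checked with a small model. This is an added example, not code from the list or from Snort: normalize_uri is an assumption-level stand-in that covers only percent-decoding, which is the one step that matters for this question (as Joel Esler notes in the thread, what a real normalizer strips depends on the method configured), and the request URI is constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed request URI (not from the thread) carrying the percent-encoded
# byte %F0 that the draft IE6 sig looks for after "ms-its:".
RAW_URI = b"/page.html?src=ms-its:%F0:"


def normalize_uri(raw: bytes) -> bytes:
    """Assumption-level model of the URI normalization a uricontent match
    runs against: percent-escapes are decoded to their byte values.
    (A real HTTP inspector also handles directory traversal, repeated
    slashes and so on; only percent-decoding matters here.)"""
    return unquote_to_bytes(raw)


def contains(buffer: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """One content/uricontent test. bytes.lower() folds ASCII letters only,
    so the 0xF0 byte is compared as-is with or without nocase."""
    if nocase:
        return pattern.lower() in buffer.lower()
    return pattern in buffer


# What the two candidate uricontent strings denote as bytes:
#   uricontent:"ms-its:%F0:"  -> the three ASCII characters '%', 'F', '0'
#   uricontent:"ms-its:|F0|:" -> the single byte 0xF0 (pipe-hex notation)
LITERAL_PATTERN = b"ms-its:%F0:"
PIPE_HEX_PATTERN = b"ms-its:\xf0:"


def compare_buffers(raw_uri: bytes) -> dict:
    """Run both patterns against the raw payload and the normalized URI."""
    norm = normalize_uri(raw_uri)
    return {
        "raw+literal": contains(raw_uri, LITERAL_PATTERN),    # content:"...%F0..."
        "raw+pipehex": contains(raw_uri, PIPE_HEX_PATTERN),   # content:"...|F0|..."
        "norm+literal": contains(norm, LITERAL_PATTERN),      # uricontent:"...%F0..."
        "norm+pipehex": contains(norm, PIPE_HEX_PATTERN),     # uricontent:"...|F0|..."
    }


if __name__ == "__main__":
    for name, hit in compare_buffers(RAW_URI).items():
        print(f"{name:13s} {'match' if hit else 'no match'}")
```

Only the raw+literal and norm+pipehex combinations match: the draft sig's uricontent:"ms-its:%F0:" is looking for three characters that no longer exist in the buffer it is compared against.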
From wkitty42 at windstream.net Wed Feb 3 21:48:54 2010
From: wkitty42 at windstream.net (waldo kitty)
Date: Wed, 03 Feb 2010 21:48:54 -0500
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <314cf0831002031244l42c7706es8c612f88cf5ad6fb@mail.gmail.com>
References: <4B697203.6020101@googlemail.com> <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com> <314cf0831002030714i7e4d2742see928b103ef240ae@mail.gmail.com> <6116b9e21002031135r34822804pe9192872fd43a124@mail.gmail.com> <314cf0831002031244l42c7706es8c612f88cf5ad6fb@mail.gmail.com>
Message-ID: <4B6A3596.2000401@windstream.net>

On 2/3/2010 15:44, Joel Esler wrote:
> So, it's not an ASCII value. So the actual match is ON %F0. It's not
> unicode.
>
> Does it specify supporting something binary between pipes? Yes.
> URI normalization remove non-printable characters? Yes. Depending upon
> the normalization method.

is the URI normalization not 8bit capable?

> J
>
> On Wed, Feb 3, 2010 at 2:35 PM, Mike Cox wrote:
>
>     Well, since there is no 0xF0 value in 7 bit ASCII, that is going to
>     be hard to do. Does the uricontent keyword support specifying
>     binary in between pipes? Does the URI normalization remove
>     non-printable characters?

From wolvee.x at gmail.com Wed Feb 3 22:52:52 2010
From: wolvee.x at gmail.com (Wolvee)
Date: Thu, 04 Feb 2010 09:22:52 +0530
Subject: [Emerging-Sigs] IE6 sig
In-Reply-To: <4B6995CD.806@jonkmans.com>
References: <4B697203.6020101@googlemail.com> <6116b9e21002030541s36d97f3cy41418da741448cd8@mail.gmail.com> <9255886c1002030553s6502f980w29c4dc7a411b3253@mail.gmail.com> <4B6995CD.806@jonkmans.com>
Message-ID: <4B6A4494.20805@googlemail.com>

Ooops.. My bad..

Matt Jonkman wrote:
> Ya, this is a local thing, we shouldn't ever see it cross the network...
>
> Matt
>
> On 2/3/10 8:53 AM, Rodrigo Montoro(Sp0oKeR) wrote:
>
>> Looking to the post (
>> www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6 ) 2
>> situations that I figured out
>>
>> 1-) at URI it'll not generate network traffic since it seems to be
>> something local.
>>
>> 2-) maybe IF some embedded html with this code could cause DoS. I don't
>> have any IE6 for test.
>>
>> Regards,
>>
>>
>> On Wed, Feb 3, 2010 at 5:30 AM, rmkml wrote:
>>
>>> Hi Mike and Wolvee,
>>> thx for these sigs,
>>> but are you sure uricontent and flow_toserver are good for detecting IE DoS?
>>> Regards
>>> Rmkml
>>>
>>>
>>> On Wed, 3 Feb 2010, Mike Cox wrote:
>>>
>>>
>>>> If you are doing a uricontent match, wouldn't it match against the
>>>> normalized URI buffer so you would need to look for
>>>> 'uricontent:"ms-its:|F0|:";' instead of 'uricontent:"ms-its:%F0:";'?
>>>>
>>>> -Mike Cox
>>>>
>>>> On Wed, Feb 3, 2010 at 6:54 AM, Wolvee wrote:
>>>>
>>>>
>>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE6
>>>>> browser crash Attempt(ms-its:%F0:)"; flow:to_server,established;
>>>>> uricontent:"ms-its:%F0:"; nocase; classtype:web-application-attack;
>>>>> reference:url,www.krebsonsecurity.com/2010/02/another-way-to-ditch-ie6/;
>>>>> sid:xxxxxx; rev:1;)
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Wolvee..
>>>>>
>>
>

From mail at mare-system.de Thu Feb 4 03:21:18 2010
From: mail at mare-system.de (mex)
Date: Thu, 04 Feb 2010 09:21:18 +0100
Subject: [Emerging-Sigs] Strange GET - Requests
In-Reply-To: <4B682724.4090605@jonkmans.com>
References: <4B680F61.6070703@mare-system.de> <4B682724.4090605@jonkmans.com>
Message-ID: <4B6A837E.8060904@mare-system.de>

Looks like the UA is some kind of bot (open-proxy-scanner?). I have
connections from the same IP as mentioned on the links below; the UA seems
to be faked. Does this one need to get sigg'd?

http://stateofsecurity.com/?p=526
http://www.botsvsbrowsers.com/details/214715/index.html
http://www.botsvsbrowsers.com/ip/92.240.68.153/index.html
http://ulissesaraujo.wordpress.com/2009/01/23/http-attacks/

>
> That useragent on the sample is interesting. You know what it is?
>
> Matt
>

From kevross33 at googlemail.com Thu Feb 4 07:29:01 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 4 Feb 2010 12:29:01 +0000
Subject: [Emerging-Sigs] 4 new Sigs (including one for IE Dynamic Object Tag Information Disclosure 2010-0255)
Message-ID:

See inline comments. Also, can someone please read
www.coresecurity.com/content/internet-explorer-dynamic-object-tag to check I
have written the Microsoft Internet Explorer Dynamic Object Tag Information
Disclosure Attempt sig properly?
Thanks,
Kev

# New sigs

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt"; flow:established,to_client; content:"document.createElement"; nocase; content:"file|3A|//"; nocase; within:100; content:"text/html"; nocase; distance:0; content:"document.body.appendChild"; nocase; classtype:attempted-recon; reference:url, www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:cve,2010-0255; sid:1320001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/smhui/getuiinfo"; nocase; uricontent:"JS"; nocase; uricontent:"servercert="; nocase; pcre:"/servercert\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url, h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727; reference:cve,2009-4185; sid:1320002; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX WScript.Shell Function Call Attempt - Likely Hostile"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WScript.Shell"; nocase; distance:0; classtype:attempted-user; reference:url,msdn.microsoft.com/en-us/library/aew9yb99(VS.85).aspx; sid:1320003; rev:1;)

# Also you missed this sig for the initial call home of the sasfis botnet (I
# submitted this one and also one for the report back after executing the
# command instruction.)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet C&C Initial Checkin"; flow:established,to_server; uricontent:"/master/bb.php"; nocase; uricontent:"id="; nocase; uricontent:"v="; nocase; uricontent:"tm="; uricontent:"b="; nocase; pcre:"/\x2Fmaster\x2Fbb\x2Ephp.+b\x3B[0-9].+v\x3D[0-9]rm\x3D[0-9].+b\x3D/Ui"; classtype:trojan-activity; reference:url, www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330001; rev:1;)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100204/7ee22153/attachment.html

From spiffypickle at gmail.com Thu Feb 4 07:39:50 2010
From: spiffypickle at gmail.com (spiffy pickle)
Date: Thu, 4 Feb 2010 07:39:50 -0500
Subject: [Emerging-Sigs] Rule question
Message-ID:

Hi everyone,

I have a question regarding pcre and the depth, offset, distance, within
qualifiers. I can't seem to find any documentation pointing one way or the
other. Can you use those qualifiers with pcre? Does the pcre engine care
about where the content match pointer is pointing?

Much thanks,
SP

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100204/e45b5fdb/attachment.html

From kevross33 at googlemail.com Thu Feb 4 08:48:27 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 4 Feb 2010 13:48:27 +0000
Subject: [Emerging-Sigs] SIG: Updated version IE Dynamic Object Tag Information Disclosure CVE-2010-0255
Message-ID:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt"; flow:established,to_client; content:"file|3A|//127.0.0.1"; nocase; content:"text/html"; nocase; within:100; classtype:attempted-user; reference:url, www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,www.microsoft.com/technet/security/advisory/980088.mspx; reference:cve,2010-0255; sid:1320001; rev:1;)

OK, I have simplified the rule to the loopback access and the text/html
rendering. I have changed the classtype to attempted-user and added a
reference. I think this should be better. If you want, I have also updated
the sig below, but I am unsure how exploit specific that is; the top may be
more reliable.

Regards,
Kev

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt"; flow:established,to_client; content:"document.createElement"; nocase; content:"file|3A|//127.0.0.1"; nocase; within:100; content:"text/html"; nocase; distance:0; content:"document.body.appendChild"; nocase; classtype:attempted-user; reference:url, www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,www.microsoft.com/technet/security/advisory/980088.mspx; reference:cve,2010-0255; sid:1320001; rev:1;)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100204/7eb95911/attachment.html

From kevross33 at googlemail.com Thu Feb 4 09:43:00 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 4 Feb 2010 14:43:00 +0000
Subject: [Emerging-Sigs] another sig IE srcElement Remote Code Execution CVE-2010-0249
Message-ID:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer CVE-2010-0249 srcElement Remote Code Execution Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"|3B 22 22|"; within:5; content:"window.setInterval"; distance:0; nocase; classtype:attempted-user; reference:cve,2010-0249; sid:1320005; rev:1;)

These are the essential parts of the vulnerability.

Kev

-------------- next part --------------
An HTML attachment was scrubbed...
From kevross33 at googlemail.com Thu Feb 4 09:55:39 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 4 Feb 2010 14:55:39 +0000
Subject: [Emerging-Sigs] Sig error fix and all sigs in one email (disregard other emails)
Message-ID:

On the Internet Explorer CVE-2010-0249 srcElement Remote Code Execution Attempt sig I had a 3B (;) instead of a 3D (=). I fixed that. I have reposted all sigs here so they are in one email, so disregard the scattered sig emails.

Kev

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt"; flow:established,to_client; content:"file|3A|// 127.0.0.1/"; nocase; content:"text/html"; nocase; within:100; classtype:attempted-user; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,www.microsoft.com/technet/security/advisory/980088.mspx; reference:cve,2010-0255; sid:1320001; rev:1;)

OR THIS SIG

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt"; flow:established,to_client; content:"document.createElement"; nocase; content:"file|3A|//127.0.0.1"; nocase; within:100; content:"text/html"; nocase; distance:0; content:"document.body.appendChild"; nocase; classtype:attempted-user; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,www.microsoft.com/technet/security/advisory/980088.mspx; reference:cve,2010-0255; sid:1320001; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer CVE-2010-0249 srcElement Remote Code Execution Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"|3D 22 22|"; within:5; content:"window.setInterval"; distance:0; nocase; classtype:attempted-user; reference:cve,2010-0249; sid:1320005; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/smhui/getuiinfo"; nocase; uricontent:"JS"; nocase; uricontent:"servercert="; nocase; pcre:"/servercert\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727; reference:cve,2009-4185; sid:1320002; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX WScript.Shell Function Call Attempt - Likely Hostile"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WScript.Shell"; nocase; distance:0; classtype:attempted-user; reference:url,msdn.microsoft.com/en-us/library/aew9yb99(VS.85).aspx; sid:1320003; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet C&C Initial Checkin"; flow:established,to_server; uricontent:"/master/bb.php"; nocase; uricontent:"id="; nocase; uricontent:"v="; nocase; uricontent:"tm="; uricontent:"b="; nocase; pcre:"/\x2Fmaster\x2Fbb\x2Ephp.+b\x3B[0-9].+v\x3D[0-9]rm\x3D[0-9].+b\x3D/Ui"; classtype:trojan-activity; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330001; rev:1;)
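As an added example that is not part of this thread (and not ET's own tooling), a small Python checker for posted sigs: it decodes the |hex| runs in content matches, so a 3B typed for 3D is visible as ';' instead of '=', and applies the checks a reviewer applies to a sig before it goes into the set: only variables the sensor defines, a well-formed header, every option terminated, unique sids and no unescaped quote inside a pcre. KNOWN_VARS and the sample rules are assumptions, constructed for the example.

```python
"""Added example, not code from the list posting: a small checker for Snort 2.x
rules. The sample rules are constructed, modelled on sigs in this thread."""
import re

# Assumption: the variables this site's snort.conf defines; anything else fails to load.
KNOWN_VARS = {"$HOME_NET", "$EXTERNAL_NET", "$HTTP_PORTS", "$HTTP_SERVERS", "$SMTP_SERVERS"}
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]+)\|")                 # |3D 22 22| byte runs
_PCRE_OPT = re.compile(r'pcre:\s*!?"/(.*?)/[a-zA-Z]*"\s*;')  # pattern between the slashes

def _unescape(literal):
    """Snort escapes ';', '"' and backslash inside content with a backslash."""
    return re.sub(r"\\(.)", r"\1", literal).encode("latin-1")

def decode_content(text):
    """Bytes matched by a content string such as 'file|3A|// 127.0.0.1'."""
    out, pos = bytearray(), 0
    for m in _HEX_RUN.finditer(text):
        out += _unescape(text[pos:m.start()])
        out += bytes.fromhex(m.group(1))   # ValueError on an odd number of digits
        pos = m.end()
    return bytes(out + _unescape(text[pos:]))

def split_options(body):
    """Split an option body on ';' outside quotes; return (options, unterminated tail)."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep escape sequences intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return opts, "".join(cur).strip()

def lint_rule(rule, seen_sids):
    """Problems found in one rule; seen_sids carries sids across a rule set."""
    head, paren, rest = rule.partition("(")
    if not paren or not rest.rstrip().endswith(")"):
        return ["option body not enclosed in parentheses"]
    tokens, problems = head.split(), []
    if len(tokens) != 7 or tokens[4] not in ("->", "<>"):
        problems.append("header must be 'action proto src sport -> dst dport', "
                        "got %d tokens" % len(tokens))
    problems += ["undefined variable " + t for t in tokens
                 if t.startswith("$") and t not in KNOWN_VARS]
    for m in _PCRE_OPT.finditer(rest):
        if re.search(r'(?<!\\)"', m.group(1)):   # a quote not written as \"
            problems.append("unescaped quote inside pcre")
    opts, tail = split_options(rest.rstrip()[:-1])
    if tail:
        problems.append("option not terminated by ';': " + tail[:40])
    for opt in opts:
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            if val in seen_sids:
                problems.append("sid %s already used by another rule" % val)
            seen_sids.add(val)
        elif key in ("content", "uricontent"):
            try:
                decode_content(val.lstrip("!").strip('"'))
            except ValueError:
                problems.append("bad |hex| run in " + opt)
    return problems

def lint_rules(rules):
    """Lint a rule set; returns {index: [problems]} for the rules with findings."""
    seen, report = set(), {}
    for i, rule in enumerate(rules):
        found = lint_rule(rule, seen)
        if found:
            report[i] = found
    return report

SAMPLE_RULES = [  # constructed, not the thread's own sigs
    # 0: clean; modelled on the CVE-2010-0249 srcElement sig after the 3B -> 3D fix
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST srcElement"; '
    'flow:established,to_client; content:"document.createEventObject"; nocase; '
    'content:".innerHTML"; within:100; nocase; content:"|3D 22 22|"; within:5; '
    'classtype:attempted-user; sid:9000001; rev:1;)',
    # 1: undefined variable and a stray extra header token
    'alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"TEST download"; '
    'flow:established,to_server; content:"|0d 0a|Host\\: example.invalid|0d 0a|"; '
    'nocase; classtype:policy-violation; sid:9000002; rev:1;)',
    # 2: unescaped quote inside the pcre, the slip noted on the DHL attachment sig
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"TEST attachment"; '
    'flow:established,to_server; content:"filename"; sid:9000003; rev:1; '
    'pcre:"/filename\\s*=\\s*"DHL_.....\\.zip/m"; classtype:trojan-activity;)',
    # 3: reuses sid 9000002 and has an odd-length hex run
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST dup sid"; '
    'flow:established,to_server; content:"|3D 2|"; sid:9000002; rev:1;)',
]
```

Run `lint_rules(SAMPLE_RULES)` to see the findings per rule; `decode_content('|3B 22 22|')` versus `decode_content('|3D 22 22|')` shows the byte the fix above changed.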
From mm at mare-system.de Thu Feb 4 10:41:55 2010
From: mm at mare-system.de (Markus Manzke)
Date: Thu, 04 Feb 2010 16:41:55 +0100
Subject: [Emerging-Sigs] 2 Policy-Sigs and 2 Sigs for Open-Proxy Scanners
Message-ID: <4B6AEAC3.4010809@mare-system.de>

The first two might be deactivated by default, like the other GET/POST/HEAD proxy rules in emerging-policy.

# HTTP-TRACE Request
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER POLICY Proxy TRACE Request - inbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; classtype: bad-unknown; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid:16000057; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB_SERVER POLICY TRACE Request - outbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; classtype: bad-unknown; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid:16000058; rev:8;)

# Proxy-Scanner - 1
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Open-Proxy ScannerBot (proxyjudge) "; flow:established,to_server; content:"GET http\://proxyjudge1.proxyfire.net/fastenv"; depth:46; classtype:bad-unknown; sid:11220061; rev:1;)

# Proxy-Scanner - 2
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) "; flow:established,to_server; content:"|0d 0a|User-Agent|3a| webcollage/1.135a"; nocase; classtype:bad-unknown; reference:url,stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; sid:11220062; rev:1;)

From jonkman at jonkmans.com Thu Feb 4 10:50:38 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 04 Feb 2010 10:50:38 -0500
Subject: [Emerging-Sigs] Inbound Bad Email Attachments
In-Reply-To:
References:
Message-ID: <4B6AECCE.3080306@jonkmans.com>

Hey Jason!

The modifications to the sig below are good. (Missed escaping a quote in the pcre, but that's minor.) Normally we'd want to avoid making a content match smaller, but in this case it's pretty specific, so I think it'll be fine.

But overall, striving to get more into fewer sigs isn't good for performance. I think Joel can probably comment more there, but don't think consolidation for performance. Five simple rules will nearly always be more efficient than one complex rule.

I'll get the below in!

Thanks

Matt

On 2/2/10 12:11 PM, Weir, Jason wrote:
> Couple updates to the DHL sig (2010148) and 2 new ones I started seeing
> this morning
>
> DHL_document_Nr17124.zip
> DHL_Label_97c78.zip
> Invitation Card.zip
> Shipping documents.zip
>
> Would the sig below work for the DHL attachments - 2010148 - working on
> my sig skills, basically changed the pcre from
>
> pcre:"/filename\s*=\s*"DHL_(package_label_|print_label_).....\.zip/m";
>
> to
>
> pcre:"/filename\s*=\s*"DHL_(Label_|document_|package_label_|print_label_)(.....|.......)\.zip/m";
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"DHL_"; within:50; pcre:"/filename\s*=\s*"DHL_(Label_|document_|package_label_|print_label_)(.....|.......)\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010148; rev:5;)
>
> Two new ones - not sure how to incorporate both of those in 1 sig and
> still use content match.. School me..
>
> Jason
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Feb 4 10:51:36 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 04 Feb 2010 10:51:36 -0500
Subject: [Emerging-Sigs] Inbound Bad Email Attachments
In-Reply-To:
References:
Message-ID: <4B6AED08.3000003@jonkmans.com>

Oh, the original sig didn't have the quote escaped, my bad. Wasn't you!
:)

Matt

On 2/2/10 12:11 PM, Weir, Jason wrote:
> Couple updates to the DHL sig (2010148) and 2 new ones I started seeing
> this morning
>
> DHL_document_Nr17124.zip
> DHL_Label_97c78.zip
> Invitation Card.zip
> Shipping documents.zip
>
> Would the sig below work for the DHL attachments - 2010148 - working on
> my sig skills, basically changed the pcre from
>
> pcre:"/filename\s*=\s*"DHL_(package_label_|print_label_).....\.zip/m";
>
> to
>
> pcre:"/filename\s*=\s*"DHL_(Label_|document_|package_label_|print_label_)(.....|.......)\.zip/m";
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"DHL_"; within:50; pcre:"/filename\s*=\s*"DHL_(Label_|document_|package_label_|print_label_)(.....|.......)\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010148; rev:5;)
>
> Two new ones - not sure how to incorporate both of those in 1 sig and
> still use content match.. School me..
>
> Jason

From jonkman at jonkmans.com Thu Feb 4 10:55:50 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 04 Feb 2010 10:55:50 -0500
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
In-Reply-To: <839aec701002031538g12349bffs167af7d1ff1875ec@mail.gmail.com>
References: <20100203210014.18B8845052@goliath.jonkmans.com> <839aec701002031538g12349bffs167af7d1ff1875ec@mail.gmail.com>
Message-ID: <4B6AEE06.8030804@jonkmans.com>

I was leaving that in there just for the link to the previous research. I have samples in the sandnet that are reported by AV to be all 3 for the same binary. If it's not a big thing, I think keeping Bredolab in there will help folks track things down. I'm flexible though if you think it'll cause more confusion than help.

Matt

On 2/3/10 6:38 PM, Darren Spruell wrote:
> Sorry, very trivial - mod to drop "Bredolab" out of this sig message.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Syrutrk/Gibon Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010381; rev:5;)
>
> DS
>
> On Wed, Feb 3, 2010 at 2:00 PM, wrote:
>>
>> [***] Results from Oinkmaster started Wed Feb 3 16:00:14 2010 [***]
>>
>> 2010381 - ET TROJAN Syrutrk/Gibon/Bredolab Checkin (emerging-virus.rules)
>

From jonkman at jonkmans.com Thu Feb 4 11:14:59 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 04 Feb 2010 11:14:59 -0500
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
Message-ID: <4B6AF283.8000706@jonkmans.com>

Jared Braverman of Secnap Security sent in a large list of download rules for common and hostile security tools.

I wanted to run them by the group for review. I'll be getting them tuned up and into the policy set, but disabled by default. Comments or tweaks please!
#by Jared Braverman, Secnap Network Security

#NESSUS
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Nessus"; flow:established,to_server; content:"|0d 0a|Host\: nessus.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

#NMAP
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Nmap"; flow:established,to_server; content:"|0d 0a|Host\: nmap.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

#WIRESHARK
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Wireshark"; flow:established,to_server; content:"|0d 0a|Host\: wireshark.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# RAPID 7 NEXPOSE
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Rapid 7 Nexpose"; flow:established,to_server; content:"|0d 0a|Host\: rapid7.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# KISMET
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Kismet"; flow:established,to_server; content:"|0d 0a|Host\: kismetwireless.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# JOHN THE RIPPER
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD John The Ripper"; flow:established,to_server; content:"|0d 0a|Host\: openwall.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# ETTERCAP
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Ettercap"; flow:established,to_server; content:"|0d 0a|Host\: ettercap.sourceforge.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# NIKTO
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Nikto"; flow:established,to_server; content:"|0d 0a|Host\: cirt.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# THC AMAP / HYDRA ETC.
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD THC Amap / Hydra etc"; flow:established,to_server; content:"|0d 0a|Host\: freeworld.thc.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# PAROS PROXY
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Paros Proxy"; flow:established,to_server; content:"|0d 0a|Host\: parosproxy.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# DSNIFF / FRAGROUTER
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Dsniff or Fragrouter etc"; flow:established,to_server; content:"|0d 0a|Host\: monkey.org/~dugsong|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# NETSTUMBLER
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Netstumbler"; flow:established,to_server; content:"|0d 0a|Host\: stumbler.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# AIRCRACK
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Aircrack"; flow:established,to_server; content:"|0d 0a|Host\: aircrack-ng.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# SCAPY
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Scapy"; flow:established,to_server; content:"|0d 0a|Host\: secdev.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# YERSINIA
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Yersinia"; flow:established,to_server; content:"|0d 0a|Host\: yersinia.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# SUPERSCAN
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Foundstone Superscan etc"; flow:established,to_server; content:"|0d 0a|Host\: foundstone.com/us/resources-free-tools.asp|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# LCP
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD LCP"; flow:established,to_server; content:"|0d 0a|Host\: lcpsoft.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# HPING
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Hping"; flow:established,to_server; content:"|0d 0a|Host\: hping.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# AIRSNORT
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Airsnort"; flow:established,to_server; content:"|0d 0a|Host\: airsnort.shmoo.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# BACKTRACK
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Backtrack"; flow:established,to_server; content:"|0d 0a|Host\: remote-exploit.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# P0F
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD P0F"; flow:established,to_server; content:"|0d 0a|Host\: lcamtuf.coredump.cx/p0f.shtml|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# GOOLAG
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Goolag"; flow:established,to_server; content:"|0d 0a|Host\: goolag.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# WEBSCARAB
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Webscarab"; flow:established,to_server; content:"|0d 0a|Host\: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# BURP SUITE
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Burp Suite"; flow:established,to_server; content:"|0d 0a|Host\: portswigger.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# RAT PROXY
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Rat Proxy"; flow:established,to_server; content:"|0d 0a|Host\: code.google.com/p/ratproxy/downloads/list|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# PROXMON
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD ProxMon"; flow:established,to_server; content:"|0d 0a|Host\: isecpartners.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# PANTERA
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Pantera"; flow:established,to_server; content:"|0d 0a|Host\: http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# RARCRACK
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD RarCrack"; flow:established,to_server; content:"|0d 0a|Host\: sourceforge.net/projects/rarcrack|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# NBTSCAN
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD NBTscan"; flow:established,to_server; content:"|0d 0a|Host\: inetcat.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# XPROBE2
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Xprobe2"; flow:established,to_server; content:"|0d 0a|Host\: ofirarkin.wordpress.com/xprobe|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# SOLARWINDS
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD SolarWinds"; flow:established,to_server; content:"|0d 0a|Host\: solarwinds.com/downloads|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# PWDUMP
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD PWdump"; flow:established,to_server; content:"|0d 0a|Host\: swamp.foofus.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# W3AF
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD W3AF"; flow:established,to_server; content:"|0d 0a|Host\: w3af.sourceforge.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# RAINBOWCRACK
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD RainbowCrack"; flow:established,to_server; content:"|0d 0a|Host\: project-rainbowcrack.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# ANGRY IP SCANNER
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Angry IP Scanner"; flow:established,to_server; content:"|0d 0a|Host\: angryip.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# IKE SCAN
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Ike Scan"; flow:established,to_server; content:"|0d 0a|Host\: nta-monitor.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# KISMAC
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Kismac"; flow:established,to_server; content:"|0d 0a|Host\: kismac-ng.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# OPEN-BSD PF
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD OpenBSD PF"; flow:established,to_server; content:"|0d 0a|Host\: Benzedrine.cx|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# NEMESIS
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Nemesis"; flow:established,to_server; content:"|0d 0a|Host\: nemesis.sourceforge.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# KNOPPIX
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Knoppix"; flow:established,to_server; content:"|0d 0a|Host\: knoppix.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# SPIKE PROXY
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Spike Proxy"; flow:established,to_server; content:"|0d 0a|Host\: immunitysec.com/resources-freesoftware.shtml|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# X SCAN
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD X Scan"; flow:established,to_server; content:"|0d 0a|Host\: xfocus.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# WHISKER
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Whisker"; flow:established,to_server; content:"|0d 0a|Host\: wiretrip.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
# THESE SOFTWARE DEVELOPERS HAVE SEVERAL APPS, BUT WHISKER / LIBWHISKER IS THE MOST WELL KNOWN

# SARA
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD SARA"; flow:established,to_server; content:"|0d 0a|Host\: www-arc.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# CHEOPS
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Cheops"; flow:established,to_server; content:"|0d 0a|Host\: cheops-ng.sourceforge.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# BRUTUS
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Brutus"; flow:established,to_server; content:"|0d 0a|Host\: hoobie.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# UNICORNSCAN
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD UnicornScan"; flow:established,to_server; content:"|0d 0a|Host\: unicornscan.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# S TUNNEL
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD S Tunnel"; flow:established,to_server; content:"|0d 0a|Host\: stunnel.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# HONEYD
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD HoneyD"; flow:established,to_server; content:"|0d 0a|Host\: honeyd.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
# NOTE - you can download this app from either HONEYD.ORG or CITI.UMICH.EDU/U/PROVOS/HONEYD - SO HOW WOULD YOU MAKE THE SIG ALERT FOR EITHER URL?

# WIKTO
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Wikto"; flow:established,to_server; content:"|0d 0a|Host\: sensepost.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# SAINT
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Saint"; flow:established,to_server; content:"|0d 0a|Host\: saintcorporation.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# N-STEALTH
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD N-Stealth"; flow:established,to_server; content:"|0d 0a|Host\: nstalker.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

# ABSINTHE
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Absinthe"; flow:established,to_server; content:"|0d 0a|Host\: 0x90.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

From kevross33 at googlemail.com Thu Feb 4 11:23:20 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 4 Feb 2010 16:23:20 +0000
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
In-Reply-To: <4B6AF283.8000706@jonkmans.com>
References: <4B6AF283.8000706@jonkmans.com>
Message-ID:

Perhaps in policy, but $HOME_NEW needs to be changed to $HOME_NET. Also a uricontent match would help performance.
These could be useful for some organisations to have in policy but disabled by default, though there are a lot more tools than this list, and to list them all would be a task in itself.

On 4 February 2010 16:14, Matt Jonkman wrote:
> Jared Braverman of Secnap Security sent in a large list of download
> rules for common and hostile security tools.
>
> I wanted to run them by the group for review. I'll be getting them tuned
> up and into the policy set, but disabled by default. Comments or tweaks
> please!
>
> #by Jared Braverman, Secnap Network Security
>
> #NESSUS
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Nessus"; flow:established,to_server; content:"|0d 0a|Host\: nessus.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> #NMAP
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Nmap"; flow:established,to_server; content:"|0d 0a|Host\: nmap.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> #WIRESHARK
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Wireshark"; flow:established,to_server; content:"|0d 0a|Host\: wireshark.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # RAPID 7 NEXPOSE
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Rapid 7 Nexpose"; flow:established,to_server; content:"|0d 0a|Host\: rapid7.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # KISMET
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Kismet"; flow:established,to_server; content:"|0d 0a|Host\: kismetwireless.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # JOHN THE RIPPER
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD John The Ripper"; flow:established,to_server; content:"|0d 0a|Host\: openwall.com|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # ETTERCAP
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Ettercap"; flow:established,to_server; content:"|0d 0a|Host\: ettercap.sourceforge.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # NIKTO
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Nikto"; flow:established,to_server; content:"|0d 0a|Host\: cirt.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # THC AMAP / HYDRA ETC.
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD THC Amap / Hydra etc"; flow:established,to_server; content:"|0d 0a|Host\: freeworld.thc.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # PAROS PROXY
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Paros Proxy"; flow:established,to_server; content:"|0d 0a|Host\: parosproxy.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # DSNIFF / FRAGROUTER
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Dsniff or Fragrouter etc"; flow:established,to_server; content:"|0d 0a|Host\: monkey.org/~dugsong|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # NETSTUMBLER
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Netstumbler"; flow:established,to_server; content:"|0d 0a|Host\: stumbler.net|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # AIRCRACK
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Aircrack"; flow:established,to_server; content:"|0d 0a|Host\: aircrack-ng.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # SCAPY
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Scapy"; flow:established,to_server; content:"|0d 0a|Host\: secdev.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> # YERSINIA
> alert tcp
$HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Yersinia"; flow:established,to_server; > content:"|0d 0a|Host\: yersinia.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # SUPERSCAN > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Foundstone Superscan etc"; > flow:established,to_server; content:"|0d 0a|Host\: > foundstone.com/us/resources-free-tools.asp|0d0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # LCP > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD LCP"; flow:established,to_server; content:"|0d > 0a|Host\: lcpsoft.com|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # HPING > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Hping"; flow:established,to_server; content:"|0d > 0a|Host\: hping.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # AIRSNORT > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Airsnort"; flow:established,to_server; > content:"|0d 0a|Host\: airsnort.shmoo.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # BACKTRACK > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Backtrack"; flow:established,to_server; > content:"|0d 0a|Host\: remote-exploit.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # P0F > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any 
(msg:"ET > SECURITY TOOL DOWNLOAD P0F"; flow:established,to_server; content:"|0d > 0a|Host\: lcamtuf.coredump.cx/p0f.shtml|0d0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # GOOLAG > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Goolag"; flow:established,to_server; content:"|0d > 0a|Host\: goolag.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # WEBSCARAB > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Webscarab"; flow:established,to_server; > content:"|0d 0a|Host\: > http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project|0d0a|"; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # BURP SUITE > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Burp Suite"; flow:established,to_server; > content:"|0d 0a|Host\: portswigger.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RAT PROXY > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Rat Proxy"; flow:established,to_server; > content:"|0d 0a|Host\: code.google.com/p/ratproxy/downloads/list|0d > 0a| "; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PROXMON > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD ProxMon"; flow:established,to_server; > content:"|0d 0a|Host\: isecpartners.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PANTERA > > alert tcp $HOME_NEW 
any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Pantera"; flow:established,to_server; > content:"|0d 0a|Host\: > http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Stu > dio_Project|0d0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RARCRACK > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD RarCrack"; flow:established,to_server; > content:"|0d 0a|Host\: sourceforge.net/projects/rarcrack|0d0a|"; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # NBTSCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD NBTscan"; flow:established,to_server; > content:"|0d 0a|Host\: inetcat.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # XPROBE2 > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Xprobe2"; flow:established,to_server; > content:"|0d 0a|Host\: ofirarkin.wordpress.com/xprobe|0d0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SOLARWINDS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD SolarWinds"; flow:established,to_server; > content:"|0d 0a|Host\: solarwinds.com/downloads|0d0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PWDUMP > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD PWdump"; flow:established,to_server; content:"|0d > 0a|Host\: swamp.foofus.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; 
sid:3466789; > rev:1;) > > > # W3AF > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD W3AF"; flow:established,to_server; content:"|0d > 0a|Host\: w3af.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RAINBOWCRACK > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD RainbowCrack"; flow:established,to_server; > content:"|0d 0a|Host\: project-rainbowcrack.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # ANGRY IP SCANNER > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Angry IP Scanner"; flow:established,to_server; > content:"|0d 0a|Host\: angryip.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # IKE SCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Ike Scan"; flow:established,to_server; > content:"|0d 0a|Host\: nta-monitor.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # KISMAC > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Kismac"; flow:established,to_server; content:"|0d > 0a|Host\: kismac-ng.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # OPEN-BSD PF > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD OpenBSD PF"; flow:established,to_server; > content:"|0d 0a|Host\: Benzedrine.cx|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > 
rev:1;) > > > # NEMESIS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nemesis"; flow:established,to_server; > content:"|0d 0a|Host\: nemesis.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # KNOPPIX > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Knoppix"; flow:established,to_server; > content:"|0d 0a|Host\: knoppix.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SPIKE PROXY > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Spike Proxy"; flow:established,to_server; > content:"|0d 0a|Host\: immunitysec.com/resources-freesoftware.shtml|0d > 0a| "; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # X SCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD X Scan"; flow:established,to_server; content:"|0d > 0a|Host\: xfocus.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # WHISKER > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Whisker"; flow:established,to_server; > content:"|0d 0a|Host\: wiretrip.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # THESE SOFTWARE DEVELOPERS HAVE SEVERAL APPS, BUT WHISKER / LIBWHISKER > IS THE MOST WELL KNOWN > > > > # SARA > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD SARA"; flow:established,to_server; content:"|0d > 0a|Host\: www-arc.com|0d 0a|"; nocase; classtype:security-tool-download; 
> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # CHEOPS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Cheops"; flow:established,to_server; content:"|0d > 0a|Host\: cheops-ng.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # BRUTUS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Brutus"; flow:established,to_server; content:"|0d > 0a|Host\: hoobie.net|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # UNICORNSCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD UnicornScan"; flow:established,to_server; > content:"|0d 0a|Host\: unicornscan.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # S TUNNEL > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD S Tunnel"; flow:established,to_server; > content:"|0d 0a|Host\: stunnel.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # HONEYD > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD HoneyD"; flow:established,to_server; content:"|0d > 0a|Host\: honeyd.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # NOTE - you can download this app from either HONEYD.ORG or > CITI.UMICH.EDU/U/PROVOS/HONEYD - SO HOW WOULD YOU MAKE THE SIG > ALERT FOR EITHER URL? 
> > > > # WIKTO > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Wikto"; flow:established,to_server; content:"|0d > 0a|Host\: sensepost.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SAINT > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Saint"; flow:established,to_server; content:"|0d > 0a|Host\: saintcorporation.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # N-STEALTH > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD N-Stealth"; flow:established,to_server; > content:"|0d 0a|Host\: nstalker.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # ABSINTHE > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Absinthe"; flow:established,to_server; > content:"|0d 0a|Host\: 0x90.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > -- > > ---------------------------------------------------- > Matthew Jonkman > Emerging Threats > Open Information Security Foundation (OISF) > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > http://www.openinfosecfoundation.org > ---------------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! 
> Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

From jonkman at jonkmans.com Thu Feb 4 11:25:27 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 04 Feb 2010 11:25:27 -0500
Subject: [Emerging-Sigs] 2 Policy-Sigs and 2 Sigs for Open-Proxy Scanners
In-Reply-To: <4B6AEAC3.4010809@mare-system.de>
References: <4B6AEAC3.4010809@mare-system.de>
Message-ID: <4B6AF4F7.1020407@jonkmans.com>

On 2/4/10 10:41 AM, Markus Manzke wrote:
>
> # HTTP-TRACE Request
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER POLICY Proxy TRACE Request - inbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; classtype: bad-unknown; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid:16000057; rev:8;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB_SERVER POLICY TRACE Request - outbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; classtype: bad-unknown; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid:16000058; rev:8;)

Posting these, good idea Markus!

>
> # Proxy-Scanner - 1
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Open-Proxy ScannerBot (proxyjudge) "; flow:established,to_server; content:"GET http\://proxyjudge1.proxyfire.net/fastenv"; depth:46; classtype:bad-unknown; sid:11220061; rev:1;)
>

This is just one of thousands of proxy judges. Is there something special about this one?
>
> # Proxy-Scanner - 2
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) "; flow:established,to_server; content:"|0d 0a|User-Agent|3a| webcollage/1.135a"; nocase; classtype:bad-unknown; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; sid:11220062; rev:1;)
>

Posting this, good find!

Matt

>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From mike.cox52 at gmail.com Thu Feb 4 11:26:32 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Thu, 4 Feb 2010 10:26:32 -0600
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
In-Reply-To: <4B6AF283.8000706@jonkmans.com>
References: <4B6AF283.8000706@jonkmans.com>
Message-ID: <6116b9e21002040826qb778004y88b7970ed9f1d5b7@mail.gmail.com>

Well, all this detects is HTTP 1.1 access to certain sites, not tool downloads. You could add uricontent or content keywords to detect the actual file/installer download. Something like uricontent:".exe";, uricontent:".tgz";, or uricontent:".zip";, depending on how the tool download is packaged.

-Mike Cox

On Thu, Feb 4, 2010 at 10:14 AM, Matt Jonkman wrote:
> Jared Braverman of Secnap security sent in a large list of download
> rules for common and hostile security tools.
>
> I wanted to run them by the group for review. 
I'll be getting them tuned > up and into the policy set, but disabled by default. Comments or tweaks > please! > > #by Jared Braverman, Secnap Network Security > > > #NESSUS > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nessus"; flow:established,to_server; content:"|0d > 0a|Host\: nessus.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > #NMAP > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nmap"; flow:established,to_server; content:"|0d > 0a|Host\: nmap.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > #WIRESHARK > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Wireshark"; flow:established,to_server; > content:"|0d 0a|Host\: wireshark.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # RAPID 7 NEXPOSE > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Rapid 7 Nexpose"; flow:established,to_server; > content:"|0d 0a|Host\: rapid7.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # KISMET > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Kismet"; flow:established,to_server; content:"|0d > 0a|Host\: kismetwireless.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # JOHN THE RIPPER > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD John The Ripper"; flow:established,to_server; > content:"|0d 0a|Host\: openwall.com|0d 0a|"; nocase; > 
classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # ETTERCAP > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Ettercap"; flow:established,to_server; > content:"|0d 0a|Host\: ettercap.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # NIKTO > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nikto"; flow:established,to_server; content:"|0d > 0a|Host\: cirt.net|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # THC AMAP / HYDRA ETC. > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD THC Amap / Hydra etc"; > flow:established,to_server; content:"|0d 0a|Host\: freeworld.thc.org|0d > 0a|"; nocase; > classtype:security-tool-download;reference:url, > www.Whitehatsecurityresponse.blogspot.com; > sid:3466789; rev:1;) > > # PAROS PROXY > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Paros Proxy"; flow:established,to_server; > content:"|0d 0a|Host\: parosproxy.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # DSNIFF / FRAGROUTER > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Dsniff or Fragrouter etc"; > flow:established,to_server; content:"|0d 0a|Host\: > monkey.org/~dugsong|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # NETSTUMBLER > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Netstumbler"; flow:established,to_server; > content:"|0d 0a|Host\: stumbler.net|0d 0a|"; nocase; 
> classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # AIRCRACK > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Aircrack"; flow:established,to_server; > content:"|0d 0a|Host\: aircrack-ng.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # SCAPY > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Scapy"; flow:established,to_server; content:"|0d > 0a|Host\: secdev.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # YERSINIA > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Yersinia"; flow:established,to_server; > content:"|0d 0a|Host\: yersinia.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # SUPERSCAN > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Foundstone Superscan etc"; > flow:established,to_server; content:"|0d 0a|Host\: > foundstone.com/us/resources-free-tools.asp|0d0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # LCP > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD LCP"; flow:established,to_server; content:"|0d > 0a|Host\: lcpsoft.com|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # HPING > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Hping"; flow:established,to_server; content:"|0d > 0a|Host\: hping.org|0d 0a|"; nocase; classtype:security-tool-download; > 
reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # AIRSNORT > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Airsnort"; flow:established,to_server; > content:"|0d 0a|Host\: airsnort.shmoo.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # BACKTRACK > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Backtrack"; flow:established,to_server; > content:"|0d 0a|Host\: remote-exploit.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # P0F > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD P0F"; flow:established,to_server; content:"|0d > 0a|Host\: lcamtuf.coredump.cx/p0f.shtml|0d0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # GOOLAG > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Goolag"; flow:established,to_server; content:"|0d > 0a|Host\: goolag.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # WEBSCARAB > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Webscarab"; flow:established,to_server; > content:"|0d 0a|Host\: > http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project|0d0a|"; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # BURP SUITE > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Burp Suite"; flow:established,to_server; > content:"|0d 0a|Host\: portswigger.net|0d 0a|"; nocase; > classtype:security-tool-download; > 
reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RAT PROXY > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Rat Proxy"; flow:established,to_server; > content:"|0d 0a|Host\: code.google.com/p/ratproxy/downloads/list|0d > 0a| "; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PROXMON > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD ProxMon"; flow:established,to_server; > content:"|0d 0a|Host\: isecpartners.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PANTERA > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Pantera"; flow:established,to_server; > content:"|0d 0a|Host\: > http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Stu > dio_Project|0d0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RARCRACK > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD RarCrack"; flow:established,to_server; > content:"|0d 0a|Host\: sourceforge.net/projects/rarcrack|0d0a|"; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # NBTSCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD NBTscan"; flow:established,to_server; > content:"|0d 0a|Host\: inetcat.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # XPROBE2 > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Xprobe2"; flow:established,to_server; > content:"|0d 0a|Host\: 
ofirarkin.wordpress.com/xprobe|0d0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SOLARWINDS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD SolarWinds"; flow:established,to_server; > content:"|0d 0a|Host\: solarwinds.com/downloads|0d0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PWDUMP > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD PWdump"; flow:established,to_server; content:"|0d > 0a|Host\: swamp.foofus.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # W3AF > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD W3AF"; flow:established,to_server; content:"|0d > 0a|Host\: w3af.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RAINBOWCRACK > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD RainbowCrack"; flow:established,to_server; > content:"|0d 0a|Host\: project-rainbowcrack.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # ANGRY IP SCANNER > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Angry IP Scanner"; flow:established,to_server; > content:"|0d 0a|Host\: angryip.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # IKE SCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Ike Scan"; flow:established,to_server; > 
content:"|0d 0a|Host\: nta-monitor.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # KISMAC > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Kismac"; flow:established,to_server; content:"|0d > 0a|Host\: kismac-ng.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # OPEN-BSD PF > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD OpenBSD PF"; flow:established,to_server; > content:"|0d 0a|Host\: Benzedrine.cx|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # NEMESIS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nemesis"; flow:established,to_server; > content:"|0d 0a|Host\: nemesis.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # KNOPPIX > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Knoppix"; flow:established,to_server; > content:"|0d 0a|Host\: knoppix.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SPIKE PROXY > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Spike Proxy"; flow:established,to_server; > content:"|0d 0a|Host\: immunitysec.com/resources-freesoftware.shtml|0d > 0a| "; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # X SCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD X Scan"; flow:established,to_server; 
content:"|0d > 0a|Host\: xfocus.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # WHISKER > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Whisker"; flow:established,to_server; > content:"|0d 0a|Host\: wiretrip.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # THESE SOFTWARE DEVELOPERS HAVE SEVERAL APPS, BUT WHISKER / LIBWHISKER > IS THE MOST WELL KNOWN > > > > # SARA > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD SARA"; flow:established,to_server; content:"|0d > 0a|Host\: www-arc.com|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # CHEOPS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Cheops"; flow:established,to_server; content:"|0d > 0a|Host\: cheops-ng.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # BRUTUS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Brutus"; flow:established,to_server; content:"|0d > 0a|Host\: hoobie.net|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # UNICORNSCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD UnicornScan"; flow:established,to_server; > content:"|0d 0a|Host\: unicornscan.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # S TUNNEL > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL 
DOWNLOAD S Tunnel"; flow:established,to_server; > content:"|0d 0a|Host\: stunnel.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # HONEYD > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD HoneyD"; flow:established,to_server; content:"|0d > 0a|Host\: honeyd.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # NOTE - you can download this app from either HONEYD.ORG or > CITI.UMICH.EDU/U/PROVOS/HONEYD - SO HOW WOULD YOU MAKE THE SIG > ALERT FOR EITHER URL? > > > > # WIKTO > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Wikto"; flow:established,to_server; content:"|0d > 0a|Host\: sensepost.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SAINT > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Saint"; flow:established,to_server; content:"|0d > 0a|Host\: saintcorporation.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # N-STEALTH > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD N-Stealth"; flow:established,to_server; > content:"|0d 0a|Host\: nstalker.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # ABSINTHE > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Absinthe"; flow:established,to_server; > content:"|0d 0a|Host\: 0x90.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > -- > > 
----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

From jonkman at jonkmans.com Thu Feb 4 11:36:32 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 04 Feb 2010 11:36:32 -0500
Subject: [Emerging-Sigs] 4 new Sigs (including one for IE Dynamic Object Tag Information Disclosure 2010-0255)
In-Reply-To: References: Message-ID: <4B6AF790.3020401@jonkmans.com>

Posted the first two. Comments on the second two below:

On 2/4/10 7:29 AM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX WScript.Shell Function Call Attempt - Likely Hostile"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WScript.Shell"; nocase; distance:0; classtype:attempted-user; reference:url,msdn.microsoft.com/en-us/library/aew9yb99(VS.85).aspx; sid:1320003; rev:1;)

I'd like something more here. Just having the two terms on a page will trip the sig. Anything better we can do?

> # Also you missed this sig for the initial call home of the sasfis botnet (I submitted this one and also one for the report back after executing the command instruction.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet C&C Initial Checkin"; flow:established,to_server; uricontent:"/master/bb.php"; nocase; uricontent:"id="; nocase; uricontent:"v="; nocase; uricontent:"tm="; uricontent:"b="; nocase; pcre:"/\x2Fmaster\x2Fbb\x2Ephp.+b\x3B[0-9].+v\x3D[0-9]rm\x3D[0-9].+b\x3D/Ui"; classtype:trojan-activity; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; sid:1330001; rev:1;)
>

Integrated into another sig that is, or about to be posted. More general one.

Thanks!

Matt

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Feb 4 11:46:39 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 04 Feb 2010 11:46:39 -0500
Subject: [Emerging-Sigs] Rule question
In-Reply-To: References: Message-ID: <4B6AF9EF.8080407@jonkmans.com>

You can add the R to pcre to make it relative to the last match. (IIRC)

Matt

On 2/4/10 7:39 AM, spiffy pickle wrote:
> Hi everyone,
> I have a question regarding pcre and the depth, offset, distance, within qualifiers. I can't seem to find any documentation pointing one way or the other. Can you use those qualifiers with pcre? Does the pcre engine care about where the content match pointer is pointing?
> > Much thanks,
> > SP
>

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From mail at mare-system.de Thu Feb 4 11:51:28 2010
From: mail at mare-system.de (mex)
Date: Thu, 04 Feb 2010 17:51:28 +0100
Subject: [Emerging-Sigs] [Fwd: Re: 2 Policy-Sigs and 2 Sigs for Open-Proxy Scanners]
Message-ID: <4B6AFB10.10109@mare-system.de>

>> # Proxy-Scanner - 1
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Open-Proxy ScannerBot (proxyjudge) "; flow:established,to_server; content:"GET http\://proxyjudge1.proxyfire.net/fastenv"; depth:46; classtype:bad-unknown; sid:11220061; rev:1;)
>>
>
> This is just one of thousands of proxy judges. Is there something special about this one?

Besides a regular occurrence 50 times a day for each webserver IP there's nothing special about this; when you search the web
http://www.google.de/search?client=opera&rls=de&q=%22GET+http://proxyjudge1.proxyfire.net/fastenv+HTTP/1.1%22&sourceid=opera&ie=utf-8&oe=utf-8
you'll find this being seen in the logs for a year now.
mex

From mail at mare-system.de Thu Feb 4 11:54:36 2010
From: mail at mare-system.de (mex)
Date: Thu, 04 Feb 2010 17:54:36 +0100
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
Message-ID: <4B6AFBCC.9020009@mare-system.de>

I miss metasploit ;-)

Besides this, matching the host only will FP a lot; uricontents will be much more accurate, and I found some strange Host fields (host + URL, sometimes with http://, I don't know if this is valid), see examples below

> # DSNIFF / FRAGROUTER
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Dsniff or Fragrouter etc"; flow:established,to_server;
** content:"|0d 0a|Host\: monkey.org/~dugsong|0d 0a|"; **
> nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
>
> # SUPERSCAN
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Foundstone Superscan etc"; flow:established,to_server;
** content:"|0d 0a|Host\: foundstone.com/us/resources-free-tools.asp|0d 0a|"; **
> nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
>
>
> # P0F
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD P0F"; flow:established,to_server;
** content:"|0d 0a|Host\: lcamtuf.coredump.cx/p0f.shtml|0d 0a|"; **
> nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
>
> # WEBSCARAB
> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET SECURITY TOOL DOWNLOAD Webscarab"; flow:established,to_server;
** content:"|0d 0a|Host\: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project|0d 0a|"; **
> nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)
>
> ... and so on ...
Oh, and I wouldn't consider hping a security tool.

mex

From eslerj at gmail.com Thu Feb 4 12:07:52 2010
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 4 Feb 2010 12:07:52 -0500
Subject: [Emerging-Sigs] Rule question
In-Reply-To: <4B6AF9EF.8080407@jonkmans.com>
References: <4B6AF9EF.8080407@jonkmans.com>
Message-ID: <314cf0831002040907q28ce9fbk4909f96c3c3b7bfa@mail.gmail.com>

Correct. Read the response over on the Snort-Sigs list.

J

On Thu, Feb 4, 2010 at 11:46 AM, Matt Jonkman wrote:
> You can add the R to pcre to make it relative to the last match. (IIRC)
>
> Matt
>
> On 2/4/10 7:39 AM, spiffy pickle wrote:
> > Hi everyone,
> > I have a question regarding pcre and the depth, offset, distance, within qualifiers. I can't seem to find any documentation pointing one way or the other. Can you use those qualifiers with pcre? Does the pcre engine care about where the content match pointer is pointing?
> >
> > Much thanks,
> > SP
>

--
Joel Esler

From spooker at gmail.com Thu Feb 4 12:36:41 2010
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Thu, 4 Feb 2010 15:36:41 -0200
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
In-Reply-To: <4B6AF283.8000706@jonkmans.com>
References: <4B6AF283.8000706@jonkmans.com>
Message-ID: <9255886c1002040936o5ee5933fmdc077fa0c1a3f853@mail.gmail.com>

I think it'll generate FPs, because if I only access the website that means I'm downloading something.

- First, I think some threshold should be mandatory.
- Another point, maybe you saw it already: he uses the var $HOME_NEW, not $HOME_NET =)
- More information and paths could make those rules much better.

That's my opinion.
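
The objections raised in this thread (Host-only matches fire on any visit to the site; a path inside the Host value is not something a client sends; the stray `any` after `$HTTP_PORTS` and the `$HOME_NEW` variable, which the rule parser would reject anyway), the note in the submitted list asking how to alert on either HoneyD download site, and the "Rule question" about whether pcre honours the content match pointer can all be checked with a small model of the options involved. The following is an added example, not code from Emerging Threats, Secnap or anyone on this list: it re-implements the `content` (nocase, distance, within) and `pcre` (R flag) semantics in Python rather than running Snort, the request paths and file names in the sample requests are assumptions, and the claim that a client never puts a path in the Host header rests on RFC 2616 section 14.23.

```python
"""Model of the content/pcre semantics argued over in this thread.

Added example, not code from Emerging Threats, Secnap or anyone on the list.
It implements just enough of `content` (nocase, distance, within) and `pcre`
(the R flag) to show why a pcre needs R to line up with the content match
pointer, and why the submitted SECURITY TOOL DOWNLOAD rules either fire on
every visit to a site or can never fire at all.  Request paths and file names
below are assumptions, not captured traffic.
"""
import re

# Constructed requests.  A client puts the path in the request line and only
# host[:port] in the Host header (RFC 2616 s14.23), never "host/path".
BROWSE_NMAP = b"GET / HTTP/1.1\r\nHost: nmap.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
FETCH_NMAP = b"GET /dist/nmap-5.21.tar.bz2 HTTP/1.1\r\nHost: nmap.org\r\n\r\n"
FETCH_DSNIFF = b"GET /~dugsong/dsniff/dsniff-2.3.tar.gz HTTP/1.1\r\nHost: monkey.org\r\n\r\n"
FETCH_HONEYD_1 = b"GET /honeyd-1.5c.tar.gz HTTP/1.1\r\nHost: www.honeyd.org\r\n\r\n"
FETCH_HONEYD_2 = b"GET /u/provos/honeyd/honeyd-1.5c.tar.gz HTTP/1.1\r\nHost: citi.umich.edu\r\n\r\n"


class Payload:
    """One payload plus the 'detect offset end' pointer that every successful
    match advances and that relative options (distance, within, pcre R) use."""

    def __init__(self, data):
        self.data = data
        self.doe = 0

    def content(self, needle, nocase=False, distance=None, within=None):
        hay = self.data
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        start = self.doe + distance if distance is not None else 0
        end = start + within if within is not None else len(hay)
        pos = hay.find(needle, start, end)  # needle must fit inside [start, end)
        if pos < 0:
            return False
        self.doe = pos + len(needle)
        return True

    def pcre(self, regex, relative=False):
        # R hands the regex a subject that starts at the pointer, so ^ anchors
        # there (like distance:0).  Without R the whole payload is the subject.
        base = self.doe if relative else 0
        m = re.search(regex, self.data[base:])
        if not m:
            return False
        self.doe = base + m.end()
        return True


def pcre_with_and_without_r(req):
    """The 'Rule question': after content:"Host: ", an anchored pcre only
    lines up with that match when R is set.  Returns (without R, with R)."""
    plain, rel = Payload(req), Payload(req)
    plain.content(b"\r\nHost: ", nocase=True)
    rel.content(b"\r\nHost: ", nocase=True)
    return (plain.pcre(rb"^nmap\.org\r\n"),
            rel.pcre(rb"^nmap\.org\r\n", relative=True))


def rule_host_only(req):
    """Submitted form (Nmap): the Host header alone, so plain browsing fires it."""
    return Payload(req).content(b"\r\nHost: nmap.org\r\n", nocase=True)


def rule_host_with_path(req):
    """Submitted form (dsniff): a path inside the Host value.  No client sends
    that, so the rule cannot fire even on the real archive fetch."""
    return Payload(req).content(b"\r\nHost: monkey.org/~dugsong\r\n", nocase=True)


def rule_nmap_download(req):
    """Tightened as mex and Rodrigo suggest: the download path in the request
    line plus the Host header; `within` keeps the archive suffix on that line."""
    p = Payload(req)
    return (p.content(b"GET /dist/nmap-", nocase=True)
            and p.content(b".tar.bz2 HTTP/1.", nocase=True, distance=0, within=40)
            and p.content(b"\r\nHost: nmap.org\r\n", nocase=True))


def rule_honeyd_either_site(req):
    """One rule for both HoneyD sites: the pcre with R runs only over the Host
    value, so the alternation cannot wander into other headers.  The mirror
    branch also needs its /u/provos/honeyd/ path; the honeyd.org branch stays
    Host-only here and keeps the browsing false positive until a path is added."""
    p = Payload(req)
    if p.content(b"\r\nHost: ", nocase=True) and p.pcre(
            rb"^(?:www\.)?honeyd\.org\r\n", relative=True):
        return True
    p = Payload(req)
    return (p.content(b"GET /u/provos/honeyd/", nocase=True)
            and p.content(b"\r\nHost: citi.umich.edu\r\n", nocase=True))


if __name__ == "__main__":
    rules = (rule_host_only, rule_host_with_path, rule_nmap_download, rule_honeyd_either_site)
    for name, req in [("browse nmap", BROWSE_NMAP), ("fetch nmap", FETCH_NMAP),
                      ("fetch dsniff", FETCH_DSNIFF), ("honeyd.org", FETCH_HONEYD_1),
                      ("citi mirror", FETCH_HONEYD_2)]:
        print(f"{name:13s} -> {[r.__name__ for r in rules if r(req)] or '-'}")
```

Run as a script it prints which rule variants fire on each request: the Host-only Nmap rule fires on a plain `GET /`, the dsniff rule never fires even on the real archive fetch, the tightened rule fires only on the download, and the HoneyD rule takes either site through one anchored pcre with R. Two caveats: the model assumes R makes `^` anchor at the end of the last content match (my understanding of how Snort hands the remaining buffer to pcre; verify against the engine you run), and `within` here is the plain byte window after the previous match, without the `distance` interplay of every engine version.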
Regards, On Thu, Feb 4, 2010 at 2:14 PM, Matt Jonkman wrote: > Jared Braverman od Secnap security sent in a large list of download > rules for common and hostile security tools. > > I wanted to run them by the group for review. I'll be getting them tuned > up and into the policy set, but disabled by default. Comments or tweaks > please! > > #by Jared Braverman, Secnap Network Security > > > #NESSUS > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nessus"; flow:established,to_server; content:"|0d > 0a|Host\: nessus.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > #NMAP > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nmap"; flow:established,to_server; content:"|0d > 0a|Host\: nmap.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > #WIRESHARK > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Wireshark"; flow:established,to_server; > content:"|0d 0a|Host\: wireshark.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # RAPID 7 NEXPOSE > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Rapid 7 Nexpose"; flow:established,to_server; > content:"|0d 0a|Host\: rapid7.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # KISMET > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Kismet"; flow:established,to_server; content:"|0d > 0a|Host\: kismetwireless.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # JOHN THE 
RIPPER > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD John The Ripper"; flow:established,to_server; > content:"|0d 0a|Host\: openwall.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # ETTERCAP > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Ettercap"; flow:established,to_server; > content:"|0d 0a|Host\: ettercap.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # NIKTO > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nikto"; flow:established,to_server; content:"|0d > 0a|Host\: cirt.net|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # THC AMAP / HYDRA ETC. > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD THC Amap / Hydra etc"; > flow:established,to_server; content:"|0d 0a|Host\: freeworld.thc.org|0d > 0a|"; nocase; > classtype:security-tool-download;reference:url,www.Whitehatsecurityresponse.blogspot.com; > sid:3466789; rev:1;) > > # PAROS PROXY > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Paros Proxy"; flow:established,to_server; > content:"|0d 0a|Host\: parosproxy.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # DSNIFF / FRAGROUTER > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Dsniff or Fragrouter etc"; > flow:established,to_server; content:"|0d 0a|Host\: > monkey.org/~dugsong|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # 
NETSTUMBLER > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Netstumbler"; flow:established,to_server; > content:"|0d 0a|Host\: stumbler.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # AIRCRACK > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Aircrack"; flow:established,to_server; > content:"|0d 0a|Host\: aircrack-ng.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # SCAPY > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Scapy"; flow:established,to_server; content:"|0d > 0a|Host\: secdev.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # YERSINIA > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Yersinia"; flow:established,to_server; > content:"|0d 0a|Host\: yersinia.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # SUPERSCAN > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Foundstone Superscan etc"; > flow:established,to_server; content:"|0d 0a|Host\: > foundstone.com/us/resources-free-tools.asp|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # LCP > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD LCP"; flow:established,to_server; content:"|0d > 0a|Host\: lcpsoft.com|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # HPING > alert tcp $HOME_NEW any -> 
$EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Hping"; flow:established,to_server; content:"|0d > 0a|Host\: hping.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # AIRSNORT > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Airsnort"; flow:established,to_server; > content:"|0d 0a|Host\: airsnort.shmoo.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # BACKTRACK > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Backtrack"; flow:established,to_server; > content:"|0d 0a|Host\: remote-exploit.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # P0F > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD P0F"; flow:established,to_server; content:"|0d > 0a|Host\: lcamtuf.coredump.cx/p0f.shtml|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # GOOLAG > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Goolag"; flow:established,to_server; content:"|0d > 0a|Host\: goolag.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # WEBSCARAB > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Webscarab"; flow:established,to_server; > content:"|0d 0a|Host\: > http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project|0d 0a|"; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # BURP SUITE > > alert tcp $HOME_NEW any -> $EXTERNAL_NET 
$HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Burp Suite"; flow:established,to_server; > content:"|0d 0a|Host\: portswigger.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RAT PROXY > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Rat Proxy"; flow:established,to_server; > content:"|0d 0a|Host\: code.google.com/p/ratproxy/downloads/list|0d > 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PROXMON > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD ProxMon"; flow:established,to_server; > content:"|0d 0a|Host\: isecpartners.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PANTERA > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Pantera"; flow:established,to_server; > content:"|0d 0a|Host\: > http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Stu > dio_Project|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RARCRACK > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD RarCrack"; flow:established,to_server; > content:"|0d 0a|Host\: sourceforge.net/projects/rarcrack|0d 0a|"; > nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # NBTSCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD NBTscan"; flow:established,to_server; > content:"|0d 0a|Host\: inetcat.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; 
> rev:1;) > > > # XPROBE2 > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Xprobe2"; flow:established,to_server; > content:"|0d 0a|Host\: ofirarkin.wordpress.com/xprobe|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SOLARWINDS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD SolarWinds"; flow:established,to_server; > content:"|0d 0a|Host\: solarwinds.com/downloads|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # PWDUMP > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD PWdump"; flow:established,to_server; content:"|0d > 0a|Host\: swamp.foofus.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # W3AF > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD W3AF"; flow:established,to_server; content:"|0d > 0a|Host\: w3af.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # RAINBOWCRACK > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD RainbowCrack"; flow:established,to_server; > content:"|0d 0a|Host\: project-rainbowcrack.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # ANGRY IP SCANNER > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Angry IP Scanner"; flow:established,to_server; > content:"|0d 0a|Host\: angryip.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; 
sid:3466789; > rev:1;) > > > # IKE SCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Ike Scan"; flow:established,to_server; > content:"|0d 0a|Host\: nta-monitor.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # KISMAC > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Kismac"; flow:established,to_server; content:"|0d > 0a|Host\: kismac-ng.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # OPEN-BSD PF > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD OpenBSD PF"; flow:established,to_server; > content:"|0d 0a|Host\: Benzedrine.cx|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # NEMESIS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Nemesis"; flow:established,to_server; > content:"|0d 0a|Host\: nemesis.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # KNOPPIX > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Knoppix"; flow:established,to_server; > content:"|0d 0a|Host\: knoppix.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SPIKE PROXY > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Spike Proxy"; flow:established,to_server; > content:"|0d 0a|Host\: immunitysec.com/resources-freesoftware.shtml|0d > 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; 
sid:3466789; > rev:1;) > > > # X SCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD X Scan"; flow:established,to_server; content:"|0d > 0a|Host\: xfocus.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # WHISKER > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Whisker"; flow:established,to_server; > content:"|0d 0a|Host\: wiretrip.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # THESE SOFTWARE DEVELOPERS HAVE SEVERAL APPS, BUT WHISKER / LIBWHISKER > IS THE MOST WELL KNOWN > > > > # SARA > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD SARA"; flow:established,to_server; content:"|0d > 0a|Host\: www-arc.com|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # CHEOPS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Cheops"; flow:established,to_server; content:"|0d > 0a|Host\: cheops-ng.sourceforge.net|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # BRUTUS > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Brutus"; flow:established,to_server; content:"|0d > 0a|Host\: hoobie.net|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # UNICORNSCAN > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD UnicornScan"; flow:established,to_server; > content:"|0d 0a|Host\: unicornscan.org|0d 0a|"; nocase; > classtype:security-tool-download; > 
reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # S TUNNEL > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD S Tunnel"; flow:established,to_server; > content:"|0d 0a|Host\: stunnel.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # HONEYD > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD HoneyD"; flow:established,to_server; content:"|0d > 0a|Host\: honeyd.org|0d 0a|"; nocase; classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # NOTE - you can download this app from either HONEYD.ORG or > CITI.UMICH.EDU/U/PROVOS/HONEYD - SO HOW WOULD YOU MAKE THE SIG > ALERT FOR EITHER URL? > > > > # WIKTO > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Wikto"; flow:established,to_server; content:"|0d > 0a|Host\: sensepost.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > # SAINT > > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Saint"; flow:established,to_server; content:"|0d > 0a|Host\: saintcorporation.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # N-STEALTH > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD N-Stealth"; flow:established,to_server; > content:"|0d 0a|Host\: nstalker.com|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > # ABSINTHE > alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET > SECURITY TOOL DOWNLOAD Absinthe"; flow:established,to_server; > 
content:"|0d 0a|Host\: 0x90.org|0d 0a|"; nocase; > classtype:security-tool-download; > reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; > rev:1;) > > > -- > > ---------------------------------------------------- > Matthew Jonkman > Emerging Threats > Open Information Security Foundation (OISF) > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > http://www.openinfosecfoundation.org > ---------------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html > -- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker From phatbuckett at gmail.com Thu Feb 4 15:45:55 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Thu, 4 Feb 2010 13:45:55 -0700 Subject: [Emerging-Sigs] Help In-Reply-To: References: Message-ID: <839aec701002041245x65d76ademe70b4a23aed2ebd7@mail.gmail.com> Running into more misnamed detections due to this rule, thanks to Oficla downloaders distributing variants and popping up more frequently. Rule mod for review: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; sid:2010071; rev:3;) I added the pcre to tighten the matches and avoid FPs. 
I had a pcap ranging in length from 306-468 characters, so bumping down to 250 min sounds reasonable for outliers.

DS

On Fri, Jan 29, 2010 at 1:00 PM, Paul Schmehl wrote:
> According to this page:
> http://www.threatexpert.com/report.aspx?md5=e21b03355a2d11881f1035c9c52407e2
>
> This:
> http://191507d91017.giselin.com/
> get.php?c=QPTUDBSV&d=26606B6739323E352E64636F317E3
> E3D21262224242C3062717D2729245F2D5B136416671210651
> 36E1C1913196E1A1774040504000D73730F7F021D5F51485A3
> 27C75736224222A75786C243F3B2B3D6D647C6272213F34336..
>
> is a trojan downloader named Mufanom.dyk (Kaspersky), or Hiloti (Ikarus) or
> Multidropper (McAfee).
>
> We've been tracking multiple machines, Windows and Macs, and now an iPhone!,
> connecting to a single IP address (94.75.221.72), using multiple hostnames with
> a suspiciously malwarish pattern.
>
> All of these hosts trip the same alert:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - checkin"; flow:established,to_server; uricontent:"/get.php?"; nocase; uricontent:"c="; nocase; uricontent:"&d="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:2;)
>
> I have a pcap (and I'm still capturing) which I would be happy to provide for
> anyone who emails me privately. We've been taking these boxes off the net and
> formatting them. Now I find myself wondering, what the hell is this thing? If
> you go to the IP in your browser, it's a file upload site.
> If you do digs on
> all the hosts above **every one of them** resolves to this IP.
>
> What the heck is this????
>
>
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
>

--
Darren Spruell
phatbuckett at gmail.com

From emerging at emergingthreats.net Thu Feb 4 16:00:12 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 4 Feb 2010 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100204210012.5678C45052@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Feb 4 16:00:12 2010 [***]

[+++] Added rules: [+++]

 2010764 - ET TROJAN Oficla Checkin (2) (emerging-virus.rules)
 2010765 - ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) (emerging-virus.rules)
 2010766 - ET POLICY Proxy TRACE Request - inbound (emerging-policy.rules)
 2010767 - ET POLICY TRACE Request - outbound (emerging-policy.rules)
 2010768 - WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) (emerging-user_agents.rules)

[///] Modified active rules: [///]

 2008324 - ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin (emerging-virus.rules)
 2008325 - ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (emerging-virus.rules)
 2010148 - ET CURRENT_EVENTS DHL Spam Inbound (emerging-current_events.rules)
 2010743 - ET TROJAN Oficla Checkin (1) (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-policy.rules (2):
    #by Markus Manzke
    # HTTP-TRACE Request
 -> Added to emerging-sid-msg.map (8):
    2008324 || ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008324 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B
    2008325 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008325 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B
    2010743 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c
    2010764 || ET TROJAN Oficla Checkin (2) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c
    2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B
    2010766 || ET POLICY Proxy TRACE Request - inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy
    2010767 || ET POLICY TRACE Request - outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy
    2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526
 -> Added to emerging-sid-msg.map.txt (8):
    2008324 || ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008324 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B
    2008325 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008325 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B
    2010743 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c
    2010764 || ET TROJAN Oficla Checkin (2) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c
    2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B
    2010766 || ET POLICY Proxy TRACE Request - inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy
    2010767 || ET POLICY TRACE Request - outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy
    2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526
 -> Added to emerging-user_agents.rules (2):
    #by markus manzke
    # Proxy-Scanner - 2
 -> Added to emerging-virus.rules (2):
    #by evilghost and darren spruell and mike cox and crew
    #updates by darren spruell

[---] Removed non-rule lines: [---]

 -> Removed from emerging-sid-msg.map (11):
    2008324 || ET TROJAN Socks/Sality manda.php Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008324
    2008325 || ET TROJAN Socks/Sality HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008325
    2010743 || ET TROJAN Oficla Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla || url,doc.emergingthreats.net/2010743 || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c
    2500856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 -> Removed from emerging-sid-msg.map.txt (11):
    2008324 || ET TROJAN Socks/Sality manda.php Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008324
    2008325 || ET TROJAN Socks/Sality HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008325
    2010743 || ET TROJAN Oficla Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla || url,doc.emergingthreats.net/2010743 || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c
    2500856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 -> Removed from emerging-virus.rules (1):
    #by evilghost and darren spruell

From signatures at stillsecure.com Fri Feb 5 05:07:17 2010
From: signatures at stillsecure.com (signatures)
Date: Fri, 5 Feb 2010 03:07:17 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Feb 05th, 2010
Message-ID:
<5C9E8CCEEB81ED498AC0C3B0054704F3054C2950@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_messages.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9939; rev:1;)

2. WEB-PHP asaher pro view_blog_comments.php Remote File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro view_blog_comments.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_blog_comments.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9940; rev:1;)

3. WEB-PHP asaher pro view_blog_archives.php Remote File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro view_blog_archives.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_blog_archives.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9941; rev:1;)

4. WEB-PHP asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/add_comments.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9942; rev:1;)

5. WEB-PHP asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/downloads.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9943; rev:1;)

6. WEB-PHP asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/emailsender.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9944; rev:1;)

7. WEB-PHP asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/left_menu.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9945; rev:1;)

8. WEB-ATTACKS HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1"; flow:established,to_client; content:"clsid"; nocase; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; distance:0; content:"ProgColor"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE/si"; classtype:attempted-user; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; sid:9701; rev:1;)

9. WEB-ATTACKS HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2"; flow:established,to_client; content:"clsid"; nocase; content:"CDBD9968-7BF1-11D4-9D36-0001029DEBEB"; nocase; distance:0; content:"ProgColor"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CDBD9968-7BF1-11D4-9D36-0001029DEBEB/si"; classtype:attempted-user; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; sid:9702; rev:1;)

10. WEB-PHP Joomla mediaslide component viewer.php path Local File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla mediaslide component viewer.php path Local File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/components/com_mediaslide/viewer.php?"; nocase; uricontent:"path="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:bugtraq,37440; sid:9902; rev:1;)

Looking forward to your inputs, if any...

Thanks & Regards,
StillSecure

From spooker at gmail.com Fri Feb 5 07:47:23 2010
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Fri, 5 Feb 2010 10:47:23 -0200
Subject: [Emerging-Sigs] SidReporter pointing to wrong VRT rules information
Message-ID: <9255886c1002050447w1e0d5d6ja0c71fb167fa75cd@mail.gmail.com>

Matt,

Sidreporter ( http://www.emergingthreats.net/index.php/sidreporter-statistics.html ) is pointing to old VRT information at snort.org website.
Sidreport is pointing to http://www.snort.org/pub-bin/sigs.cgi?sid=498

You should use http://www.snort.org/search/sid/498

ET rules are working fine with the reference =)

Regards,
--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From jonkman at jonkmans.com Fri Feb 5 08:12:09 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 05 Feb 2010 08:12:09 -0500
Subject: [Emerging-Sigs] SidReporter pointing to wrong VRT rules information
In-Reply-To: <9255886c1002050447w1e0d5d6ja0c71fb167fa75cd@mail.gmail.com>
References: <9255886c1002050447w1e0d5d6ja0c71fb167fa75cd@mail.gmail.com>
Message-ID: <4B6C1929.70308@jonkmans.com>

Fixed up, thanks for pointing that out Rodrigo!

Matt

On 2/5/10 7:47 AM, Rodrigo Montoro(Sp0oKeR) wrote:
> Matt,
>
> Sidreporter ( http://www.emergingthreats.net/index.php/sidreporter-statistics.html
> ) is pointing to old VRT information at snort.org website.
>
> Sidreport is pointing to http://www.snort.org/pub-bin/sigs.cgi?sid=498
>
> You should use http://www.snort.org/search/sid/498
>
> ET rules are working fine with the reference =)
>
>
> Regards,
>

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Fri Feb 5 09:27:55 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 05 Feb 2010 09:27:55 -0500
Subject: [Emerging-Sigs] Help
In-Reply-To: <839aec701002041245x65d76ademe70b4a23aed2ebd7@mail.gmail.com>
References: <839aec701002041245x65d76ademe70b4a23aed2ebd7@mail.gmail.com>
Message-ID: <4B6C2AEB.2060408@jonkmans.com>

Done, thanks Darren!
Matt

On 2/4/10 3:45 PM, Darren Spruell wrote:
> Running into more misnamed detections due to this rule, thanks to
> Oficla downloaders distributing variants and popping up more
> frequently. Rule mod for review:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Hiloti/Mufanom Downloader Checkin"; flow:established,to_server;
> uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase;
> pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U";
> classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A;
> reference:url,doc.emergingthreats.net/2010071; sid:2010071; rev:3;)
>
> I added the pcre to tighten the matches and avoid FPs. I had a pcap
> ranging in length from 306-468 characters, so bumping down to 250 min
> sounds reasonable for outliers.
>
> DS
>
>
> On Fri, Jan 29, 2010 at 1:00 PM, Paul Schmehl wrote:
>> According to this page:
>> http://www.threatexpert.com/report.aspx?md5=e21b03355a2d11881f1035c9c52407e2
>>
>> This:
>> http://191507d91017.giselin.com/
>> get.php?c=QPTUDBSV&d=26606B6739323E352E64636F317E3
>> E3D21262224242C3062717D2729245F2D5B136416671210651
>> 36E1C1913196E1A1774040504000D73730F7F021D5F51485A3
>> 27C75736224222A75786C243F3B2B3D6D647C6272213F34336..
>>
>> is a trojan downloader named Mufanom.dyk (Kaspersky), or Hiloti (Ikarus) or
>> Multidropper (McAfee).
>>
>> We've been tracking multiple machines, Windows and Macs, and now an iPhone!,
>> connecting to a single IP address (94.75.221.72), using multiple hostnames with
>> a suspiciously malwarish pattern.
>>
>> All of these hosts trip the same alert:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab
>> Infection - checkin"; flow:established,to_server; uricontent:"/get.php?";
>> nocase; uricontent:"c="; nocase; uricontent:"&d="; nocase;
>> classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010071;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab;
>> sid:2010071; rev:2;)
>>
>> I have a pcap (and I'm still capturing) which I would be happy to provide for
>> anyone who emails me privately. We've been taking these boxes off the net and
>> formatting them. Now I find myself wondering, what the hell is this thing? If
>> you go to the IP in your browser, it's a file upload site. If you do digs on
>> all the hosts above **every one of them** resolves to this IP.
>>
>> What the heck is this????
>>
>>
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
>>
>
>
>

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Fri Feb 5 09:31:42 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 05 Feb 2010 09:31:42 -0500
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
In-Reply-To: <9255886c1002040936o5ee5933fmdc077fa0c1a3f853@mail.gmail.com>
References: <4B6AF283.8000706@jonkmans.com> <9255886c1002040936o5ee5933fmdc077fa0c1a3f853@mail.gmail.com>
Message-ID: <4B6C2BCE.9050806@jonkmans.com>

Ya, I agree. I like the idea, but we need to tighten up some. And some have url's as Host: .... Easily fixable.

Anyone willing to hop in and get some more specific url's? I'd rather that vs just host name matches. We can get specific and update them over time.

Thanks Jared!

Matt

On 2/4/10 12:36 PM, Rodrigo Montoro(Sp0oKeR) wrote:
> I think it'll generate FP because if I only access the website that
> means that I'm downloading something.
>
> - First I think some threshold should be mandatory.
> - Another point maybe you saw already he uses var $HOME_NEW not HOME_NET =)
> - more information and paths could make those rules much better.
>
> That's my opinion.
>
> Regards,
>
> On Thu, Feb 4, 2010 at 2:14 PM, Matt Jonkman wrote:
>> Jared Braverman of Secnap security sent in a large list of download
>> rules for common and hostile security tools.
>>
>> I wanted to run them by the group for review. I'll be getting them tuned
>> up and into the policy set, but disabled by default. Comments or tweaks
>> please!
>>
>> #by Jared Braverman, Secnap Network Security
>>
>>
>> #NESSUS
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Nessus"; flow:established,to_server; content:"|0d
>> 0a|Host\: nessus.org|0d 0a|"; nocase; classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> #NMAP
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Nmap"; flow:established,to_server; content:"|0d
>> 0a|Host\: nmap.org|0d 0a|"; nocase; classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> #WIRESHARK
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Wireshark"; flow:established,to_server;
>> content:"|0d 0a|Host\: wireshark.org|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # RAPID 7 NEXPOSE
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Rapid 7 Nexpose"; flow:established,to_server;
>> content:"|0d 0a|Host\: rapid7.com|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # KISMET
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Kismet"; flow:established,to_server; content:"|0d
>> 0a|Host\: kismetwireless.net|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # JOHN THE RIPPER
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD John The Ripper"; flow:established,to_server;
>> content:"|0d 0a|Host\: openwall.com|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # ETTERCAP
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Ettercap"; flow:established,to_server;
>> content:"|0d 0a|Host\: ettercap.sourceforge.net|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # NIKTO
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Nikto"; flow:established,to_server; content:"|0d
>> 0a|Host\: cirt.net|0d 0a|"; nocase; classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # THC AMAP / HYDRA ETC.
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD THC Amap / Hydra etc";
>> flow:established,to_server; content:"|0d 0a|Host\: freeworld.thc.org|0d
>> 0a|"; nocase;
>> classtype:security-tool-download;reference:url,www.Whitehatsecurityresponse.blogspot.com;
>> sid:3466789; rev:1;)
>>
>> # PAROS PROXY
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Paros Proxy"; flow:established,to_server;
>> content:"|0d 0a|Host\: parosproxy.org|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # DSNIFF / FRAGROUTER
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Dsniff or Fragrouter etc";
>> flow:established,to_server; content:"|0d 0a|Host\:
>> monkey.org/~dugsong|0d 0a|"; nocase; classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # NETSTUMBLER
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Netstumbler"; flow:established,to_server;
>> content:"|0d 0a|Host\: stumbler.net|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # AIRCRACK
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Aircrack"; flow:established,to_server;
>> content:"|0d 0a|Host\: aircrack-ng.org|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # SCAPY
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Scapy"; flow:established,to_server; content:"|0d
>> 0a|Host\: secdev.org|0d 0a|"; nocase; classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # YERSINIA
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Yersinia"; flow:established,to_server;
>> content:"|0d 0a|Host\: yersinia.net|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # SUPERSCAN
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Foundstone Superscan etc";
>> flow:established,to_server; content:"|0d 0a|Host\:
>> foundstone.com/us/resources-free-tools.asp|0d 0a|"; nocase;
>> classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # LCP
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD LCP"; flow:established,to_server; content:"|0d
>> 0a|Host\: lcpsoft.com|0d 0a|"; nocase; classtype:security-tool-download;
>> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789;
>> rev:1;)
>>
>> # HPING
>> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET
>> SECURITY TOOL DOWNLOAD Hping"; flow:established,to_server; content:"|0d
>> 0a|Host\: hping.org|0d 0a|"; nocase;
classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # AIRSNORT >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Airsnort"; flow:established,to_server; >> content:"|0d 0a|Host\: airsnort.shmoo.com|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # BACKTRACK >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Backtrack"; flow:established,to_server; >> content:"|0d 0a|Host\: remote-exploit.org|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # P0F >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD P0F"; flow:established,to_server; content:"|0d >> 0a|Host\: lcamtuf.coredump.cx/p0f.shtml|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # GOOLAG >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Goolag"; flow:established,to_server; content:"|0d >> 0a|Host\: goolag.org|0d 0a|"; nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # WEBSCARAB >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Webscarab"; flow:established,to_server; >> content:"|0d 0a|Host\: >> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project|0d 0a|"; >> nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # BURP SUITE >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Burp Suite"; flow:established,to_server; >> 
content:"|0d 0a|Host\: portswigger.net|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # RAT PROXY >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Rat Proxy"; flow:established,to_server; >> content:"|0d 0a|Host\: code.google.com/p/ratproxy/downloads/list|0d >> 0a|"; nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # PROXMON >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD ProxMon"; flow:established,to_server; >> content:"|0d 0a|Host\: isecpartners.com|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # PANTERA >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Pantera"; flow:established,to_server; >> content:"|0d 0a|Host\: >> http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Stu >> dio_Project|0d 0a|"; nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # RARCRACK >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD RarCrack"; flow:established,to_server; >> content:"|0d 0a|Host\: sourceforge.net/projects/rarcrack|0d 0a|"; >> nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # NBTSCAN >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD NBTscan"; flow:established,to_server; >> content:"|0d 0a|Host\: inetcat.net|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # XPROBE2 >> >> 
alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Xprobe2"; flow:established,to_server; >> content:"|0d 0a|Host\: ofirarkin.wordpress.com/xprobe|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # SOLARWINDS >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD SolarWinds"; flow:established,to_server; >> content:"|0d 0a|Host\: solarwinds.com/downloads|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # PWDUMP >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD PWdump"; flow:established,to_server; content:"|0d >> 0a|Host\: swamp.foofus.net|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # W3AF >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD W3AF"; flow:established,to_server; content:"|0d >> 0a|Host\: w3af.sourceforge.net|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # RAINBOWCRACK >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD RainbowCrack"; flow:established,to_server; >> content:"|0d 0a|Host\: project-rainbowcrack.com|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # ANGRY IP SCANNER >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Angry IP Scanner"; flow:established,to_server; >> content:"|0d 0a|Host\: angryip.org|0d 0a|"; nocase; >> classtype:security-tool-download; >> 
reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # IKE SCAN >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Ike Scan"; flow:established,to_server; >> content:"|0d 0a|Host\: nta-monitor.com|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # KISMAC >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Kismac"; flow:established,to_server; content:"|0d >> 0a|Host\: kismac-ng.org|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # OPEN-BSD PF >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD OpenBSD PF"; flow:established,to_server; >> content:"|0d 0a|Host\: Benzedrine.cx|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # NEMESIS >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Nemesis"; flow:established,to_server; >> content:"|0d 0a|Host\: nemesis.sourceforge.net|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # KNOPPIX >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Knoppix"; flow:established,to_server; >> content:"|0d 0a|Host\: knoppix.org|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # SPIKE PROXY >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Spike Proxy"; flow:established,to_server; >> content:"|0d 0a|Host\: immunitysec.com/resources-freesoftware.shtml|0d 
>> 0a|"; nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # X SCAN >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD X Scan"; flow:established,to_server; content:"|0d >> 0a|Host\: xfocus.org|0d 0a|"; nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # WHISKER >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Whisker"; flow:established,to_server; >> content:"|0d 0a|Host\: wiretrip.net|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # THESE SOFTWARE DEVELOPERS HAVE SEVERAL APPS, BUT WHISKER / LIBWHISKER >> IS THE MOST WELL KNOWN >> >> >> >> # SARA >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD SARA"; flow:established,to_server; content:"|0d >> 0a|Host\: www-arc.com|0d 0a|"; nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # CHEOPS >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Cheops"; flow:established,to_server; content:"|0d >> 0a|Host\: cheops-ng.sourceforge.net|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # BRUTUS >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Brutus"; flow:established,to_server; content:"|0d >> 0a|Host\: hoobie.net|0d 0a|"; nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # UNICORNSCAN >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY 
TOOL DOWNLOAD UnicornScan"; flow:established,to_server; >> content:"|0d 0a|Host\: unicornscan.org|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # S TUNNEL >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD S Tunnel"; flow:established,to_server; >> content:"|0d 0a|Host\: stunnel.org|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # HONEYD >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD HoneyD"; flow:established,to_server; content:"|0d >> 0a|Host\: honeyd.org|0d 0a|"; nocase; classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # NOTE - you can download this app from either HONEYD.ORG or >> CITI.UMICH.EDU/U/PROVOS/HONEYD - SO HOW WOULD YOU MAKE THE SIG >> ALERT FOR EITHER URL? 
>> >> >> >> # WIKTO >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Wikto"; flow:established,to_server; content:"|0d >> 0a|Host\: sensepost.com|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> # SAINT >> >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Saint"; flow:established,to_server; content:"|0d >> 0a|Host\: saintcorporation.com|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # N-STEALTH >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD N-Stealth"; flow:established,to_server; >> content:"|0d 0a|Host\: nstalker.com|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> # ABSINTHE >> alert tcp $HOME_NEW any -> $EXTERNAL_NET $HTTP_PORTS any (msg:"ET >> SECURITY TOOL DOWNLOAD Absinthe"; flow:established,to_server; >> content:"|0d 0a|Host\: 0x90.org|0d 0a|"; nocase; >> classtype:security-tool-download; >> reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; >> rev:1;) >> >> >> -- >> >> ---------------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Open Information Security Foundation (OISF) >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> http://www.openinfosecfoundation.org >> ---------------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> Support Emerging Threats! Get your ET Stuff! 
>> Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>>
>
>

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From kevross33 at googlemail.com Fri Feb 5 09:49:39 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 5 Feb 2010 14:49:39 +0000
Subject: [Emerging-Sigs] SIG UPDATE: IE Info Disclosure and New IE CVE-2010-0249 srcElement Code Execution
Message-ID:

The top sig has been modified to include 127.0.0.1 (as this vulnerability seems to be based upon trusted scripting zones in IE). Also a sig for CVE-2010-0249 (i.e. the so-called Aurora attacks) based on some research as to what is actually required.

Kev

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt"; flow:established,to_client; content:"document.createElement"; nocase; content:"file|3A|//127.0.0.1"; nocase; within:100; content:"text/html"; nocase; distance:0; content:"document.body.appendChild"; nocase; classtype:attempted-user; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,www.microsoft.com/technet/security/advisory/980088.mspx; reference:cve,2010-0255; sid:2010769; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer CVE-2010-0249 srcElement Remote Code Execution Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"="; within:2; content:"|22 22|"; within:3; content:"window.setInterval"; distance:0; nocase; classtype:attempted-user; reference:cve,2010-0249; sid:1320005; rev:1;)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100205/11e0e521/attachment.html

From spooker at gmail.com Fri Feb 5 10:07:13 2010
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Fri, 5 Feb 2010 13:07:13 -0200
Subject: [Emerging-Sigs] Propose Sigs: Facebook Chat
Message-ID: <9255886c1002050707n6627341cvefe1184e1e2f4258@mail.gmail.com>

Just sniffed some traffic at Facebook chat.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook Chat (send message)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ajax/chat/send.php"; content:"facebook.com"; sid:XXXX;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook Chat (buddy list)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ajax/chat/buddy_list.php"; content:"facebook.com"; sid:XXXX;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook Chat (settings)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ajax/chat/settings.php"; content:"facebook.com"; sid:XXXX;)

Regards,

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From frank at knobbe.us Fri Feb 5 10:36:03 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Fri, 5 Feb 2010 09:36:03 -0600
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
In-Reply-To: <4B6C2BCE.9050806@jonkmans.com>
References: <4B6AF283.8000706@jonkmans.com> <9255886c1002040936o5ee5933fmdc077fa0c1a3f853@mail.gmail.com> <4B6C2BCE.9050806@jonkmans.com>
Message-ID: <20100205153603.GA67747@knobbe.us>

On Fri, Feb 05, 2010 at 09:31:42AM -0500, Matt Jonkman wrote:
> Ya, I agree. I like the idea, but we need to tighten up some. And some
> have url's as Host: .... Easily fixable.
>
> Anyone willing to hop in and get some more specific url's? I'd rather
> that vs just host name matches. We can get specific and update them over
> time.

Make sure it's the actual download of the tool, and not just visiting the web site. Based on the proposed rules, all I need to do is browse to www.openwall.com and I'm in trouble. I think only some of those rules make sense.

Wouldn't it be better to detect USE of the tool than merely access to its web site? Like the MetaSploit update sig or such. We should detect when tools are run, not when web sites are accessed. Snort isn't a web filter. If you want alerts on web sites, use BlueCoat or similar.

-Frank

> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SECURITY TOOL DOWNLOAD Nessus"; flow:established,to_server; content:"|0d 0a|Host\: nessus.org|0d 0a|"; nocase; classtype:security-tool-download; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:3466789; rev:1;)

Tool download?? Hardly. This will trigger if you follow a reference from your Snort portal to look up the signature reference to a Nessus vulnerability description. (If you add a reference to www.nessus.org to this signature, will you create an endless loop? ..lol)

From richrumble at gmail.com Fri Feb 5 12:27:23 2010
From: richrumble at gmail.com (Rich Rumble)
Date: Fri, 5 Feb 2010 12:27:23 -0500
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
In-Reply-To: <20100205153603.GA67747@knobbe.us>
References: <4B6AF283.8000706@jonkmans.com> <9255886c1002040936o5ee5933fmdc077fa0c1a3f853@mail.gmail.com> <4B6C2BCE.9050806@jonkmans.com> <20100205153603.GA67747@knobbe.us>
Message-ID:

> Wouldn't it be better to detect USE of the tool than merely access to
> its web site? Like the MetaSploit update sig or such. We should detect when
> tools are run, not when web sites are accessed. Snort isn't a web filter.
> If you want alerts on web sites, use BlueCoat or similar.

I agree, these rules are better suited for a proxy blacklist than ET.
I wrote a rule to detect the use of PwDump/FgDump, psexec, rctrlx and others... I sent these in, but they never got posted (2/9/09)? Nonetheless they are here now and I think the detection of their use is where time is better spent.

We all know tools have legit purposes, like PsExec for instance, but it can be used for evil as well as good, so we monitor its use. These work for us, I'm sure they can be improved.

#PsExec rule for lan
alert tcp any any -> $HOME_NET 139:445 (msg:"POLICY PsExec service created"; flow:to_server,established; content:"|5c 00 50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; reference:url,xinn.org/Snort-psexec.html; classtype:suspicious-filename-detect; sid:999990; rev:1;)

#RctrlX rule
alert tcp any any -> $HOME_NET 139:445 (msg:"POLICY RemoteControlX, rctrlx service created"; flow:to_server,established; content:"|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html; classtype:suspicious-filename-detect; sid:999991; rev:1;)

#GsecDump rule
alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT GsecDump, GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; classtype:suspicious-filename-detect; sid:999992; rev:1;)

-rich

From spooker at gmail.com Fri Feb 5 12:33:45 2010
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Fri, 5 Feb 2010 15:33:45 -0200
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
In-Reply-To:
References: <4B6AF283.8000706@jonkmans.com> <9255886c1002040936o5ee5933fmdc077fa0c1a3f853@mail.gmail.com> <4B6C2BCE.9050806@jonkmans.com> <20100205153603.GA67747@knobbe.us>
Message-ID: <9255886c1002050933l4af19519g4460036e997652c5@mail.gmail.com>

Rich,

I agree with you about content filtering. Doing it another way, I think an IDS could be helpful for auditing some web filtering rules in particular (not with those rules that will generate a LOT of FPs).

About those rules, why do you use the whole range 139:445? I think [139,445] is enough. Another suggestion: use $EXTERNAL_NET instead of any as the source. I have no way to test it, but does it work with dcerpc2?

BTW, starting another thread with your sigs could be better for discussion =)

Regards,

On Fri, Feb 5, 2010 at 3:27 PM, Rich Rumble wrote:
>> Wouldn't it be better to detect USE of the tool than merely access to
>> its web site? Like the MetaSploit update sig or such. We should detect when
>> tools are run, not when web sites are accessed. Snort isn't a web filter.
>> If you want alerts on web sites, use BlueCoat or similar.
>
> I agree, these rules are better suited for a proxy blacklist than ET.
> I wrote a rule to detect the use of PwDump/FgDump, psexec, rctrlx and
> others... I sent these in, but they never got posted (2/9/09)?
> Nonetheless they are here now and I think the detection of their use
> is where time is better spent.
> We all know tools have legit purposes, like PsExec for instance, but
> it can be used for evil as well as good, so we monitor its use.
> These work for us, I'm sure they can be improved.
>
> #PsExec rule for lan
> alert tcp any any -> $HOME_NET 139:445 (msg:"POLICY PsExec service created"; flow:to_server,established; content:"|5c 00 50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; reference:url,xinn.org/Snort-psexec.html; classtype:suspicious-filename-detect; sid:999990; rev:1;)
>
> #RctrlX rule
> alert tcp any any -> $HOME_NET 139:445 (msg:"POLICY RemoteControlX, rctrlx service created"; flow:to_server,established; content:"|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html; classtype:suspicious-filename-detect; sid:999991; rev:1;)
>
> #GsecDump rule
> alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT GsecDump, GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; classtype:suspicious-filename-detect; sid:999992; rev:1;)
>
> -rich
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff!
> Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From richrumble at gmail.com Fri Feb 5 13:48:29 2010
From: richrumble at gmail.com (Rich Rumble)
Date: Fri, 5 Feb 2010 13:48:29 -0500
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
In-Reply-To: <9255886c1002050933l4af19519g4460036e997652c5@mail.gmail.com>
References: <4B6AF283.8000706@jonkmans.com> <9255886c1002040936o5ee5933fmdc077fa0c1a3f853@mail.gmail.com> <4B6C2BCE.9050806@jonkmans.com> <20100205153603.GA67747@knobbe.us> <9255886c1002050933l4af19519g4460036e997652c5@mail.gmail.com>
Message-ID:

The range is used for backward compatibility; Snort hasn't always supported CSV'ing ports. We use the rules to look for the activities to the home_net in particular; it works well for us.

I was using the rules as an example at first, then I looked at the ET tarball again and didn't see those rules in ET, so I hastily created the email :) Next time I'll submit in a more appropriate manner.
The other rules I've submitted are similar using the range:
sid:2008476
sid:2008445
sid:2008444

-rich

From emerging at emergingthreats.net Fri Feb 5 16:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 5 Feb 2010 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100205210013.ADC1245052@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Feb 5 16:00:13 2010 [***]

[+++] Added rules: [+++]

2010769 - ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt (emerging-current_events.rules)
2010770 - ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt (emerging-web_specific_apps.rules)

[///] Modified active rules: [///]

2010071 - ET TROJAN Hiloti/Mufanom Infection Checkin (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-current_events.rules (1):
#we should remove this in a month or so, april 2010 or so

-> Added to emerging-sid-msg.map (7):
2010071 || ET TROJAN Hiloti/Mufanom Infection Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A
2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || cve,2010-0255 || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag
2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727
2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org
2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org
2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org
2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org

-> Added to emerging-sid-msg.map.txt (7):
2010071 || ET TROJAN Hiloti/Mufanom Infection Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A
2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || cve,2010-0255 || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag
2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727
2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org
2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org
2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org
2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (21):
2010071 || ET TROJAN Bredolab Infection - checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071
2500846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Removed from emerging-sid-msg.map.txt (21):
2010071 || ET TROJAN Bredolab Infection - checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071
2500846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Sat Feb 6 16:00:14 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 6 Feb 2010 16:00:14 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100206210014.53FAF45052@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Feb 6 16:00:14 2010 [***]

[*] Rules modifications: [*]
None.

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (2):
2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

-> Added to emerging-sid-msg.map.txt (2):
2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

From emerging at emergingthreats.net Sat Feb 6 18:00:14 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 6 Feb 2010 18:00:14 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20100206230014.3D8DC4504F@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Feb 6 18:00:14 2010 [***]

[+++] Added rules: [+++]

2010745 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt (emerging-web_specific_apps.rules)
2010746 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt (emerging-web_specific_apps.rules)
2010747 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt (emerging-web_specific_apps.rules)
2010748 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt (emerging-web_specific_apps.rules)
2010749 - ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt (emerging-web_specific_apps.rules)
2010750 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010751 - ET WEB_SPECIFIC_APPS Joomla
com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010752 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules) 2010753 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules) 2010754 - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules) 2010755 - ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt (emerging-dos.rules) 2010756 - ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution (emerging-virus.rules) 2010757 - ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set (emerging-web_client.rules) 2010758 - ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt (emerging-web_client.rules) 2010759 - ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt (emerging-exploit.rules) 2010760 - ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt (emerging-web_client.rules) 2010761 - ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt (emerging-web_specific_apps.rules) 2010762 - ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt (emerging-web_specific_apps.rules) 2010763 - ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt (emerging-web_specific_apps.rules) 2010764 - ET TROJAN Oficla Checkin (2) (emerging-virus.rules) 2010765 - ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) (emerging-virus.rules) 2010766 - ET POLICY Proxy TRACE Request - inbound (emerging-policy.rules) 2010767 - ET POLICY TRACE Request - outbound (emerging-policy.rules) 2010768 - WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) (emerging-user_agents.rules) 2010769 - ET 
CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt (emerging-current_events.rules) 2010770 - ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt (emerging-web_specific_apps.rules) 2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2404056 - ET DROP Known Bot C&C Server Traffic TCP (group 29) (emerging-botcc.rules) 2404057 - ET DROP Known Bot C&C Server Traffic UDP (group 29) (emerging-botcc.rules) 2405056 - ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405057 - ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) [///] Modified active rules: [///] 2001996 - ET USER_AGENTS UCMore Spyware Activity User Agent String (emerging-user_agents.rules) 2008324 - ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin (emerging-virus.rules) 2008325 - ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (emerging-virus.rules) 2009295 - ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) (emerging-user_agents.rules) 2010071 - ET TROJAN Hiloti/Mufanom Infection Checkin (emerging-virus.rules) 2010148 - ET CURRENT_EVENTS DHL Spam Inbound (emerging-current_events.rules) 2010381 - ET TROJAN Syrutrk/Gibon/Bredolab Checkin (emerging-virus.rules) 2010458 - ET TROJAN Dropper Checkin - Likely Yahlover Worm (emerging-virus.rules) 2010743 - ET TROJAN Oficla Checkin (1) (emerging-virus.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - 
ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2402001 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2403001 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic TCP (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic UDP (group 1) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic TCP (group 2) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic UDP (group 2) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic TCP (group 3) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic UDP (group 3) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic TCP (group 4) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic UDP (group 4) 
(emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic TCP (group 5) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic UDP (group 5) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic TCP (group 6) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic UDP (group 6) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic TCP (group 7) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic UDP (group 7) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic TCP (group 8) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic UDP (group 8) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic TCP (group 9) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic UDP (group 9) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic TCP (group 10) (emerging-botcc.rules) 2404019 - ET DROP Known Bot C&C Server Traffic UDP (group 10) (emerging-botcc.rules) 2404020 - ET DROP Known Bot C&C Server Traffic TCP (group 11) (emerging-botcc.rules) 2404021 - ET DROP Known Bot C&C Server Traffic UDP (group 11) (emerging-botcc.rules) 2404022 - ET DROP Known Bot C&C Server Traffic TCP (group 12) (emerging-botcc.rules) 2404023 - ET DROP Known Bot C&C Server Traffic UDP (group 12) (emerging-botcc.rules) 2404024 - ET DROP Known Bot C&C Server Traffic TCP (group 13) (emerging-botcc.rules) 2404025 - ET DROP Known Bot C&C Server Traffic UDP (group 13) (emerging-botcc.rules) 2404026 - ET DROP Known Bot C&C Server Traffic TCP (group 14) (emerging-botcc.rules) 2404027 - ET DROP Known Bot C&C Server Traffic UDP (group 14) (emerging-botcc.rules) 2404028 - ET DROP Known Bot C&C Server Traffic TCP (group 15) (emerging-botcc.rules) 2404029 - ET DROP Known Bot C&C Server Traffic UDP (group 15) (emerging-botcc.rules) 2404030 - ET DROP Known Bot C&C Server Traffic TCP (group 16) (emerging-botcc.rules) 2404031 - ET DROP Known Bot C&C 
Server Traffic UDP (group 16) (emerging-botcc.rules) 2404032 - ET DROP Known Bot C&C Server Traffic TCP (group 17) (emerging-botcc.rules) 2404033 - ET DROP Known Bot C&C Server Traffic UDP (group 17) (emerging-botcc.rules) 2404034 - ET DROP Known Bot C&C Server Traffic TCP (group 18) (emerging-botcc.rules) 2404035 - ET DROP Known Bot C&C Server Traffic UDP (group 18) (emerging-botcc.rules) 2404036 - ET DROP Known Bot C&C Server Traffic TCP (group 19) (emerging-botcc.rules) 2404037 - ET DROP Known Bot C&C Server Traffic UDP (group 19) (emerging-botcc.rules) 2404038 - ET DROP Known Bot C&C Server Traffic TCP (group 20) (emerging-botcc.rules) 2404039 - ET DROP Known Bot C&C Server Traffic UDP (group 20) (emerging-botcc.rules) 2404040 - ET DROP Known Bot C&C Server Traffic TCP (group 21) (emerging-botcc.rules) 2404041 - ET DROP Known Bot C&C Server Traffic UDP (group 21) (emerging-botcc.rules) 2404042 - ET DROP Known Bot C&C Server Traffic TCP (group 22) (emerging-botcc.rules) 2404043 - ET DROP Known Bot C&C Server Traffic UDP (group 22) (emerging-botcc.rules) 2404044 - ET DROP Known Bot C&C Server Traffic TCP (group 23) (emerging-botcc.rules) 2404045 - ET DROP Known Bot C&C Server Traffic UDP (group 23) (emerging-botcc.rules) 2404046 - ET DROP Known Bot C&C Server Traffic TCP (group 24) (emerging-botcc.rules) 2404047 - ET DROP Known Bot C&C Server Traffic UDP (group 24) (emerging-botcc.rules) 2404048 - ET DROP Known Bot C&C Server Traffic TCP (group 25) (emerging-botcc.rules) 2404049 - ET DROP Known Bot C&C Server Traffic UDP (group 25) (emerging-botcc.rules) 2404050 - ET DROP Known Bot C&C Server Traffic TCP (group 26) (emerging-botcc.rules) 2404051 - ET DROP Known Bot C&C Server Traffic UDP (group 26) (emerging-botcc.rules) 2404052 - ET DROP Known Bot C&C Server Traffic TCP (group 27) (emerging-botcc.rules) 2404053 - ET DROP Known Bot C&C Server Traffic UDP (group 27) (emerging-botcc.rules) 2404054 - ET DROP Known Bot C&C Server Traffic TCP (group 28) 
(emerging-botcc.rules) 2404055 - ET DROP Known Bot C&C Server Traffic UDP (group 28) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic UDP (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic TCP (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic UDP (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic TCP (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic UDP (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic TCP (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic UDP (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic TCP (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic UDP (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic TCP (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 - ET DROP Known Bot C&C Traffic UDP (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic TCP (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic UDP (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic TCP (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic UDP (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic TCP (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic UDP (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic TCP (group 10) - BLOCKING SOURCE 
(emerging-botcc-BLOCK.rules) 2405019 - ET DROP Known Bot C&C Traffic UDP (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405020 - ET DROP Known Bot C&C Traffic TCP (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405021 - ET DROP Known Bot C&C Traffic UDP (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405022 - ET DROP Known Bot C&C Traffic TCP (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405023 - ET DROP Known Bot C&C Traffic UDP (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405024 - ET DROP Known Bot C&C Traffic TCP (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405025 - ET DROP Known Bot C&C Traffic UDP (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405026 - ET DROP Known Bot C&C Traffic TCP (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405027 - ET DROP Known Bot C&C Traffic UDP (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405028 - ET DROP Known Bot C&C Traffic TCP (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405029 - ET DROP Known Bot C&C Traffic UDP (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405030 - ET DROP Known Bot C&C Traffic TCP (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405031 - ET DROP Known Bot C&C Traffic UDP (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405032 - ET DROP Known Bot C&C Traffic TCP (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405033 - ET DROP Known Bot C&C Traffic UDP (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405034 - ET DROP Known Bot C&C Traffic TCP (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405035 - ET DROP Known Bot C&C Traffic UDP (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405036 - ET DROP Known Bot C&C Traffic TCP (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405037 - ET DROP Known Bot C&C Traffic UDP (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405038 - ET DROP Known Bot C&C 
Traffic TCP (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405039 - ET DROP Known Bot C&C Traffic UDP (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405040 - ET DROP Known Bot C&C Traffic TCP (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405041 - ET DROP Known Bot C&C Traffic UDP (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405042 - ET DROP Known Bot C&C Traffic TCP (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405043 - ET DROP Known Bot C&C Traffic UDP (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405044 - ET DROP Known Bot C&C Traffic TCP (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405045 - ET DROP Known Bot C&C Traffic UDP (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405046 - ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405047 - ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405048 - ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405049 - ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405050 - ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405051 - ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405052 - ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405053 - ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405054 - ET DROP Known Bot C&C Traffic TCP (group 28) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405055 - ET DROP Known Bot C&C Traffic UDP (group 28) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) [---] Removed rules: [---] 2008337 - ET TROJAN Win32.Small.dvs or Related DDOS Checkin (emerging-virus.rules) 2009707 - WEB_SPECIFIC Possible XOOPS Viewpmesg.php Cross Site Scripting Attack 
(emerging-web_specific_apps.rules) 2009708 - WEB_SPECIFIC Possible XOOPS User.php Cross Site Scripting Attack (emerging-web_specific_apps.rules) 2009763 - ET WEB_CLIENT ACTIVEX EDraw PDF Viewer ActiveX Control Remote code execution (emerging-web_client.rules) 2009786 - ET WEB_SPECIFIC_APPS Bitweaver boards_rss.php version Parameter Directory Traversal (emerging-web_specific_apps.rules) 2010671 - ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-current_events.rules (1): #we should remove this in a month or so, april 2010 or so -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1807 # Generated 2010-02-06 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1807 # Generated 2010-02-06 00:03:02 EDT -> Added to emerging-exploit.rules (1): #by kevin ross -> Added to emerging-policy.rules (2): #by Markus Manzke # HTTP-TRACE Request -> Added to emerging-sid-msg.map (42): 2008324 || ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008324 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2008325 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008325 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010071 || ET TROJAN Hiloti/Mufanom Infection Checkin || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A 2010381 || ET TROJAN Syrutrk/Gibon/Bredolab Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010381 || url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865 || url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2010458 2010743 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010745 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010745 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010746 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010746 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010747 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010747 || url,osvdb.org/47794 || 
url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010748 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010748 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010749 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010749 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010750 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010750 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010751 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010751 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010752 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010752 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010753 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010753 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010754 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010754 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010755 || ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_DB2 || url,doc.emergingthreats.net/2010755 || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || url,www.securityfocus.com/bid/38018 2010756 || ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Sasfis || url,doc.emergingthreats.net/2010756 || url,www.fortiguard.com/analysis/sasfisanalysis.html 2010757 || ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC || url,doc.emergingthreats.net/2010757 2010758 || ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC || url,doc.emergingthreats.net/2010758 || url,www.securityfocus.com/bid/37832/info 2010759 || ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Xerox || url,doc.emergingthreats.net/2010759 || url,www.securityfocus.com/bid/38010 2010760 || ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Gracenote || url,doc.emergingthreats.net/2010760 || 
url,www.securityfocus.com/bid/37834 2010761 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010761 || url,www.securityfocus.com/bid/37843 2010762 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010762 || url,www.securityfocus.com/bid/37843 2010763 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010763 || url,www.securityfocus.com/bid/37843 2010764 || ET TROJAN Oficla Checkin (2) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010766 || ET POLICY Proxy TRACE Request - inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010767 || ET POLICY TRACE Request - outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || cve,2010-0255 || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag 2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation 
Cross Site Scripting Attempt || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727 2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org 2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2500844 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500845 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510844 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510845 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (42): 2008324 || ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008324 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2008325 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008325 || 
url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010071 || ET TROJAN Hiloti/Mufanom Infection Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A 2010381 || ET TROJAN Syrutrk/Gibon/Bredolab Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010381 || url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865 || url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2010458 2010743 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010745 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010745 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010746 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010746 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || 
url,www.kb.cert.org/vuls/id/914785 2010747 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010747 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010748 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010748 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010749 || ET WEB_SPECIFIC_APPS SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Softartisans || url,doc.emergingthreats.net/2010749 || url,osvdb.org/47794 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,www.kb.cert.org/vuls/id/914785 2010750 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010750 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010751 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010751 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010752 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010752 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010753 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010753 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010754 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010754 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || bugtraq,37146 2010755 || ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_DB2 || url,doc.emergingthreats.net/2010755 || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || url,www.securityfocus.com/bid/38018 2010756 || ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Sasfis || url,doc.emergingthreats.net/2010756 || url,www.fortiguard.com/analysis/sasfisanalysis.html 2010757 || ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC || url,doc.emergingthreats.net/2010757 2010758 || ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_VLC || url,doc.emergingthreats.net/2010758 || url,www.securityfocus.com/bid/37832/info 2010759 || ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Xerox || 
url,doc.emergingthreats.net/2010759 || url,www.securityfocus.com/bid/38010 2010760 || ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Gracenote || url,doc.emergingthreats.net/2010760 || url,www.securityfocus.com/bid/37834 2010761 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010761 || url,www.securityfocus.com/bid/37843 2010762 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010762 || url,www.securityfocus.com/bid/37843 2010763 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010763 || url,www.securityfocus.com/bid/37843 2010764 || ET TROJAN Oficla Checkin (2) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010766 || ET POLICY Proxy TRACE Request - inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010767 || ET POLICY TRACE Request - outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 2010769 || ET CURRENT_EVENTS 
Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || cve,2010-0255 || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag 2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727 2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org 2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2500844 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500845 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510844 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510845 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-user_agents.rules (2): #by markus manzke # Proxy-Scanner - 2 -> Added to emerging-virus.rules (2): #by evilghost and darren spruell and mike cox and crew #updates by darren spruell [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1800 # Generated 2010-01-30 00:03:02 EDT -> Removed from emerging-drop.rules 
(2): # VERSION 1800 # Generated 2010-01-30 00:03:02 EDT -> Removed from emerging-sid-msg.map (12): 2008324 || ET TROJAN Socks/Sality manda.php Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008324 2008325 || ET TROJAN Socks/Sality HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008325 2008337 || ET TROJAN Win32.Small.dvs or Related DDOS Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Small.dvs || url,doc.emergingthreats.net/2008337 2009707 || WEB_SPECIFIC Possible XOOPS Viewpmesg.php Cross Site Scripting Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/XOOPS || url,doc.emergingthreats.net/2009707 || url,securitytracker.com/alerts/2009/Jul/1022641.html 2009708 || WEB_SPECIFIC Possible XOOPS User.php Cross Site Scripting Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/XOOPS || url,doc.emergingthreats.net/2009708 || url,securitytracker.com/alerts/2009/Jul/1022641.html 2009763 || ET WEB_CLIENT ACTIVEX EDraw PDF Viewer ActiveX Control Remote code execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EDraw || url,doc.emergingthreats.net/2009763 || url,archives.neohapsis.com/archives/fulldisclosure/2009-06/0198.html || url,secunia.com/advisories/35509/ 2009786 || ET WEB_SPECIFIC_APPS Bitweaver boards_rss.php version Parameter Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bitweaver || url,doc.emergingthreats.net/2009786 || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/ 2010071 || ET TROJAN Bredolab Infection - checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 2010381 || ET TROJAN Bredolab Checkin || 
url,doc.emergingthreats.net/2010381 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2010458 2010671 || ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010671 || url,www.securityfocus.com/bid/37802/info 2010743 || ET TROJAN Oficla Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla || url,doc.emergingthreats.net/2010743 || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c -> Removed from emerging-sid-msg.map.txt (12): 2008324 || ET TROJAN Socks/Sality manda.php Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008324 2008325 || ET TROJAN Socks/Sality HTTP Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2008325 2008337 || ET TROJAN Win32.Small.dvs or Related DDOS Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Small.dvs || url,doc.emergingthreats.net/2008337 2009707 || WEB_SPECIFIC Possible XOOPS Viewpmesg.php Cross Site Scripting Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/XOOPS || url,doc.emergingthreats.net/2009707 || url,securitytracker.com/alerts/2009/Jul/1022641.html 2009708 || WEB_SPECIFIC Possible XOOPS User.php Cross Site Scripting Attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/XOOPS || url,doc.emergingthreats.net/2009708 || url,securitytracker.com/alerts/2009/Jul/1022641.html 2009763 || ET WEB_CLIENT ACTIVEX EDraw PDF Viewer ActiveX 
Control Remote code execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_EDraw || url,doc.emergingthreats.net/2009763 || url,archives.neohapsis.com/archives/fulldisclosure/2009-06/0198.html || url,secunia.com/advisories/35509/ 2009786 || ET WEB_SPECIFIC_APPS Bitweaver boards_rss.php version Parameter Directory Traversal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bitweaver || url,doc.emergingthreats.net/2009786 || url,milw0rm.com/exploits/8659 || url,vupen.com/english/advisories/2009/1285 || url,secunia.com/advisories/35057/ 2010071 || ET TROJAN Bredolab Infection - checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 2010381 || ET TROJAN Bredolab Checkin || url,doc.emergingthreats.net/2010381 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General || url,doc.emergingthreats.net/2010458 2010671 || ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Zenoss || url,doc.emergingthreats.net/2010671 || url,www.securityfocus.com/bid/37802/info 2010743 || ET TROJAN Oficla Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla || url,doc.emergingthreats.net/2010743 || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c -> Removed from emerging-virus.rules (1): #by evilghost and darren spruell From frank at knobbe.us Sun Feb 7 18:43:15 2010 From: frank at knobbe.us (Frank Knobbe) Date: Sun, 07 Feb 2010 17:43:15 -0600 Subject: [Emerging-Sigs] Fake AV download URI access In-Reply-To: <4B69EC1D.5070205@jonkmans.com> References: 
<6116b9e20912220854p4c0e14c9sada81d329d88f806@mail.gmail.com> <4B316BC7.8020407@jonkmans.com> <1261604393.34379.36.camel@localhost> <6116b9e20912231407y55bf8ba9l72db28b2d148a75a@mail.gmail.com> <1261606352.34379.74.camel@localhost> <839aec701002021017n36e209f5pa8d45a9f9b0cac59@mail.gmail.com> <4B69EC1D.5070205@jonkmans.com>
Message-ID: <1265586195.25409.47.camel@localhost>

On Wed, 2010-02-03 at 16:35 -0500, Matt Jonkman wrote:
> I agree. I don't think we have a good set of classifications for that in
> the current config. It'd be nice to have more detail on malware.
>
> Maybe we should propose a few new categories?
>
> Possibly add:
> infected-host
> malware-download
> exploit-download

I think malware-download and exploit-download are a bit redundant. infected-host is the same as trojan-activity. I'd rather add something like possibly-trojan-activity to differentiate from trojan-activity (or you-can-be-damn-sure-its-trojan-activity). Maybe that's what you meant with malware-download, but it's not an indication that it's malware either. It's malware when it's confirmed :)

-Frank
From frank at knobbe.us Sun Feb 7 18:46:27 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Sun, 07 Feb 2010 17:46:27 -0600
Subject: [Emerging-Sigs] 2 Policy-Sigs and 2 Sigs for Open-Proxy Scanners
In-Reply-To: <4B6AF4F7.1020407@jonkmans.com>
References: <4B6AEAC3.4010809@mare-system.de> <4B6AF4F7.1020407@jonkmans.com>
Message-ID: <1265586387.25409.48.camel@localhost>

On Thu, 2010-02-04 at 11:25 -0500, Matt Jonkman wrote:
> > # Proxy-Scanner - 2
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) "; flow:established,to_server; content:"|0d 0a|User-Agent|3a| webcollage/1.135a"; nocase; classtype:bad-unknown; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; sid:11220062; rev:1;)

Wow.. I thought we had this already :)

May I suggest dropping the 1.135a? Or are you going to update the sig on every version increase of the scannerbot? :)

-Frank
From frank at knobbe.us Sun Feb 7 19:00:12 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Sun, 07 Feb 2010 18:00:12 -0600
Subject: [Emerging-Sigs] 2 Policy-Sigs and 2 Sigs for Open-Proxy Scanners
In-Reply-To: <4B6AF4F7.1020407@jonkmans.com>
References: <4B6AEAC3.4010809@mare-system.de> <4B6AF4F7.1020407@jonkmans.com>
Message-ID: <1265587212.25409.50.camel@localhost>

On Thu, 2010-02-04 at 11:25 -0500, Matt Jonkman wrote:
> > # Proxy-Scanner - 1
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Open-Proxy ScannerBot (proxyjudge) "; flow:established,to_server; content:"GET http\://proxyjudge1.proxyfire.net/fastenv"; depth:46; classtype:bad-unknown; sid:11220061; rev:1;)
>
> This is just one of thousands of proxy judges. Is there something
> special about this one?

I don't see anything special. I also don't think we need a sig for every damn scanner out there (wantsfly, etc), when the existing Policy sig catches all of them quite nicely.

-Frank
From mail at mare-system.de Mon Feb 8 03:03:51 2010
From: mail at mare-system.de (mex)
Date: Mon, 08 Feb 2010 09:03:51 +0100
Subject: [Emerging-Sigs] 2 Policy-Sigs and 2 Sigs for Open-Proxy Scanners
In-Reply-To: <1265586387.25409.48.camel@localhost>
References: <4B6AEAC3.4010809@mare-system.de> <4B6AF4F7.1020407@jonkmans.com> <1265586387.25409.48.camel@localhost>
Message-ID: <4B6FC567.7010305@mare-system.de>

While webcollage seems to be a legit UA
http://www.useragentstring.com/pages/webcollage/
webcollage/1.135a is not:
http://www.botsvsbrowsers.com/details/214715/index.html

mex

>
> May I suggest dropping the 1.135a? Or are you going to update the sig on
> every version increase of the scannerbot? :)
>
> -Frank
>

From mail at mare-system.de Mon Feb 8 03:07:22 2010
From: mail at mare-system.de (mex)
Date: Mon, 08 Feb 2010 09:07:22 +0100
Subject: [Emerging-Sigs] [Fwd: Re: [Snort-devel] Bug in 2.8.4.1?]
Message-ID: <4B6FC63A.2090204@mare-system.de>

I didn't know that, so maybe this might be interesting for someone on the list, since this (bug|feature) might lead to non-working sensors, while testing was fine.

-------- Original Message --------
Subject: Re: [Snort-devel] Bug in 2.8.4.1?
Date: Fri, 05 Feb 2010 15:03:03 -0500
From: Steven Sturges
To: mex
CC: snort-devel at lists.sourceforge.net
References: <4B6C5E88.4060108 at mare-system.de>

While this is a subtle syntax error, the reason it is not specifically noted with the -T is a conscious one. When reading a conf and parsing with -T, Snort allows rules to not have SIDs specified, to check the validity of the rule's detection options (contents, byte_test, pcre, etc).
That requirement is enforced when the -T is not present with more recent versions of Snort that require all rules to have a unique SID. Earlier versions allow this. To maintain backwards compatibility with 'Test Mode', Snort allows this with the -T, but generates a run-time error without it.

Cheers.
-steve

mex wrote:
> hi,
>
> i was playing around with snort 2.8.4.1 and
> discovered (probably) a bug:
>
> when misspelling a rule like the following
> (watch the missing ; after the reference)
>
> alert .... ( ... reference,url:www.some.url sid:12345678;)
>
> the command snort -T -c /etc/snort/snort.conf did not
> show any errors, while starting snort via init-script
> (that calls /usr/sbin/snort -D -c /etc/snort/snort.conf)
> led to a non-starting snort, due to this error.
>
>
> mex

From jason.weir at nhrs.org Mon Feb 8 06:00:52 2010
From: jason.weir at nhrs.org (jason.weir@nhrs.org)
Date: 8 Feb 2010 06:00:52 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
Message-ID:

MalewareURL.com Data Contains 96690 Entries - Here are the top 30 (28410)

#   Signature URI                          Count  Description
----------------------------------------------------------------------------------------
1   2010716   wywg/chd/slkopwt.exe           947  trojan onlinegames
2   2010716   wywg/cqwz/sqkiwg.exe           947  trojan onlinegames
3   2010716   wywg/mxd/mioslwer.exe          947  trojan onlinegames
4   2010716   wywg/my/myxyjgj.exe            947  trojan onlinegames
5   2010716   wywg/mssj/constant.exe         947  trojan onlinegames
6   2010716   wywg/chd/lpspwt67.exe          947  trojan onlinegames
7   2010716   wywg/txer/sitoswd.exe          947  trojan onlinegames
8   2010716   wywg/dxcys/ordinary.exe        947  trojan onlinegames
9   2010716   wywg/txer/downower.exe         947  trojan onlinegames
10  2010716   wywg/dh2/barley.exe            947  trojan onlinegames
11  2010716   wywg/wmgj/p9pj21.exe           947  trojan onlinegames
12  2010716   wywg/mssj/stress.exe           947  trojan onlinegames
13  2010716   wywg/jxqy3/jxkdk.exe           947  trojan onlinegames
14  2010716   wywg/wlwz/ffwg1022.exe         947  trojan onlinegames
15  2010716   wywg/cqwz/mfwgsw.exe           947  trojan onlinegames
16  2010716   wywg/mssj/brittle.exe          947  trojan onlinegames
17  2010716   wywg/rxcq/permin.exe           947  trojan onlinegames
18  2010716   wywg/dxcys/Wilhelm.exe         947  trojan onlinegames
19  2010716   wywg/rxcq/market.exe           947  trojan onlinegames
20  2010716   wywg/zx/zwwghg.exe             947  trojan onlinegames
21  2010716   wywg/mxd/kpske3.exe            947  trojan onlinegames
22  2010716   wywg/chd/opaslf.exe            947  trojan onlinegames
23  2010716   wywg/yhzt/yhztzxieiai.exe      947  trojan onlinegames
24  2010716   wywg/dxcys/peasant.exe         947  trojan onlinegames
25  2010716   wywg/rxcq/geoloal.exe          947  trojan onlinegames
26  2010716   wywg/wmgj/wmdtgjg.exe          947  trojan onlinegames
27  2010716   wywg/hx2/handfu.exe            947  trojan onlinegames
28  2010716   wywg/qqhx/abdomen.exe          947  trojan onlinegames
29  2010716   wywg/cqsj/allowed.exe          947  trojan onlinegames
30  2010716   wywg/zx/dtgjwi2.exe            947  trojan onlinegames

From evilghost at packetmail.net Mon Feb 8 09:02:18 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 8 Feb 2010 08:02:18 -0600
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To:
References:
Message-ID: <4B70196A.4020404@packetmail.net>

Jason, would it be possible to show the top 30 entries that we do not have a signature for? Even though count may be low it still may be worthwhile to craft or look at crafting a signature. Thoughts?
-evilghost

jason.weir at nhrs.org wrote:
> MalewareURL.com Data Contains 96690 Entries - Here are the top 30 (28410)
> [...]
From jason.weir at nhrs.org Mon Feb 8 09:11:46 2010
From: jason.weir at nhrs.org (Weir, Jason)
Date: Mon, 8 Feb 2010 09:11:46 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <4B70196A.4020404@packetmail.net>
Message-ID:

Gimme a few - I'll send the top 75.

-J

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of evilghost at packetmail.net
Sent: Monday, February 08, 2010 9:02 AM
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Malwareurl.com Top 30 Update

Jason, would it be possible to show the top 30 entries that we do not have a signature for? Even though count may be low it still may be worthwhile to craft or look at crafting a signature. Thoughts?
-evilghost

jason.weir at nhrs.org wrote:
> MalewareURL.com Data Contains 96690 Entries - Here are the top 30 (28410)
> [...]
_____________________________________________________________________________________________ Please visit www.nhrs.org to subscribe to NHRS email announcements and updates. From jason.weir at nhrs.org Mon Feb 8 09:13:39 2010 From: jason.weir at nhrs.org (jason.weir@nhrs.org) Date: 8 Feb 2010 09:13:39 -0500 Subject: [Emerging-Sigs] Malwareurl.com Top 75 Update Message-ID: MalewareURL.com Data Contains 96690 Entries - Here are the top 75 (42034) # Signature URI Count Description ---------------------------------------------------------------------------------------- 1 2010716 wywg/chd/slkopwt.exe 947 trojan onlinegames 2 2010716 wywg/cqwz/sqkiwg.exe 947 trojan onlinegames 3 2010716 wywg/mxd/mioslwer.exe 947 trojan onlinegames 4 2010716 wywg/my/myxyjgj.exe 947 trojan onlinegames 5 2010716 wywg/mssj/constant.exe 947 trojan onlinegames 6 2010716 wywg/chd/lpspwt67.exe 947 trojan onlinegames 7 2010716 wywg/txer/sitoswd.exe 947 trojan onlinegames 8 2010716 wywg/dxcys/ordinary.exe 947 trojan onlinegames 9 2010716 wywg/txer/downower.exe 947 trojan onlinegames 10 2010716 wywg/dh2/barley.exe 947 trojan onlinegames 11 2010716 wywg/wmgj/p9pj21.exe 947 trojan onlinegames 12 2010716 wywg/mssj/stress.exe 947 trojan onlinegames 13 2010716 wywg/jxqy3/jxkdk.exe 947 trojan onlinegames 14 2010716 wywg/wlwz/ffwg1022.exe 947 trojan onlinegames 15 2010716 wywg/cqwz/mfwgsw.exe 947 trojan onlinegames 16 2010716 wywg/mssj/brittle.exe 947 trojan onlinegames 17 2010716 wywg/rxcq/permin.exe 947 trojan onlinegames 18 2010716 wywg/dxcys/Wilhelm.exe 947 trojan onlinegames 19 2010716 wywg/rxcq/market.exe 947 trojan onlinegames 20 2010716 wywg/zx/zwwghg.exe 947 trojan onlinegames 21 2010716 wywg/mxd/kpske3.exe 947 trojan onlinegames 22 2010716 wywg/chd/opaslf.exe 947 trojan onlinegames 23 2010716 wywg/yhzt/yhztzxieiai.exe 947 trojan onlinegames 24 2010716 wywg/dxcys/peasant.exe 947 trojan onlinegames 25 2010716 wywg/rxcq/geoloal.exe 947 trojan onlinegames 26 2010716 wywg/wmgj/wmdtgjg.exe 947 trojan 
onlinegames 27 2010716 wywg/hx2/handfu.exe 947 trojan onlinegames 28 2010716 wywg/qqhx/abdomen.exe 947 trojan onlinegames 29 2010716 wywg/cqsj/allowed.exe 947 trojan onlinegames 30 2010716 wywg/zx/dtgjwi2.exe 947 trojan onlinegames 31 2010716 wywg/wlwz/wlmzjsg.exe 947 trojan onlinegames 32 none cache/readme.pdf 941 exploits / redirects to exploits 33 none index.php 919 exploits / redirects to exploits 34 2010685 download/Setup_2005.exe 903 fast flux rogue antivirus 35 2010222 ts/in.cgi?pepsi18 895 exploits / redirects to exploits 36 none o.js 744 redirects to rogue antivirus 37 none index.php 612 exploits 38 2010465 download/install.php 584 rogue antivirus 39 none downloader.php 421 fraudtool roguesecurity 40 2010465 download/install.php 409 rogue antivirus downloader / internetantiviruspro 41 none downloader.php 376 fraudtool.win32.roguesecurity 42 none get.php 280 trojan privacycenter 43 none cache/flash.swf 276 exploits / redirects to exploits 44 none in6.php 274 leads to brebolab exploits 45 none load.php 257 exploits / trojan 46 none download.php 246 rogue antivirus 47 2010440 flash-HQ-plugin.40000.exe 245 fast flux trojan 48 none cache/readme.pdf 227 exploits / trojan 49 none img/index.html 225 redirects to trojan 50 2010685 download/Setup_2005.exe 223 fast flux rogue antivirus (personalsecurity) 51 none cgi-bin/dep/z002106201r0409R8b7f9ba1Xdab766a6Y91e4f74eZ0100f08030dP000301080 217 trojan tdss 52 none cache/flash.swf 207 exploits / trojan 53 none downloader.php 187 trojan winwebsec 54 2010050 download/Antivirus_21.exe 165 rogue antivirus / personal antivirus - fakexpa 55 2010684 download/IAInstall.exe 155 rogue antivirus downloader / internetantiviruspro 56 2010452 installer.1.exe 148 rogue antivirus downloader / fakeplus 57 none e/stat.php 143 eleonore exploit pack / trojan zbot 58 2010221 3/installer/Installer.exe 139 trojan fakerean 59 2010221 1/installer/Installer.exe 139 trojan fakerean 60 2010221 2/installer/Installer.exe 139 trojan fakerean 61 none 
ssp/js/common.js 138 exploit kit / trojan oficla 62 2010532 ssp/files/annonce.pdf 138 exploit kit / trojan oficla 63 2010533 ssp/files/sdfg.jar 138 exploit kit / trojan oficla 64 none ssp/admin.php 138 exploit kit / trojan oficla 65 none ssp/load.exe 138 exploit kit / trojan oficla 66 none ssp/index.php 138 exploit kit / trojan oficla 67 2010534 ssp/loadjavad.php 138 exploit kit / trojan oficla 68 2010464 download.php?id=2013 134 fast flux rogue antivirus 69 none e/index.php 129 eleonore exploit pack / trojan zbot 70 none e/load.php?spl=mdac 129 eleonore exploit pack / trojan zbot 71 none e/pdf.php 128 eleonore exploit pack / trojan zbot 72 none admin.php 126 exploit kit 73 none download.php?id=2012 126 fast flux rogue antivirus 74 none js.php 125 exploit kit 75 2010453 installer_1.exe 118 rogue antivirus downloader / fakeplus From jonkman at jonkmans.com Mon Feb 8 09:41:41 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 08 Feb 2010 09:41:41 -0500 Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Feb 05th, 2010 In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2950@webmail.latis.com> References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2950@webmail.latis.com> Message-ID: <4B7022A5.3040406@jonkmans.com> Posted! Thanks as always! Matt On 2/5/10 5:07 AM, signatures wrote: > Hi Matt, > > > > Please find 10 New Signatures below: > > > > 1. 
> *WEB-PHP asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_messages.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9939; rev:1;)
>
> 2. *WEB-PHP asaher pro view_blog_comments.php Remote File Inclusion Attempt*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro view_blog_comments.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_blog_comments.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9940; rev:1;)
>
> 3. *WEB-PHP asaher pro view_blog_archives.php Remote File Inclusion Attempt*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro view_blog_archives.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_blog_archives.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9941; rev:1;)
>
> 4. *WEB-PHP asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/add_comments.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9942; rev:1;)
>
> 5. *WEB-PHP asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/downloads.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9943; rev:1;)
>
> 6. *WEB-PHP asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/emailsender.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9944; rev:1;)
>
> 7. *WEB-PHP asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/left_menu.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; sid:9945; rev:1;)
>
> 8. *WEB-ATTACKS HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1*
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1"; flow:established,to_client; content:"clsid"; nocase; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; distance:0; content:"ProgColor"; nocase; pcre:"/<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE/si"; classtype:attempted-user; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; sid:9701; rev:1;)
>
> 9. *WEB-ATTACKS HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2*
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2"; flow:established,to_client; content:"clsid"; nocase; content:"CDBD9968-7BF1-11D4-9D36-0001029DEBEB"; nocase; distance:0; content:"ProgColor"; nocase; pcre:"/<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CDBD9968-7BF1-11D4-9D36-0001029DEBEB/si"; classtype:attempted-user; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; sid:9702; rev:1;)
>
> 10. *WEB-PHP Joomla mediaslide component viewer.php path Local File Inclusion Attempt*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla mediaslide component viewer.php path Local File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/components/com_mediaslide/viewer.php?"; nocase; uricontent:"path="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:bugtraq,37440; sid:9902; rev:1;)
>
> Looking forward for your inputs, if any?
>
> Thanks & Regards,
> StillSecure
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff!
> Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Feb 8 09:46:10 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Feb 2010 09:46:10 -0500
Subject: [Emerging-Sigs] SIG: Updated version IE Dynamic Object Tag Information Disclosure CVE-2010-0255
Message-ID: <4B7023B2.9070007@jonkmans.com>

Committed to test, thanks Kevin!

Matt

On 2/4/10 8:48 AM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt"; flow:established,to_client; content:"file|3A|//127.0.0.1 "; nocase; content:"text/html"; nocase; within:100; classtype:attempted-user; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,www.microsoft.com/technet/security/advisory/980088.mspx; reference:cve,2010-0255; sid:1320001; rev:1;)
>
> OK, I have simplified the rule to the loopback access and the text/html rendering. I have changed the classtype to attempted-user and added a reference. I think this should be better. If you want, I have also updated the sig below, but I am unsure how exploit-specific that is; the top may be more reliable.
>
> Regards, Kev
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt"; flow:established,to_client; content:"document.createElement"; nocase; content:"file|3A|//127.0.0.1 "; nocase; within:100; content:"text/html"; nocase; distance:0; content:"document.body.appendChild"; nocase; classtype:attempted-user; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,www.microsoft.com/technet/security/advisory/980088.mspx; reference:cve,2010-0255; sid:1320001; rev:1;)

From jonkman at jonkmans.com Mon Feb 8 09:53:35 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Feb 2010 09:53:35 -0500
Subject: [Emerging-Sigs] Proposed Sec Tool download rules
References: <4B6AF283.8000706@jonkmans.com> <9255886c1002040936o5ee5933fmdc077fa0c1a3f853@mail.gmail.com> <4B6C2BCE.9050806@jonkmans.com> <20100205153603.GA67747@knobbe.us>
Message-ID: <4B70256F.8000306@jonkmans.com>

Sorry I didn't post those, Rich. Thought I had, but they are now.
Matt

On 2/5/10 12:27 PM, Rich Rumble wrote:
>> Wouldn't it be better to detect USE of the tool than merely access to its web site? Like the MetaSploit update sig or such. We should detect when tools are run, not when web sites are accessed. Snort isn't a web filter. If you want alerts on web sites, use BlueCoat or similar.
>
> I agree, these rules are better suited for a proxy blacklist than ET. I wrote a rule to detect the use of PwDump/FgDump, psexec, rctrlx and others... I sent these in, but they never got posted (2/9/09)? Nonetheless they are here now and I think the detection of their use is where time is better spent. We all know tools have legit purposes, like PsExec for instance, but it can be used for evil as well as good, so we monitor its use. These work for us, I'm sure they can be improved.
>
> #PsExec rule for lan
> alert tcp any any -> $HOME_NET 139:445 (msg:"POLICY PsExec service created"; flow:to_server,established; content:"|5c 00 50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; reference:url,xinn.org/Snort-psexec.html; classtype:suspicious-filename-detect; sid:999990; rev:1;)
>
> #RctrlX rule
> alert tcp any any -> $HOME_NET 139:445 (msg:"POLICY RemoteControlX, rctrlx service created"; flow:to_server,established; content:"|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html; classtype:suspicious-filename-detect; sid:999991; rev:1;)
>
> #GsecDump rule
> alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT GsecDump, GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; classtype:suspicious-filename-detect; sid:999992; rev:1;)
>
> -rich

From jonkman at jonkmans.com Mon Feb 8 10:01:08 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Feb 2010 10:01:08 -0500
Subject: [Emerging-Sigs] Propose Sigs: Facebook Chat
In-Reply-To: <9255886c1002050707n6627341cvefe1184e1e2f4258@mail.gmail.com>
References: <9255886c1002050707n6627341cvefe1184e1e2f4258@mail.gmail.com>
Message-ID: <4B702734.3020601@jonkmans.com>

Thanks Rodrigo. I'm surprised none of us has thought to do these up before. Posting them now, thanks!

Matt

On 2/5/10 10:07 AM, Rodrigo Montoro (Sp0oKeR) wrote:
> Just sniffed some traffic at facebook chat.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook Chat (send message)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ajax/chat/send.php"; content:"facebook.com"; sid:XXXX;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook Chat (buddy list)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ajax/chat/buddy_list.php"; content:"facebook.com"; sid:XXXX;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook Chat (settings)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ajax/chat/settings.php"; content:"facebook.com"; sid:XXXX;)
>
> Regards,

From evilghost at packetmail.net Mon Feb 8 10:15:33 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 8 Feb 2010 09:15:33 -0600
Subject: [Emerging-Sigs] Proposed Signature; Pipe-delimited Bot C&C
Message-ID: <4B702A95.5030101@packetmail.net>

Bot C&C response, unknown variant. Check-in parameters seem to vary, but the response seems consistent. Signatures derived using GNU curl; there may be some specific behaviors from infected clients not observed here. There is no trailing CRLF after the instruction, only 7c.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, download instruction"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; nocase; content:"|7c|"; within:150; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, empty command"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)

Examples:
http://analystics.cn/ds/knock.php?win=WinXP&id=BEBAE9D&lip=127.0.0.1&s5=34921
http://www.mybotnet.org/ddos/knock.php?win=WinXP&id=05091D2&lip=192.168.1.101&s5=4

ASCII snippets:
09:05:46.914780 IP 122.115.63.24.80 > a.b.c.d.47491: P 1:266(265) ack 223 win 6432
E..1.p@.".pNzs?.F.Y..P.....8-.B.P.. ....HTTP/1.1 200 OK
Date: Mon, 08 Feb 2010 15:05:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.9
Content-Length: 67
Connection: close
Content-Type: text/html; charset=Windows-1251

command|file|http://slil.ru/28588640/9a06acd.4b69f118/your_exe.exe|

09:07:01.256162 IP 122.115.63.24.80 > a.b.c.d.47493: P 1:206(205) ack 228 win 6432
E....l@.".n.zs?.F.Y..P..."..rO.LP.. ^~..HTTP/1.1 200 OK
Date: Mon, 08 Feb 2010 15:06:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.9
Content-Length: 8
Connection: close
Content-Type: text/html; charset=Windows-1251

command|

-evilghost

From phatbuckett at gmail.com Mon Feb 8 10:28:24 2010
From: phatbuckett at gmail.com (Darren Spruell)
Date: Mon, 8 Feb 2010 08:28:24 -0700
Subject: [Emerging-Sigs] Dupe on 2007743 and 2010545 (Nebuler)
Message-ID: <839aec701002080728r22809e3el79b97031507a2631@mail.gmail.com>

Both 2007743 and 2010545 are written to detect the Nebuler trojan.
I suggest dropping 2010545 as it's redundant and the pcre is too tight (misses observed requests).

Mod to 2007743:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; uricontent:".php?"; uricontent:"c="; uricontent:"&v="; uricontent:"&b="; uricontent:"&id="; uricontent:"&cnt="; uricontent:"&q="; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d; reference:url,doc.emergingthreats.net/2007743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2007743; rev:4;)

-- 
Darren Spruell
phatbuckett at gmail.com

From jonkman at jonkmans.com Mon Feb 8 10:37:34 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Feb 2010 10:37:34 -0500
Subject: [Emerging-Sigs] Dupe on 2007743 and 2010545 (Nebuler)
In-Reply-To: <839aec701002080728r22809e3el79b97031507a2631@mail.gmail.com>
References: <839aec701002080728r22809e3el79b97031507a2631@mail.gmail.com>
Message-ID: <4B702FBE.3080209@jonkmans.com>

Looks good on both, posting now. Thanks Darren!

Matt

On 2/8/10 10:28 AM, Darren Spruell wrote:
> Both 2007743 and 2010545 are written to detect the Nebuler trojan. I suggest dropping 2010545 as it's redundant and the pcre is too tight (misses observed requests).
>
> Mod to 2007743:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; uricontent:".php?"; uricontent:"c="; uricontent:"&v="; uricontent:"&b="; uricontent:"&id="; uricontent:"&cnt="; uricontent:"&q="; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d; reference:url,doc.emergingthreats.net/2007743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2007743; rev:4;)

From jonkman at jonkmans.com Mon Feb 8 10:42:32 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Feb 2010 10:42:32 -0500
Subject: [Emerging-Sigs] Proposed Signature; Pipe-delimited Bot C&C
In-Reply-To: <4B702A95.5030101@packetmail.net>
References: <4B702A95.5030101@packetmail.net>
Message-ID: <4B7030E8.9070705@jonkmans.com>

Posted, thanks evilghost!

Matt

On 2/8/10 10:15 AM, evilghost at packetmail.net wrote:
> Bot C&C response, unknown variant. Check-in parameters seem to vary, but the response seems consistent. Signatures derived using GNU curl; there may be some specific behaviors from infected clients not observed here. There is no trailing CRLF after the instruction, only 7c.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, download instruction"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; nocase; content:"|7c|"; within:150; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, empty command"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)
>
> Examples:
> http://analystics.cn/ds/knock.php?win=WinXP&id=BEBAE9D&lip=127.0.0.1&s5=34921
> http://www.mybotnet.org/ddos/knock.php?win=WinXP&id=05091D2&lip=192.168.1.101&s5=4
>
> ASCII snippets:
> 09:05:46.914780 IP 122.115.63.24.80 > a.b.c.d.47491: P 1:266(265) ack 223 win 6432
> E..1.p@.".pNzs?.F.Y..P.....8-.B.P.. ....HTTP/1.1 200 OK
> Date: Mon, 08 Feb 2010 15:05:10 GMT
> Server: Apache/2.2.3 (CentOS)
> X-Powered-By: PHP/5.2.9
> Content-Length: 67
> Connection: close
> Content-Type: text/html; charset=Windows-1251
>
> command|file|http://slil.ru/28588640/9a06acd.4b69f118/your_exe.exe|
>
> 09:07:01.256162 IP 122.115.63.24.80 > a.b.c.d.47493: P 1:206(205) ack 228 win 6432
> E....l@.".n.zs?.F.Y..P..."..rO.LP.. ^~..HTTP/1.1 200 OK
> Date: Mon, 08 Feb 2010 15:06:24 GMT
> Server: Apache/2.2.3 (CentOS)
> X-Powered-By: PHP/5.2.9
> Content-Length: 8
> Connection: close
> Content-Type: text/html; charset=Windows-1251
>
> command|
>
> -evilghost

From jonkman at jonkmans.com Mon Feb 8 10:43:39 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Feb 2010 10:43:39 -0500
Subject: [Emerging-Sigs] Good Article
Message-ID: <4B70312B.4030707@jonkmans.com>

http://sign.kaffenews.com/

Interesting article on signature writing.

Matt

From jonkman at jonkmans.com Mon Feb 8 10:46:19 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Feb 2010 10:46:19 -0500
Subject: [Emerging-Sigs] Help
In-Reply-To: <839aec701002041245x65d76ademe70b4a23aed2ebd7@mail.gmail.com>
References: <839aec701002041245x65d76ademe70b4a23aed2ebd7@mail.gmail.com>
Message-ID: <4B7031CB.2050609@jonkmans.com>

Ya, that works. That should be more reliable, thanks Darren!

Matt

On 2/4/10 3:45 PM, Darren Spruell wrote:
> Running into more misnamed detections due to this rule, thanks to Oficla downloaders distributing variants and popping up more frequently.
> Rule mod for review:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; sid:2010071; rev:3;)
>
> I added the pcre to tighten the matches and avoid FPs. I had a pcap ranging in length from 306-468 characters, so bumping down to 250 min sounds reasonable for outliers.
>
> DS
>
> On Fri, Jan 29, 2010 at 1:00 PM, Paul Schmehl wrote:
>> According to this page:
>> http://www.threatexpert.com/report.aspx?md5=e21b03355a2d11881f1035c9c52407e2
>>
>> This:
>> http://191507d91017.giselin.com/get.php?c=QPTUDBSV&d=26606B6739323E352E64636F317E3E3D21262224242C3062717D2729245F2D5B13641667121065136E1C1913196E1A1774040504000D73730F7F021D5F51485A327C75736224222A75786C243F3B2B3D6D647C6272213F34336..
>>
>> is a trojan downloader named Mufanom.dyk (Kaspersky), or Hiloti (Ikarus) or Multidropper (McAfee).
>>
>> We've been tracking multiple machines, Windows and Macs, and now an iPhone!, connecting to a single IP address (94.75.221.72), using multiple hostnames with a suspiciously malwarish pattern:
>>
>> 152807da0129.truminfi.com
>> 172807da0130.truminfi.com
>> 172807da0130.truminfi.com
>> 222807da0108.noteau.com
>> 212807da0108.burrova.com
>> 232807da0102.chrinius.com
>> 132907da013b.noteau.com
>> 162097da0103.noteau.com
>> 182907da0104.noteau.com
>> 192907da0118.burrova.com
>> 192907da011b.burrova.com
>> 192907da011b.chrinius.com
>>
>> All of these hosts trip the same alert:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - checkin"; flow:established,to_server; uricontent:"/get.php?"; nocase; uricontent:"c="; nocase; uricontent:"&d="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:2;)
>>
>> I have a pcap (and I'm still capturing) which I would be happy to provide for anyone who emails me privately. We've been taking these boxes off the net and formatting them. Now I find myself wondering, what the hell is this thing? If you go to the IP in your browser, it's a file upload site. If you do digs on all the hosts above **every one of them** resolves to this IP.
>>
>> What the heck is this????
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson

From eslerj at gmail.com Mon Feb 8 10:58:07 2010
From: eslerj at gmail.com (Joel Esler)
Date: Mon, 8 Feb 2010 10:58:07 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <4B70312B.4030707@jonkmans.com>
References: <4B70312B.4030707@jonkmans.com>

Snort shouldn't have signatures. It should have rules.

Signatures look for "x".

Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate.

Semantics, maybe, but that's what sets Snort's detection language away from the rest.

J

On Feb 8, 2010, at 10:43 AM, Matt Jonkman wrote:
> http://sign.kaffenews.com/
>
> Interesting article on signature writing.
>
> Matt
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff!
> Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
Joel Esler
302-223-5974

From shyaam at gmail.com Mon Feb 8 11:01:47 2010
From: shyaam at gmail.com (Shyaam)
Date: Mon, 8 Feb 2010 16:01:47 +0000
Subject: [Emerging-Sigs] Good Article
References: <4B70312B.4030707@jonkmans.com>

No matter what we try to find, the issue is not in the technique but the rate at which we change along with the bad guys. When the technology changes, we should change; when the bad guys change, we change, etc. If we go according to the flow, that is all that is required...

Shyaam

On Mon, Feb 8, 2010 at 3:58 PM, Joel Esler wrote:
> Snort shouldn't have signatures. It should have rules.
>
> Signatures look for "x".
>
> Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate.
>
> Semantics, maybe, but that's what sets Snort's detection language away from the rest.
>
> J
>
> On Feb 8, 2010, at 10:43 AM, Matt Jonkman wrote:
>> http://sign.kaffenews.com/
>>
>> Interesting article on signature writing.
>>
>> Matt

-- 
Thank you in advance for your time and consideration.

Kind Regards,
Shyaam Sundhar R.S.
www.EvilFingers.com
www.RootkitAnalytics.com
Certs: GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA, GCIH, CAS

From evilghost at packetmail.net Mon Feb 8 11:04:33 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 8 Feb 2010 10:04:33 -0600
Subject: [Emerging-Sigs] Good Article
References: <4B70312B.4030707@jonkmans.com>
Message-ID: <4B703611.9030507@packetmail.net>

For Joel:

curl -o - http://sign.kaffenews.com/|sed 's/signature/rule/gi' > pedantic.html && firefox pedantic.html

Verified working.

-evilghost

Joel Esler wrote:
> Snort shouldn't have signatures. It should have rules.
>
> Signatures look for "x".
>
> Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate.
>
> Semantics, maybe, but that's what sets Snort's detection language away from the rest.
>
> J
>
> On Feb 8, 2010, at 10:43 AM, Matt Jonkman wrote:
>> http://sign.kaffenews.com/
>>
>> Interesting article on signature writing.
>> >> Matt >> >> ---------------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Open Information Security Foundation (OISF) >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> http://www.openinfosecfoundation.org >> ---------------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards >> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >> > > -- > Joel Esler > 302-223-5974 > > > > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html > From eslerj at gmail.com Mon Feb 8 11:06:50 2010 From: eslerj at gmail.com (Joel Esler) Date: Mon, 8 Feb 2010 11:06:50 -0500 Subject: [Emerging-Sigs] Good Article In-Reply-To: <4B703611.9030507@packetmail.net> References: <4B70312B.4030707@jonkmans.com> <4B703611.9030507@packetmail.net> Message-ID: Excellent. Thanks. ;) J On Feb 8, 2010, at 11:04 AM, evilghost at packetmail.net wrote: > For Joel: > > curl -o - http://sign.kaffenews.com/|sed 's/signature/rule/gi' > > pedantic.html && firefox pedantic.html > > Verified working. > > -evilghost > > > Joel Esler wrote: >> Snort shouldn't have signatures. It should have rules. >> >> Signatures look for "x". >> >> Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate. >> >> Semantics, maybe, but that's what sets Snort's detection language away from the rest. 
>> >> J >> >> On Feb 8, 2010, at 10:43 AM, Matt Jonkman wrote: >> >> >>> http://sign.kaffenews.com/ >>> >>> Interesting article on signature writing. >>> >>> Matt >>> >>> ---------------------------------------------------- >>> Matthew Jonkman >>> Emerging Threats >>> Open Information Security Foundation (OISF) >>> Phone 765-429-0398 >>> Fax 312-264-0205 >>> http://www.emergingthreats.net >>> http://www.openinfosecfoundation.org >>> ---------------------------------------------------- >>> >>> PGP: http://www.jonkmans.com/mattjonkman.asc >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards >>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >>> >> >> -- >> Joel Esler >> 302-223-5974 >> >> >> >> >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards >> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >> > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html -- Joel Esler 302-223-5974 From jonkman at jonkmans.com Mon Feb 8 11:50:46 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 08 Feb 2010 11:50:46 -0500 Subject: [Emerging-Sigs] Proposed Mod: 2008411 "ET TROJAN LDPinch SMTP Password Report with mail client The Bat!" 
In-Reply-To: <75e469edf6c0951dffa28bd096aadca8@shadowserver.org> References: <75e469edf6c0951dffa28bd096aadca8@shadowserver.org> Message-ID: <4B7040E6.7030205@jonkmans.com> Looks good, with that x-mailer tag it should be quite unique. Posting now, thanks!! Matt On 2/2/10 8:08 PM, dn1nj4 wrote: > I am getting a bunch of hits on this sig that appear to be the result of > undeliverable/bounce messages. The attachment in question is the text of > the bounced messsage. Reccomend adding a filter for "|0d 0a|Subject: > Undeliverable:". > > alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN LDPinch SMTP > Password Report with mail client The Bat!"; flow:established,to_server; > content:"X-Mailer|3a| The Bat!"; content:"|0d 0a|Content-Disposition|3a| > attachment\;"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; > classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008411; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PWS-LDPinch; > sid:2008411; rev:4;) > > Thoughts? > > dn1nj4 > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > Support Emerging Threats! Get your ET Stuff! 
Tshirts, Coffee Mugs and Lanyards > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From phatbuckett at gmail.com Mon Feb 8 12:19:17 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Mon, 8 Feb 2010 10:19:17 -0700 Subject: [Emerging-Sigs] Proposed Signature; Pipe-delimited Bot C&C In-Reply-To: <4B702A95.5030101@packetmail.net> References: <4B702A95.5030101@packetmail.net> Message-ID: <839aec701002080919v7c3c49d1vae219ccf752713d5@mail.gmail.com> On Mon, Feb 8, 2010 at 8:15 AM, evilghost at packetmail.net wrote: > Bot C&C response, unknown variant. ?Check-in parameters seem to vary but > response seems consistent. ?Signatures derived using GNU curl, there may > be some specific behaviors from infected clients not observed here. > There is no trailing CRLF after the instruction, only 7c. 
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - > Bot C&C response, pipe-delimited, download instruction"; > flow:established,from_server; > content:"|0d 0a 0d 0a|command|7c|file|7c|http"; nocase; content:"|7c|"; > within:150; > classtype:trojan-activity; > reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; > sid:2010xxx; rev:1;) > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - > Bot C&C response, pipe-delimited, empty command"; > flow:established,from_server; > content:"|0d 0a 0d 0a|command|7c|"; nocase; > classtype:trojan-activity; > reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; > sid:2010xxx; rev:1;) > > Examples: > http://analystics.cn/ds/knock.php?win=WinXP&id=BEBAE9D&lip=127.0.0.1&s5=34921 > http://www.mybotnet.org/ddos/knock.php?win=WinXP&id=05091D2&lip=192.168.1.101&s5=4 Knocker/Knockbot. See 2008249. Maybe a rule update to "ET TROJAN Knockbot Proxy Response From Controller" to relate to the request? Also, the second rule above will also match on everything the first would. -- Darren Spruell phatbuckett at gmail.com From evilghost at packetmail.net Mon Feb 8 12:28:27 2010 From: evilghost at packetmail.net (evilghost@packetmail.net) Date: Mon, 8 Feb 2010 11:28:27 -0600 Subject: [Emerging-Sigs] SID 2007745 False Positives Message-ID: <4B7049BB.7000508@packetmail.net> I have some comments regarding SID 2007745, it seems to trip on the API call of GetProcAddress() followed by a 0x00. Why the pure hex and without there being any kind of depth or other values it seems to be this is going to false against every executable using the GetProcAddress() API call. This is a legitimate API call, http://allapi.mentalis.org/apilist/GetProcAddress.shtml Looks like Matt wrote this one. Thoughts/ideas on improvements? Is this still a threat? 
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Parite.B HTTP Download Detected"; flow:established,from_server; content:"|47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007745; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Parite; sid:2007745; rev:3;) -evilghost From evilghost at packetmail.net Mon Feb 8 12:35:46 2010 From: evilghost at packetmail.net (evilghost@packetmail.net) Date: Mon, 8 Feb 2010 11:35:46 -0600 Subject: [Emerging-Sigs] Proposed Signature; Pipe-delimited Bot CC In-Reply-To: <839aec701002080919v7c3c49d1vae219ccf752713d5@mail.gmail.com> References: <4B702A95.5030101@packetmail.net> <839aec701002080919v7c3c49d1vae219ccf752713d5@mail.gmail.com> Message-ID: <4B704B72.6090305@packetmail.net> I liked having the two even though there would be some redundancy in alerting because I could confidently block on "command|file|http" while inspecting the latter "command|" for false positive potential. Thanks for the identification Darren, I think we should update the nomenclature as well. -evilghost Darren Spruell wrote: > On Mon, Feb 8, 2010 at 8:15 AM, evilghost at packetmail.net > wrote: > >> Bot C&C response, unknown variant. Check-in parameters seem to vary but >> response seems consistent. Signatures derived using GNU curl, there may >> be some specific behaviors from infected clients not observed here. >> There is no trailing CRLF after the instruction, only 7c. 
>> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - >> Bot C&C response, pipe-delimited, download instruction"; >> flow:established,from_server; >> content:"|0d 0a 0d 0a|command|7c|file|7c|http"; nocase; content:"|7c|"; >> within:150; >> classtype:trojan-activity; >> reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; >> sid:2010xxx; rev:1;) >> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - >> Bot C&C response, pipe-delimited, empty command"; >> flow:established,from_server; >> content:"|0d 0a 0d 0a|command|7c|"; nocase; >> classtype:trojan-activity; >> reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; >> sid:2010xxx; rev:1;) >> >> Examples: >> http://analystics.cn/ds/knock.php?win=WinXP&id=BEBAE9D&lip=127.0.0.1&s5=34921 >> http://www.mybotnet.org/ddos/knock.php?win=WinXP&id=05091D2&lip=192.168.1.101&s5=4 >> > > Knocker/Knockbot. See 2008249. > > Maybe a rule update to "ET TROJAN Knockbot Proxy Response From > Controller" to relate to the request? > > Also, the second rule above will also match on everything the first would. > > From greencm at gmail.com Mon Feb 8 14:45:06 2010 From: greencm at gmail.com (Chris Green) Date: Mon, 8 Feb 2010 13:45:06 -0600 Subject: [Emerging-Sigs] Fake AV download URI access In-Reply-To: <1265586195.25409.47.camel@localhost> References: <6116b9e20912220854p4c0e14c9sada81d329d88f806@mail.gmail.com> <4B316BC7.8020407@jonkmans.com> <1261604393.34379.36.camel@localhost> <6116b9e20912231407y55bf8ba9l72db28b2d148a75a@mail.gmail.com> <1261606352.34379.74.camel@localhost> <839aec701002021017n36e209f5pa8d45a9f9b0cac59@mail.gmail.com> <4B69EC1D.5070205@jonkmans.com> <1265586195.25409.47.camel@localhost> Message-ID: On Sun, Feb 7, 2010 at 5:43 PM, Frank Knobbe wrote: > On Wed, 2010-02-03 at 16:35 -0500, Matt Jonkman wrote: > I think malware-download and exploit-download is a bit redundant. 
> infected-host is the same as trojan-activity Classifications: (Exploit Attack, Trojan Download, Trojan-Activity); Responses: (Potentially Block, Potentially Block/Potentially Investigate, Disconnect/Investigate) Part of this is I don't consider the encoded javascript on a website to be the trojan download but if you are visiting something then get Setup_100.exe, by golly I want to know about it. However, I really care more if there is something that got past AV and showed the activity. Perhaps there are good tools out there that let you filter by the classification but I've always found it easier to trust the msg: than the classification. In my workflow, they are generally used at policy creation time but not at review time. That's where all the Possible Fake AV Check-in type rules came from. If a checkin signifies a compromise, I'd like to see that stated clearly. -- Chris Green From emerging at emergingthreats.net Mon Feb 8 16:00:14 2010 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Mon, 8 Feb 2010 16:00:14 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20100208210014.0676545050@goliath.jonkmans.com> [***] Results from Oinkmaster started Mon Feb 8 16:00:13 2010 [***] [+++] Added rules: [+++] 2010771 - ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules) 2010772 - ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules) 2010773 - ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules) 2010774 - ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules) 2010775 - ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules) 
2010776 - ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010777 - ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010778 - ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1 (emerging-web_client.rules)
2010779 - ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2 (emerging-web_client.rules)
2010780 - ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt (emerging-web_specific_apps.rules)
2010781 - ET POLICY PsExec service created (emerging-policy.rules)
2010782 - ET POLICY RemoteControlX rctrlx service created (emerging-policy.rules)
2010783 - ET EXPLOIT GsecDump executed (emerging-exploit.rules)
2010784 - ET POLICY Facebook Chat (send message) (emerging-policy.rules)
2010785 - ET POLICY Facebook Chat (buddy list) (emerging-policy.rules)
2010786 - ET POLICY Facebook Chat (settings) (emerging-policy.rules)
2010787 - ET TROJAN Bot C&C response, pipe-delimited, download instruction (emerging-virus.rules)
2010788 - ET TROJAN Bot C&C response, pipe-delimited, empty command (emerging-virus.rules)

[///] Modified active rules: [///]

2007743 - ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin (emerging-virus.rules)
2008411 - ET TROJAN LDPinch SMTP Password Report with mail client The Bat! (emerging-virus.rules)
2010071 - ET TROJAN Hiloti/Mufanom Downloader Checkin (emerging-virus.rules)
2010743 - ET TROJAN Oficla Checkin (1) (emerging-virus.rules)
2010764 - ET TROJAN Oficla Checkin (2) (emerging-virus.rules)
2010765 - ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) (emerging-virus.rules)
2010766 - ET POLICY Proxy TRACE Request - inbound (emerging-policy.rules)
2010767 - ET POLICY TRACE Request - outbound (emerging-policy.rules)
2010768 - WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) (emerging-user_agents.rules)
2010770 - ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt (emerging-web_specific_apps.rules)

[---] Disabled and modified rules: [---]

2010769 - ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt (emerging-current_events.rules)

[---] Removed rules: [---]

2010545 - ET TROJAN Unknown Fake AV Checkin (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-exploit.rules (2):
#by rich rumble
#GsecDump rule

-> Added to emerging-policy.rules (4):
#by SpOoKeR
#by rich rumble
#PsExec for lan
#RctrlX

-> Added to emerging-sid-msg.map (92):
2007743 || ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2007743 || url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d || url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D || url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2
2010071 || ET TROJAN Hiloti/Mufanom Downloader Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A
2010743 || ET TROJAN Oficla Checkin (1) ||
url,doc.emergingthreats.net/2010772 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010773 || ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010773 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010774 || ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010774 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010775 || ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010775 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010776 || ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010776 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010777 || ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010777 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010778 || ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010778 || url,www.kb.cert.org/vuls/id/589097 || url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt || url,secunia.com/advisories/24692/ 2010779 || ET WEB_CLIENT HP Mercury 
Quality Center ActiveX ProgColor Buffer Overflow Attempt -2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010779 || url,www.kb.cert.org/vuls/id/589097 || url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt || url,secunia.com/advisories/24692/ 2010780 || ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010780 || bugtraq,37440 2010781 || ET POLICY PsExec service created || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SecTools || url,doc.emergingthreats.net/2010781 || url,xinn.org/Snort-psexec.html 2010782 || ET POLICY RemoteControlX rctrlx service created || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SecTools || url,doc.emergingthreats.net/2010782 || url,xinn.org/Snort-rctrlx.html 2010783 || ET EXPLOIT GsecDump executed || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Gsecdump || url,doc.emergingthreats.net/2010783 || url,xinn.org/Snort-gsecdump.html 2010784 || ET POLICY Facebook Chat (send message) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010784 2010785 || ET POLICY Facebook Chat (buddy list) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010785 2010786 || ET POLICY Facebook Chat (settings) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010786 2010787 || ET TROJAN Bot C&C response, pipe-delimited, download instruction || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Bot C&C response, pipe-delimited, empty command || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2500846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500859 
|| ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500870 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500871 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500872 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500873 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic UDP (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500874 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500875 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500876 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500877 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (428) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (434) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510870 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510871 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510872 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510873 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510874 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510875 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510876 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510877 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-virus.rules (1): #matt jonkman from sandnet data, updated by darren spruell -> Added to emerging-web_specific_apps.rules (1): #by strillsecure [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (15): 2007743 || ET TROJAN Dialer.qn HTTP Request - Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2007743 2010071 || ET 
TROJAN Hiloti/Mufanom Infection Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A 2010545 || ET TROJAN Unknown Fake AV Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010545 2010743 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010764 || ET TROJAN Oficla Checkin (2) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010766 || ET POLICY Proxy TRACE Request - inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010767 || ET POLICY TRACE Request - outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || cve,2010-0255 || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag 2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server 
Traffic UDP (group 29) || url,www.shadowserver.org 2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from emerging-sid-msg.map.txt (15): 2007743 || ET TROJAN Dialer.qn HTTP Request - Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2007743 2010071 || ET TROJAN Hiloti/Mufanom Infection Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A 2010545 || ET TROJAN Unknown Fake AV Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010545 2010743 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010764 || ET TROJAN Oficla Checkin (2) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010766 || ET POLICY Proxy TRACE Request - inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010767 || ET POLICY TRACE Request - outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || 
cve,2010-0255 || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag
2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727
2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org
2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org
2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org
2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org

-> Removed from emerging-virus.rules (1):
#matt jonkman from sandnet data

From phatbuckett at gmail.com Mon Feb 8 16:02:14 2010
From: phatbuckett at gmail.com (Darren Spruell)
Date: Mon, 8 Feb 2010 14:02:14 -0700
Subject: [Emerging-Sigs] SpyBye (infostealer) sig
Message-ID: <839aec701002081302j153a3a5fra7c18b5cdd221eb@mail.gmail.com>

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyBye Bot Checkin"; flow:established,to_server; uricontent:".php?guid="; nocase; uricontent:"&ver="; nocase; uricontent:"&stat="; nocase; uricontent:"&cpu="; nocase; uricontent:"&ccrc="; nocase; classtype:trojan-activity; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0; sid:9999990; rev:1;)

Background in references, but this is a new-"ish" infostealer/cybercrime kit akin to ZeuS.
Detection covers the following requests observed:

hxxp://www.vinodelam.net/spy/main/bt_version_checker.php?guid=USERNAME!COMPUTERNAME!00CD1A40&ver=10060&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=57&ccrc=72E2921A
hxxp://www.vinodelam.net/spy/main/bt_version_checker.php?guid=USERNAME!COMPUTERNAME!00CD1A40&ver=10060&stat=ONLINE&cpu=0&ccrc=72E2921A
hxxp://www.vinodelam.net/spy/main/bt_version_checker.php?guid=HANUELE%20BASER!HANS!1CD709E3&ver=10060&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=96&ccrc=72E2921A

Thx,
-- 
Darren Spruell
phatbuckett at gmail.com

From wkitty42 at windstream.net Mon Feb 8 22:11:31 2010
From: wkitty42 at windstream.net (waldo kitty)
Date: Mon, 08 Feb 2010 22:11:31 -0500
Subject: [Emerging-Sigs] observational problem...
Message-ID: <4B70D263.4050807@windstream.net>

some of my tools have had problems with sig 2010643's comma (IIRC) in the msg text... these tools are (generally) written in perl and the sigs they work with are not quote delimited... as such, the embedded quote in the msg field ("Source, ") is misinterpreted as an additional field... for now, i'm attempting, via oinkmaster (since it is one of the primary tools i use) to edit the rule and change the comma to a space-dash-space format...

my suggestion is that the msg fields of rules do not contain embedded commas (if we can)...

thanks for the consideration...

From jonkman at jonkmans.com Mon Feb 8 22:18:29 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Feb 2010 22:18:29 -0500
Subject: [Emerging-Sigs] observational problem...
In-Reply-To: <4B70D263.4050807@windstream.net>
References: <4B70D263.4050807@windstream.net>
Message-ID: <4B70D405.8050005@jonkmans.com>

Ya, that's reasonable. I'll do my best. I modified that sig and its sister sig.

Matt

On 2/8/10 10:11 PM, waldo kitty wrote:
>
> some of my tools have had problems with sig 2010643's comma (IIRC) in the msg
> text...
> these tools are (generally) written in perl and the sigs they work with
> are not quote delimited... as such, the embedded quote in the msg field
> ("Source, ") is misinterpreted as an additional field... for now, i'm
> attempting, via oinkmaster (since it is one of the primary tools i use) to edit
> the rule and change the comma to a space-dash-space format...
>
> my suggestion is that the msg fields of rules do not contain embedded commas (if
> we can)...
>
> thanks for the consideration...
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From wkitty42 at windstream.net Mon Feb 8 23:11:09 2010
From: wkitty42 at windstream.net (waldo kitty)
Date: Mon, 08 Feb 2010 23:11:09 -0500
Subject: [Emerging-Sigs] observational problem...
In-Reply-To: <4B70D405.8050005@jonkmans.com>
References: <4B70D263.4050807@windstream.net> <4B70D405.8050005@jonkmans.com>
Message-ID: <4B70E05D.4070905@windstream.net>

On 2/8/2010 22:18, Matt Jonkman wrote:
> Ya, that's reasonable. I'll do my best. I modified that sig and its
> sister sig.

ahhh... the sister sig hadn't hit over here (AFAICT) but it has taken me a week or two to realize what the actual problem is/was even with all of the error checking and such that i was forced to put in place...
i'm also going to be taking a look at my code and procedures to try to ensure that things are quote delimited and then to work from there... i don't know how well it will go, though... i'm using the basic perl "split" function to split the lines on commas... this is the first time that i've run into this problem, though...

anyone got any good method of handling this type of problem?? i'm still (?) awaiting a monster mound of reports that removing blocked IPs is failing and generating some 10000+ entries a day like i was seeing with this problem...

> Matt
>
> On 2/8/10 10:11 PM, waldo kitty wrote:
>>
>> some of my tools have had problems with sig 2010643's comma (IIRC) in the msg
>> text... these tools are (generally) written in perl and the sigs they work with
>> are not quote delimited... as such, the embedded quote in the msg field
>> ("Source, ") is misinterpreted as an additional field... for now, i'm
>> attempting, via oinkmaster (since it is one of the primary tools i use) to edit
>> the rule and change the comma to a space-dash-space format...
>>
>> my suggestion is that the msg fields of rules do not contain embedded commas (if
>> we can)...
>>
>> thanks for the consideration...
>

From thierry.chich at ac-clermont.fr Tue Feb 9 03:36:56 2010
From: thierry.chich at ac-clermont.fr (Thierry Chich)
Date: Tue, 09 Feb 2010 09:36:56 +0100
Subject: [Emerging-Sigs] observational problem...
In-Reply-To: <4B70E05D.4070905@windstream.net>
References: <4B70D263.4050807@windstream.net> <4B70D405.8050005@jonkmans.com> <4B70E05D.4070905@windstream.net>
Message-ID: <4B711EA8.2010003@ac-clermont.fr>

On 09/02/2010 05:11, waldo kitty wrote:
> On 2/8/2010 22:18, Matt Jonkman wrote:
>> Ya, that's reasonable. I'll do my best. I modified that sig and its
>> sister sig.
>
> ahhh... the sister sig hadn't hit over here (AFAICT) but it has taken me a week
> or two to realize what the actual problem is/was even with all of the error
> checking and such that i was forced to put in place...
>
> i'm also going to be taking a look at my code and procedures to try to ensure
> that things are quote delimited and then to work from there... i don't know how
> well it will go, though... i'm using the basic perl "split" function to split
> the lines on commas... this is the first time that i've run into this problem,
> though...
>
> anyone got any good method of handling this type of problem?? i'm still (?)
> awaiting a monster mound of reports that removing blocked IPs is failing and
> generating some 10000+ entries a day like i was seeing with this problem...
>

It depends on what you do after that, but perhaps you could erase the content between the two quotes before you split the string?

From evilghost at packetmail.net Tue Feb 9 10:51:47 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 9 Feb 2010 09:51:47 -0600
Subject: [Emerging-Sigs] observational problem.
In-Reply-To: <4B70E05D.4070905@windstream.net>
References: <4B70D263.4050807@windstream.net> <4B70D405.8050005@jonkmans.com> <4B70E05D.4070905@windstream.net>
Message-ID: <4B718493.5040400@packetmail.net>

What about Text::CSV?

http://search.cpan.org/~alancitt/Text-CSV-0.01/CSV.pm
http://perlmeme.org/tutorials/parsing_csv.html

Quoted from CPAN:

This module is based upon a working definition of CSV format which may not be the most general.

1.
Allowable characters within a CSV field include 0x09 (tab) and the inclusive range of 0x20 (space) through 0x7E (tilde).
2. A field within CSV may be surrounded by double-quotes.
3. A field within CSV must be surrounded by double-quotes to contain a comma.
4. A field within CSV must be surrounded by double-quotes to contain an embedded double-quote, represented by a pair of consecutive double-quotes.
5. A CSV string may be terminated by 0x0A (line feed) or by 0x0D,0x0A (carriage return, line feed).

-evilghost

waldo kitty wrote:
> anyone got any good method of handling this type of problem?? i'm still (?)
> awaiting a monster mound of reports that removing blocked IPs is failing and
> generating some 10000+ entries a day like i was seeing with this problem...
>
>

From jonkman at jonkmans.com Tue Feb 9 10:55:18 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 09 Feb 2010 10:55:18 -0500
Subject: [Emerging-Sigs] SpyBye (infostealer) sig
In-Reply-To: <839aec701002081302j153a3a5fra7c18b5cdd221eb@mail.gmail.com>
References: <839aec701002081302j153a3a5fra7c18b5cdd221eb@mail.gmail.com>
Message-ID: <4B718566.7000501@jonkmans.com>

Posted, thanks Darren!!

Matt

On 2/8/10 4:02 PM, Darren Spruell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> SpyBye Bot Checkin"; flow:established,to_server;
> uricontent:".php?guid="; nocase; uricontent:"&ver="; nocase;
> uricontent:"&stat="; nocase; uricontent:"&cpu="; nocase;
> uricontent:"&ccrc="; nocase; classtype:trojan-activity;
> reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot;
> reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99;
> reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html;
> reference:url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0;
> sid:9999990; rev:1;)
>
> Background in references, but this is a new-"ish"
> infostealer/cybercrime kit akin to ZeuS.
> Detection covers the
> following requests observed:
>
> hxxp://www.vinodelam.net/spy/main/bt_version_checker.php?guid=USERNAME!COMPUTERNAME!00CD1A40&ver=10060&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=57&ccrc=72E2921A
> hxxp://www.vinodelam.net/spy/main/bt_version_checker.php?guid=USERNAME!COMPUTERNAME!00CD1A40&ver=10060&stat=ONLINE&cpu=0&ccrc=72E2921A
> hxxp://www.vinodelam.net/spy/main/bt_version_checker.php?guid=HANUELE%20BASER!HANS!1CD709E3&ver=10060&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=96&ccrc=72E2921A
>
> Thx,
>

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From pepperjack at afferentsecurity.com Tue Feb 9 11:56:43 2010
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 9 Feb 2010 10:56:43 -0600
Subject: [Emerging-Sigs] observational problem...
In-Reply-To: <4B70E05D.4070905@windstream.net>
References: <4B70D263.4050807@windstream.net> <4B70D405.8050005@jonkmans.com> <4B70E05D.4070905@windstream.net>
Message-ID: <4B7193CB.80408@afferentsecurity.com>

I had a similar problem with quote marks in msg text. Although I eventually changed my program to remove the issue, I used oinkmaster to remove quote marks from msg text. I don't know how to make oinkmaster use the "global" replace flag, so you can put five of these in your oinkmaster.conf file.

modifysid * "(msg\s*:[^;]*)," | "${1} "
modifysid * "(msg\s*:[^;]*)," | "${1} "
modifysid * "(msg\s*:[^;]*)," | "${1} "
modifysid * "(msg\s*:[^;]*)," | "${1} "
modifysid * "(msg\s*:[^;]*)," | "${1} "

jp

On 02/08/2010 10:11 PM, waldo kitty wrote:
> On 2/8/2010 22:18, Matt Jonkman wrote:
>
>> Ya, that's reasonable. I'll do my best. I modified that sig and its
>> sister sig.
>>
> ahhh...
the sister sig hadn't hit over here (AFAICT) but it has taken me a week > or two to realize what the actual problem is/was even with all of the error > checking and such that i was forced to put in place... > > i'm also going to be taking a look at my code and procedures to try to ensure > that things are quote delimited and then to work from there... i don't know how > well it will go, though... i'm using the basic perl "split" function to split > the lines on commas... this is the first time that i've run into this problem, > though... > > anyone got any good method of handling this type of problem?? i'm still (?) > awaiting a monster mound of reports that removing blocked IPs is failing and > generating some 10000+ entries a day like i was seeing with this problem... > > >> Matt >> >> On 2/8/10 10:11 PM, waldo kitty wrote: >> >>> some of my tools have had problems with sig 2010643's comma (IIRC) in the msg >>> text... these tools are (generally) written in perl and the sigs they work with >>> are not quote delimited... as such, the embedded quote in the msg field >>> ("Source, ") is misinterpreted as an additional field... for now, i'm >>> attempting, via oinkmaster (since it is one of the primary tools i use) to edit >>> the rule and change the comma to a space-dash-space format... >>> >>> my suggestion is that the msg fields of rules do not contain embedded commas (if >>> we can)... >>> >>> thanks for the consideration... >>> >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> Support Emerging Threats! Get your ET Stuff! 
Tshirts, Coffee Mugs and Lanyards
>>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>>>
>>
>
>

From jonkman at jonkmans.com Tue Feb 9 14:38:20 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 09 Feb 2010 14:38:20 -0500
Subject: [Emerging-Sigs] SID 2007745 False Positives
In-Reply-To: <4B7049BB.7000508@packetmail.net>
References: <4B7049BB.7000508@packetmail.net>
Message-ID: <4B71B9AC.50700@jonkmans.com>

We haven't any recent hits in the sidreporter database, and considering the poor research done and haphazard rule writing I'm inclined to delete it. I'll look closer at this guy's rule submissions in the future.

Matt

On 2/8/10 12:28 PM, evilghost at packetmail.net wrote:
> I have some comments regarding SID 2007745, it seems to trip on the API
> call of GetProcAddress() followed by a 0x00. Why the pure hex and
> without there being any kind of depth or other values it seems to be
> this is going to false against every executable using the
> GetProcAddress() API call.
>
> This is a legitimate API call,
> http://allapi.mentalis.org/apilist/GetProcAddress.shtml
>
> Looks like Matt wrote this one. Thoughts/ideas on improvements? Is
> this still a threat?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Parite.B HTTP Download Detected"; flow:established,from_server;
> content:"|47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00|";
> classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007745;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Parite;
> sid:2007745; rev:3;)
>
> -evilghost
>

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From evilghost at packetmail.net Tue Feb 9 15:06:46 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 9 Feb 2010 14:06:46 -0600
Subject: [Emerging-Sigs] SID 2007745 False Positives
In-Reply-To: <4B71B9AC.50700@jonkmans.com>
References: <4B7049BB.7000508@packetmail.net> <4B71B9AC.50700@jonkmans.com>
Message-ID: <4B71C056.9080204@packetmail.net>

Thanks Matt, I agree, we should keep a close eye on this guy ;)

Matt Jonkman wrote:
> We haven't any recent hits in the sidreporter database, and considering
> the poor research done and haphazard rule writing I'm inclined to delete
> it. I'll look closer at this guy's rule submissions in the future.
>
> Matt
>
> On 2/8/10 12:28 PM, evilghost at packetmail.net wrote:
>
>> I have some comments regarding SID 2007745, it seems to trip on the API
>> call of GetProcAddress() followed by a 0x00.
Why the pure hex and >> without there being any kind of depth or other values it seems to be >> this is going to false against every executable using the >> GetProcAddress() API call. >> >> This is a legitimate API call, >> http://allapi.mentalis.org/apilist/GetProcAddress.shtml >> >> Looks like Matt wrote this one. Thoughts/ideas on improvements? Is >> this still a threat? >> >> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Parite.B HTTP Download Detected"; flow:established,from_server; >> content:"|47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00|"; >> classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007745; >> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Parite; >> sid:2007745; rev:3;) >> >> -evilghost >> >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> Support Emerging Threats! Get your ET Stuff! 
Tshirts, Coffee Mugs and Lanyards >> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >> > > From emerging at emergingthreats.net Tue Feb 9 16:00:22 2010 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 9 Feb 2010 16:00:22 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20100209210022.2818045052@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Feb 9 16:00:21 2010 [***] [+++] Added rules: [+++] 2010789 - ET TROJAN SpyBye Bot Checkin (emerging-virus.rules) [///] Modified active rules: [///] 2010642 - ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt (emerging-scan.rules) 2010643 - ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt (emerging-scan.rules) [---] Removed rules: [---] 2007745 - ET TROJAN Parite.B HTTP Download Detected (emerging-virus.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (7): 2010642 || ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010642 2010643 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010643 2010789 || ET TROJAN SpyBye Bot Checkin || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || 
url,www.shadowserver.org 2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org -> Added to emerging-sid-msg.map.txt (7): 2010642 || ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010642 2010643 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010643 2010789 || ET TROJAN SpyBye Bot Checkin || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org 2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (31): 2007745 || ET TROJAN Parite.B HTTP Download Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Parite || url,doc.emergingthreats.net/2007745 2010642 || ET SCAN Multiple FTP Root Login Attempts from Single Source, Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010642 2010643 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source, 
Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010643 2500864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500870 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500871 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500872 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500873 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500874 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500875 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500876 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500877 || ET COMPROMISED 
Known Compromised or Hostile Host Traffic UDP (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510870 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510871 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510872 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510873 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510874 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510875 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510876 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - 
BLOCKING (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510877 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (31): 2007745 || ET TROJAN Parite.B HTTP Download Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Parite || url,doc.emergingthreats.net/2007745 2010642 || ET SCAN Multiple FTP Root Login Attempts from Single Source, Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010642 2010643 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source, Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010643 2500864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500870 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500871 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (436) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500872 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500873 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500874 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500875 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500876 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500877 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510864 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510865 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (433) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510866 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510867 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (434) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510868 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510869 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (435) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510870 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510871 || ET COMPROMISED Known Compromised 
or Hostile Host Traffic UDP - BLOCKING (436) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510872 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510873 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (437) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510874 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510875 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (438) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510876 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510877 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (439) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-virus.rules (1): #based on clamav info, by matt Jonkman From frank at knobbe.us Tue Feb 9 20:16:37 2010 From: frank at knobbe.us (Frank Knobbe) Date: Tue, 09 Feb 2010 19:16:37 -0600 Subject: [Emerging-Sigs] Dupe on 2007743 and 2010545 (Nebuler) In-Reply-To: <839aec701002080728r22809e3el79b97031507a2631@mail.gmail.com> References: <839aec701002080728r22809e3el79b97031507a2631@mail.gmail.com> Message-ID: <1265764597.25797.432.camel@localhost> On Mon, 2010-02-08 at 08:28 -0700, Darren Spruell wrote: > Both 2007743 and 2010545 are written to detect the Nebuler trojan. I > suggest dropping 2010545 as it's redundant and the pcre is too tight > (misses observed requests). 
> > Mod to 2007743: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; > uricontent:".php?"; uricontent:"c="; uricontent:"&v="; > uricontent:"&b="; uricontent:"&id="; uricontent:"&cnt="; > uricontent:"&q="; classtype:trojan-activity; Would it be worth-while to keep the content:!"Referer\: "; check in there? (was in 2010545) -Frank -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 826 bytes Desc: This is a digitally signed message part Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100209/42ae9d7d/attachment.bin From inurbitz at yahoo.com Wed Feb 10 14:40:02 2010 From: inurbitz at yahoo.com (Packet Hack) Date: Wed, 10 Feb 2010 11:40:02 -0800 (PST) Subject: [Emerging-Sigs] Update to sig 2010337 Message-ID: <391257.12026.qm@web113706.mail.gq1.yahoo.com> Ran across some POSTS to /borders.php. Looks very similar to the FakeAV URLs found here: http://www.threatexpert.com/report.aspx?md5=ce260744bb141ac0122a61f8f58027e7 http://www.threatexpert.com/report.aspx?md5=c2e1f131a0df90c0ddb5eb4cc0b9f3ab including the payload in the form data=/CjEfcWB[...] that we see so often in the POSTS to the .gif URLs, e.g. http://grandgoodarts.com/werber/d4958022902/217.gif Think it's safe to say these are FakeAV. --pkthck -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100210/03158ed3/attachment.html From emerging at emergingthreats.net Wed Feb 10 16:00:13 2010 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Wed, 10 Feb 2010 16:00:13 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20100210210013.AF29F45050@goliath.jonkmans.com> [***] Results from Oinkmaster started Wed Feb 10 16:00:13 2010 [***] [+++] Added rules: [+++] 2010790 - ET TROJAN Bredavi Configuration Update Response (emerging-virus.rules) 2010791 - ET TROJAN Bredavi Checkin (emerging-virus.rules) 2010792 - ET TROJAN Bredavi Proxy Registration (emerging-virus.rules) 2010793 - ET TROJAN Bredavi Binary Download Request (emerging-virus.rules) [///] Modified active rules: [///] 2010729 - ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php) (emerging-current_events.rules) 2010787 - ET TROJAN Bot C&C response - download instruction (pipe-delimited) (emerging-virus.rules) 2010788 - ET TROJAN Bot C&C response - empty command (pipe-delimited) (emerging-virus.rules) 2010789 - ET TROJAN SpyBye Bot Checkin (emerging-virus.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (7): 2010787 || ET TROJAN Bot C&C response - download instruction (pipe-delimited) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Bot C&C response - empty command (pipe-delimited) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010789 || ET TROJAN SpyBye Bot Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_SpyBye || url,doc.emergingthreats.net/2010789 || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || 
url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot 2010790 || ET TROJAN Bredavi Configuration Update Response || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010790 2010791 || ET TROJAN Bredavi Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010791 2010792 || ET TROJAN Bredavi Proxy Registration || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010792 2010793 || ET TROJAN Bredavi Binary Download Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010793 -> Added to emerging-sid-msg.map.txt (7): 2010787 || ET TROJAN Bot C&C response - download instruction (pipe-delimited) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Bot C&C response - empty command (pipe-delimited) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010789 || ET TROJAN SpyBye Bot Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_SpyBye || url,doc.emergingthreats.net/2010789 || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot 2010790 || ET TROJAN Bredavi Configuration Update Response || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010790 2010791 || ET TROJAN Bredavi Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010791 2010792 || ET TROJAN Bredavi Proxy Registration || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010792 2010793 || ET TROJAN Bredavi Binary Download Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010793 [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (15): 2010787 || ET TROJAN Bot C&C response, pipe-delimited, download instruction || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Bot C&C response, pipe-delimited, empty command || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010789 || ET TROJAN SpyBye Bot Checkin || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot 2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP 
(431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (15): 2010787 || ET TROJAN Bot C&C response, pipe-delimited, download instruction || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Bot C&C response, pipe-delimited, empty command || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010789 || ET TROJAN SpyBye Bot Checkin || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || 
url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot 2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510860 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510861 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (431) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510862 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510863 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (432) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From phatbuckett at gmail.com Thu Feb 11 15:48:01 2010 From: phatbuckett at gmail.com (Darren Spruell) 
Date: Thu, 11 Feb 2010 13:48:01 -0700
Subject: [Emerging-Sigs] Proposed Signature; Pipe-delimited Bot CC
In-Reply-To: <4B704B72.6090305@packetmail.net>
References: <4B702A95.5030101@packetmail.net> <839aec701002080919v7c3c49d1vae219ccf752713d5@mail.gmail.com> <4B704B72.6090305@packetmail.net>
Message-ID: <839aec701002111248m57a4ea99h245952a21eb4b33b@mail.gmail.com>

Groovy then, how about:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2010787; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; depth:250; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2010788; rev:4;)

DS

On Mon, Feb 8, 2010 at 10:35 AM, evilghost at packetmail.net wrote:
> I liked having the two even though there would be some redundancy in
> alerting because I could confidently block on "command|file|http" while
> inspecting the latter "command|" for false positive potential. Thanks
> for the identification Darren, I think we should update the nomenclature
> as well.
>
> -evilghost
>
> Darren Spruell wrote:
>> On Mon, Feb 8, 2010 at 8:15 AM, evilghost at packetmail.net wrote:
>>
>>> Bot C&C response, unknown variant. Check-in parameters seem to vary but
>>> response seems consistent.
>>> Signatures derived using GNU curl, there may
>>> be some specific behaviors from infected clients not observed here.
>>> There is no trailing CRLF after the instruction, only 7c.
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, download instruction"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; nocase; content:"|7c|"; within:150; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, empty command"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)
>>>
>>> Examples:
>>> http://analystics.cn/ds/knock.php?win=WinXP&id=BEBAE9D&lip=127.0.0.1&s5=34921
>>> http://www.mybotnet.org/ddos/knock.php?win=WinXP&id=05091D2&lip=192.168.1.101&s5=4
>>
>> Knocker/Knockbot. See 2008249.
>>
>> Maybe a rule update to "ET TROJAN Knockbot Proxy Response From
>> Controller" to relate to the request?
>>
>> Also, the second rule above will also match on everything the first would.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff!
> Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
Darren Spruell
phatbuckett at gmail.com

From emerging at emergingthreats.net Thu Feb 11 16:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 11 Feb 2010 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100211210013.726A64504F@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Feb 11 16:00:13 2010 [***]

[*] Rules modifications: [*]
    None.

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (4):
    2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (4):
    2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From signatures at stillsecure.com Fri Feb 12 06:01:35 2010
From: signatures at stillsecure.com (signatures)
Date: Fri, 12 Feb 2010 04:01:35 -0700
Subject:
[Emerging-Sigs] StillSecure: 10 New Signatures - Feb 12th, 2010
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2951@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/acopia/manager/DiagLogListActionBody.do?"; nocase; uricontent:"logFile="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,secunia.com/advisories/38113/; sid:9959; rev:1;)

2. WEB-PHP F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; uricontent:"captureFile="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,secunia.com/advisories/38113/; sid:9960; rev:1;)

3. WEB-PHP F5 Data Manager ViewSatReport.do Local File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP F5 Data Manager ViewSatReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/acopia/sat/ViewSatReport.do?"; nocase; uricontent:"fileName="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,secunia.com/advisories/38113/; sid:9961; rev:1;)

4.
WEB-PHP F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; uricontent:"capture="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,secunia.com/advisories/38113/; sid:9962; rev:1;)

5. WEB-PHP F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/acopia/sat/ViewInventoryErrorReport.do?"; nocase; uricontent:"fileName="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,secunia.com/advisories/38113/; sid:9963; rev:1;)

6. WEB-PHP Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_yelp&"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:bugtraq,38022; sid:10086; rev:1;)

7.
WEB-PHP Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_yelp&"; nocase; uricontent:"cid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:bugtraq,38022; sid:10087; rev:1;)

8. WEB-PHP Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_yelp&"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,38022; sid:10088; rev:1;)

9. WEB-PHP Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_yelp&"; nocase; uricontent:"cid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:bugtraq,38022; sid:10089; rev:1;)

10.
WEB-PHP Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_yelp&"; nocase; uricontent:"cid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:bugtraq,38022; sid:10090; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure

From thierry.chich at ac-clermont.fr Fri Feb 12 07:46:00 2010
From: thierry.chich at ac-clermont.fr (Thierry Chich)
Date: Fri, 12 Feb 2010 13:46:00 +0100
Subject: [Emerging-Sigs] disabling 2009024 ?
Message-ID: <4B754D88.9000304@ac-clermont.fr>

Hello,

Could someone explain to me why the rule 2009024 (ET TROJAN Downadup/Conficker A or B Worm reporting) has been disabled? I think it is a very curious choice, since it is one of the most useful rules I had.
There are a lot of PCs infected, and Conficker is a very good friend to other viruses. The other rules are not working very well. Furthermore, the capture of the packet gives me the IP of the infected PCs (field X-forwarded-for:).

Thanks for an answer.

Thierry.

From kevross33 at googlemail.com Fri Feb 12 08:00:38 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 12 Feb 2010 13:00:38 +0000
Subject: [Emerging-Sigs] 2 IE SIGS: CVE-2010-0249 & 2010-0027
Message-ID:

2 sigs for Internet Explorer.
Regards,
Kev

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; sid:17600002; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer CVE-2010-0249 srcElement Remote Code Execution Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"="; within:2; content:"|22 22|"; within:3; content:"window.setInterval"; distance:0; nocase; classtype:attempted-user; reference:cve,2010-0249; sid:1320005; rev:1;)

From william.metcalf at gmail.com Fri Feb 12 11:27:37 2010
From: william.metcalf at gmail.com (Will Metcalf)
Date: Fri, 12 Feb 2010 10:27:37 -0600
Subject: [Emerging-Sigs] sid 2007937 invalid use of distance.
Message-ID:

I don't think the distance: 0; statement in the following sig makes any sense. There is no previous content match, and even if it was offset or something it still wouldn't make any sense. Maybe the intention was to add the relative pcre modifier?!?!
alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; distance:0; pcre:"/[0-9a-zA-Z]{50,}/"; classtype:successful-dos; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Borland; sid:2007937; rev:2;)

0000   00 00 10 45 3a 00 00 00 00 00 00 0a 44 53 52 65   ...E:.......DSRe
0010   71 75 65 73 74 00 ff ff ff ff 00 00 10 08 41 41   quest.........AA
0020   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0030   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0040   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0050   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0060   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0070   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
.....

Regards,

Will

From jonkman at jonkmans.com Fri Feb 12 12:05:21 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 12 Feb 2010 12:05:21 -0500
Subject: [Emerging-Sigs] sid 2007937 invalid use of distance.
In-Reply-To:
References:
Message-ID: <4B758A51.50902@jonkmans.com>

You are correct. It's an old sig too, and the distance is totally irrelevant.

I suspect the original intent was to have the pcre relative to the end of the content match, which we can make so with /R.

I'll make that change unless I hear that anyone suspects it should be different.

Thanks Will!

Matt

On 2/12/10 11:27 AM, Will Metcalf wrote:
> I don't think the distance: 0; statement in the following sig makes
> any sense. There is no previous content match, and even if it was
> offset or something it still wouldn't make any sense. Maybe the
> intention was to add the relative pcre modifier?!?!
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; distance:0; pcre:"/[0-9a-zA-Z]{50,}/"; classtype:successful-dos; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Borland; sid:2007937; rev:2;)
>
> 0000   00 00 10 45 3a 00 00 00 00 00 00 0a 44 53 52 65   ...E:.......DSRe
> 0010   71 75 65 73 74 00 ff ff ff ff 00 00 10 08 41 41   quest.........AA
> 0020   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
> 0030   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
> 0040   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
> 0050   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
> 0060   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
> 0070   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
> .....
>
> Regards,
>
> Will

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Fri Feb 12 12:10:43 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 12 Feb 2010 12:10:43 -0500
Subject: [Emerging-Sigs] disabling 2009024 ?
In-Reply-To: <4B754D88.9000304@ac-clermont.fr>
References: <4B754D88.9000304@ac-clermont.fr>
Message-ID: <4B758B93.4060609@jonkmans.com>

Hi Thierry. They were dropped because we thought we'd seen the end of variants a and b. And because these sigs were VERY prone to false positive. But were worth it at the time.

Are you still seeing a and b infections being caught by these sigs?

Matt

On 2/12/10 7:46 AM, Thierry Chich wrote:
> Hello,
>
> Could someone explain to me why the rule 2009024 (ET TROJAN
> Downadup/Conficker A or B Worm reporting) has been disabled? I think
> it is a very curious choice, since it is one of the most useful rules I
> had.
> There are a lot of PCs infected, and Conficker is a very good friend to
> other viruses. The other rules are not working very well. Furthermore,
> the capture of the packet gives me the IP of the infected PCs (field
> X-forwarded-for:).
>
> Thanks for an answer.
>
> Thierry.
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff!
> Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
Matthew Jonkman
Emerging Threats

From jonkman at jonkmans.com Fri Feb 12 12:15:36 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 12 Feb 2010 12:15:36 -0500
Subject: [Emerging-Sigs] Proposed Signature; Pipe-delimited Bot CC
In-Reply-To: <839aec701002111248m57a4ea99h245952a21eb4b33b@mail.gmail.com>
References: <4B702A95.5030101@packetmail.net> <839aec701002080919v7c3c49d1vae219ccf752713d5@mail.gmail.com> <4B704B72.6090305@packetmail.net> <839aec701002111248m57a4ea99h245952a21eb4b33b@mail.gmail.com>
Message-ID: <4B758CB8.9040102@jonkmans.com>

That works! Thanks Darren.

But please watch the language. Groovy is totally inappropriate.
Matt

On 2/11/10 3:48 PM, Darren Spruell wrote:
> Groovy then, how about:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2010787; rev:4;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; depth:250; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2010788; rev:4;)
>
> DS
>
> On Mon, Feb 8, 2010 at 10:35 AM, evilghost at packetmail.net wrote:
>> I liked having the two even though there would be some redundancy in
>> alerting because I could confidently block on "command|file|http" while
>> inspecting the latter "command|" for false positive potential. Thanks
>> for the identification Darren, I think we should update the nomenclature
>> as well.
>>
>> -evilghost
>>
>> Darren Spruell wrote:
>>> On Mon, Feb 8, 2010 at 8:15 AM, evilghost at packetmail.net wrote:
>>>
>>>> Bot C&C response, unknown variant. Check-in parameters seem to vary but
>>>> response seems consistent. Signatures derived using GNU curl, there may
>>>> be some specific behaviors from infected clients not observed here.
>>>> There is no trailing CRLF after the instruction, only 7c.
>>>>
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, download instruction"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; nocase; content:"|7c|"; within:150; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, empty command"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)
>>>>
>>>> Examples:
>>>> http://analystics.cn/ds/knock.php?win=WinXP&id=BEBAE9D&lip=127.0.0.1&s5=34921
>>>> http://www.mybotnet.org/ddos/knock.php?win=WinXP&id=05091D2&lip=192.168.1.101&s5=4
>>>
>>> Knocker/Knockbot. See 2008249.
>>>
>>> Maybe a rule update to "ET TROJAN Knockbot Proxy Response From
>>> Controller" to relate to the request?
>>>
>>> Also, the second rule above will also match on everything the first would.
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Get your ET Stuff!
>> Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

-- 
Matthew Jonkman
Emerging Threats

From evilghost at packetmail.net Fri Feb 12 12:17:26 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Fri, 12 Feb 2010 11:17:26 -0600
Subject: [Emerging-Sigs] Proposed Signature; Pipe-delimited Bot CC
In-Reply-To: <4B758CB8.9040102@jonkmans.com>
References: <4B702A95.5030101@packetmail.net> <839aec701002080919v7c3c49d1vae219ccf752713d5@mail.gmail.com> <4B704B72.6090305@packetmail.net> <839aec701002111248m57a4ea99h245952a21eb4b33b@mail.gmail.com> <4B758CB8.9040102@jonkmans.com>
Message-ID: <4B758D26.7080109@packetmail.net>

Fiddlesticks!

Matt Jonkman wrote:
> That works! Thanks Darren.
>
> But please watch the language. Groovy is totally inappropriate.
>
> Matt
>
> On 2/11/10 3:48 PM, Darren Spruell wrote:
>
>> Groovy then, how about:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2010787; rev:4;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; depth:250; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2010788; rev:4;)
>>
>> DS
>>
>> On Mon, Feb 8, 2010 at 10:35 AM, evilghost at packetmail.net wrote:
>>
>>> I liked having the two even though there would be some redundancy in
>>> alerting because I could confidently block on "command|file|http" while
>>> inspecting the latter "command|" for false positive potential. Thanks
>>> for the identification Darren, I think we should update the nomenclature
>>> as well.
>>>
>>> -evilghost
>>>
>>> Darren Spruell wrote:
>>>
>>>> On Mon, Feb 8, 2010 at 8:15 AM, evilghost at packetmail.net wrote:
>>>>
>>>>
>>>>> Bot C&C response, unknown variant. Check-in parameters seem to vary but
>>>>> response seems consistent. Signatures derived using GNU curl, there may
>>>>> be some specific behaviors from infected clients not observed here.
>>>>> There is no trailing CRLF after the instruction, only 7c.
>>>>>
>>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, download instruction"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; nocase; content:"|7c|"; within:150; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)
>>>>>
>>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Bot C&C response, pipe-delimited, empty command"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; sid:2010xxx; rev:1;)
>>>>>
>>>>> Examples:
>>>>> http://analystics.cn/ds/knock.php?win=WinXP&id=BEBAE9D&lip=127.0.0.1&s5=34921
>>>>> http://www.mybotnet.org/ddos/knock.php?win=WinXP&id=05091D2&lip=192.168.1.101&s5=4
>>>>>
>>>>>
>>>> Knocker/Knockbot. See 2008249.
>>>>
>>>> Maybe a rule update to "ET TROJAN Knockbot Proxy Response From
>>>> Controller" to relate to the request?
>>>>
>>>> Also, the second rule above will also match on everything the first would.
>>>>
>>>>
>>>>
>>>
>>
>

From william.metcalf at gmail.com Fri Feb 12 12:49:26 2010
From: william.metcalf at gmail.com (Will Metcalf)
Date: Fri, 12 Feb 2010 11:49:26 -0600
Subject: [Emerging-Sigs] sid 2007937 invalid use of distance.
In-Reply-To: <4B758A51.50902@jonkmans.com>
References: <4B758A51.50902@jonkmans.com>
Message-ID:

Hmmm here is another one that I don't think distance makes any sense for.
There is no previous content match for "content:"CLSID"; nocase; distance:0; "

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit"; flow:to_client,established; content:"CLSID"; nocase; distance:0; content:"13B1B660-6516-4C8A-93C3-50E7EF524CFA"; nocase; distance:0; content:"DeleteFile"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/5573; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008227; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Secure_File_Delete; sid:2008227; rev:35;)

On Fri, Feb 12, 2010 at 11:05 AM, Matt Jonkman wrote:
> You are correct. It's an old sig too, and the distance is totally
> irrelevant.
>
> I suspect the original intent was to have the pcre relative to the end
> of the content match, which we can make so with /R.
>
> I'll make that change unless I hear that anyone suspects it should be
> different.
>
> Thanks Will!
>
> Matt
>
> On 2/12/10 11:27 AM, Will Metcalf wrote:
>> I don't think the distance: 0; statement in the following sig makes
>> any sense. There is no previous content match, and even if it was
>> offset or something it still wouldn't make any sense. Maybe the
>> intention was to add the relative pcre modifier?!?!
>>
>> alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; distance:0; pcre:"/[0-9a-zA-Z]{50,}/"; classtype:successful-dos; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Borland; sid:2007937; rev:2;)
>>
>> 0000   00 00 10 45 3a 00 00 00 00 00 00 0a 44 53 52 65   ...E:.......DSRe
>> 0010   71 75 65 73 74 00 ff ff ff ff 00 00 10 08 41 41   quest.........AA
>> 0020  
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
>> 0030   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
>> 0040   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
>> 0050   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
>> 0060   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
>> 0070   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
>> .....
>>
>> Regards,
>>
>> Will
>
> --
> Matthew Jonkman
> Emerging Threats
>

From william.metcalf at gmail.com Fri Feb 12 12:53:28 2010
From: william.metcalf at gmail.com (Will Metcalf)
Date: Fri, 12 Feb 2010 11:53:28 -0600
Subject: [Emerging-Sigs] sid 2007937 invalid use of distance.
In-Reply-To:
References: <4B758A51.50902@jonkmans.com>
Message-ID:

This one

alert udp any any -> any 41170 (msg:"ET P2P Manolito Search Query"; content:"|01 02 00|"; distance:16; depth:3; content:"FN"; distance:1; depth:2; classtype:policy-violation; reference:url,www.blubster.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003172; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Blubster; sid:2003172; rev:3;)

Shouldn't the first match be offset instead of distance? And for the second match, is this supposed to be within instead of depth?
Regards, Will On Fri, Feb 12, 2010 at 11:49 AM, Will Metcalf wrote: > Hmmm here is another one that I don't think distance makes any sense > for. ?there is no previous content match for "content:"CLSID"; nocase; > distance:0; " > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET > WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure > Methods Exploit"; flow:to_client,established; content:"CLSID"; nocase; > distance:0; content:"13B1B660-6516-4C8A-93C3-50E7EF524CFA"; nocase; > distance:0; content:"DeleteFile"; nocase; distance:0; > reference:url,www.milw0rm.com/exploits/5573; > classtype:web-application-attack; > reference:url,doc.emergingthreats.net/2008227; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Secure_File_Delete; > sid:2008227; rev:35;) > > On Fri, Feb 12, 2010 at 11:05 AM, Matt Jonkman wrote: >> You are correct. It's an old sig too, and the distance is totally >> irrelevant. >> >> I suspect the original intent was to have the pcre relative to the end >> of the content match, which we can make so with /R. >> >> I'll make that change unless I hear that anyone suspects it should be >> different. >> >> Thanks Will! >> >> Matt >> >> On 2/12/10 11:27 AM, Will Metcalf wrote: >>> I don't think the distance: 0; statement in the following sig makes >>> any sense. ?There is no previous content match, and even if it was >>> offset or something it still wouldn't make any sense. ? Maybe the >>> intention was to add the relative pcre modifier?!?! 
>>> >>> alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT >>> Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 >>> 71 75 65 73 74|"; distance:0; pcre:"/[0-9a-zA-Z]{50,}/"; >>> classtype:successful-dos; reference:bugtraq,28084; >>> reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; >>> reference:url,doc.emergingthreats.net/bin/view/Main/2007937; >>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Borland; >>> sid:2007937; rev:2;) >>> >>> 0000 ? 00 00 10 45 3a 00 00 00 00 00 00 0a 44 53 52 65 ?...E:.......DSRe >>> 0010 ? 71 75 65 73 74 00 ff ff ff ff 00 00 10 08 41 41 ?quest.........AA >>> 0020 ? 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 ?AAAAAAAAAAAAAAAA >>> 0030 ? 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 ?AAAAAAAAAAAAAAAA >>> 0040 ? 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 ?AAAAAAAAAAAAAAAA >>> 0050 ? 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 ?AAAAAAAAAAAAAAAA >>> 0060 ? 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 ?AAAAAAAAAAAAAAAA >>> 0070 ? 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 ?AAAAAAAAAAAAAAAA >>> ..... >>> >>> Regards, >>> >>> Will >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> Support Emerging Threats! Get your ET Stuff! 
Tshirts, Coffee Mugs and Lanyards >>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >> >> -- >> >> ---------------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Open Information Security Foundation (OISF) >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> http://www.openinfosecfoundation.org >> ---------------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> > From jonkman at jonkmans.com Fri Feb 12 13:11:58 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 12 Feb 2010 13:11:58 -0500 Subject: [Emerging-Sigs] sid 2007937 invalid use of distance. In-Reply-To: References: <4B758A51.50902@jonkmans.com> Message-ID: <4B7599EE.8070005@jonkmans.com> Fixing this up, and those you've sent privately as well. Thanks Will! Matt On 2/12/10 12:49 PM, Will Metcalf wrote: > Hmmm here is another one that I don't think distance makes any sense > for. there is no previous content match for "content:"CLSID"; nocase; > distance:0; " > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET > WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure > Methods Exploit"; flow:to_client,established; content:"CLSID"; nocase; > distance:0; content:"13B1B660-6516-4C8A-93C3-50E7EF524CFA"; nocase; > distance:0; content:"DeleteFile"; nocase; distance:0; > reference:url,www.milw0rm.com/exploits/5573; > classtype:web-application-attack; > reference:url,doc.emergingthreats.net/2008227; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Secure_File_Delete; > sid:2008227; rev:35;) > > On Fri, Feb 12, 2010 at 11:05 AM, Matt Jonkman wrote: >> You are correct. It's an old sig too, and the distance is totally >> irrelevant. >> >> I suspect the original intent was to have the pcre relative to the end >> of the content match, which we can make so with /R. 
>> >> I'll make that change unless I hear that anyone suspects it should be >> different. >> >> Thanks Will! >> >> Matt >> >> On 2/12/10 11:27 AM, Will Metcalf wrote: >>> I don't think the distance: 0; statement in the following sig makes >>> any sense. There is no previous content match, and even if it was >>> offset or something it still wouldn't make any sense. Maybe the >>> intention was to add the relative pcre modifier?!?! >>> >>> alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT >>> Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 >>> 71 75 65 73 74|"; distance:0; pcre:"/[0-9a-zA-Z]{50,}/"; >>> classtype:successful-dos; reference:bugtraq,28084; >>> reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; >>> reference:url,doc.emergingthreats.net/bin/view/Main/2007937; >>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Borland; >>> sid:2007937; rev:2;) >>> >>> 0000 00 00 10 45 3a 00 00 00 00 00 00 0a 44 53 52 65 ...E:.......DSRe >>> 0010 71 75 65 73 74 00 ff ff ff ff 00 00 10 08 41 41 quest.........AA >>> 0020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>> 0030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>> 0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>> 0050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>> 0060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>> 0070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>> ..... >>> >>> Regards, >>> >>> Will >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> Support Emerging Threats! Get your ET Stuff! 
Tshirts, Coffee Mugs and Lanyards >>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >> >> -- >> >> ---------------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Open Information Security Foundation (OISF) >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> http://www.openinfosecfoundation.org >> ---------------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Fri Feb 12 13:14:34 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 12 Feb 2010 13:14:34 -0500 Subject: [Emerging-Sigs] sid 2007937 invalid use of distance. In-Reply-To: References: <4B758A51.50902@jonkmans.com> Message-ID: <4B759A8A.70905@jonkmans.com> Ya, we have other manolito sigs, might let this go. Working... On 2/12/10 12:53 PM, Will Metcalf wrote: > This one > > alert udp any any -> any 41170 (msg:"ET P2P Manolito Search Query"; > content:"|01 02 00|"; distance:16; depth:3; content:"FN"; distance:1; > depth:2; classtype:policy-violation; reference:url,www.blubster.com; > reference:url,doc.emergingthreats.net/bin/view/Main/2003172; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Blubster; > sid:2003172; rev:3;) > > Shouldn't the first match be offset instead of distance? And the > second match is this supposed to be within instead of depth? > > Regards, > > Will > > On Fri, Feb 12, 2010 at 11:49 AM, Will Metcalf > wrote: >> Hmmm here is another one that I don't think distance makes any sense >> for. 
there is no previous content match for "content:"CLSID"; nocase; >> distance:0; " >> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET >> WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure >> Methods Exploit"; flow:to_client,established; content:"CLSID"; nocase; >> distance:0; content:"13B1B660-6516-4C8A-93C3-50E7EF524CFA"; nocase; >> distance:0; content:"DeleteFile"; nocase; distance:0; >> reference:url,www.milw0rm.com/exploits/5573; >> classtype:web-application-attack; >> reference:url,doc.emergingthreats.net/2008227; >> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Secure_File_Delete; >> sid:2008227; rev:35;) >> >> On Fri, Feb 12, 2010 at 11:05 AM, Matt Jonkman wrote: >>> You are correct. It's an old sig too, and the distance is totally >>> irrelevant. >>> >>> I suspect the original intent was to have the pcre relative to the end >>> of the content match, which we can make so with /R. >>> >>> I'll make that change unless I hear that anyone suspects it should be >>> different. >>> >>> Thanks Will! >>> >>> Matt >>> >>> On 2/12/10 11:27 AM, Will Metcalf wrote: >>>> I don't think the distance: 0; statement in the following sig makes >>>> any sense. There is no previous content match, and even if it was >>>> offset or something it still wouldn't make any sense. Maybe the >>>> intention was to add the relative pcre modifier?!?! 
>>>> >>>> alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT >>>> Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 >>>> 71 75 65 73 74|"; distance:0; pcre:"/[0-9a-zA-Z]{50,}/"; >>>> classtype:successful-dos; reference:bugtraq,28084; >>>> reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; >>>> reference:url,doc.emergingthreats.net/bin/view/Main/2007937; >>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Borland; >>>> sid:2007937; rev:2;) >>>> >>>> 0000 00 00 10 45 3a 00 00 00 00 00 00 0a 44 53 52 65 ...E:.......DSRe >>>> 0010 71 75 65 73 74 00 ff ff ff ff 00 00 10 08 41 41 quest.........AA >>>> 0020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>>> 0030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>>> 0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>>> 0050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>>> 0060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>>> 0070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA >>>> ..... >>>> >>>> Regards, >>>> >>>> Will >>>> >>>> _______________________________________________ >>>> Emerging-sigs mailing list >>>> Emerging-sigs at emergingthreats.net >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>> >>>> Support Emerging Threats! Get your ET Stuff! 
Tshirts, Coffee Mugs and Lanyards >>>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html >>> >>> -- >>> >>> ---------------------------------------------------- >>> Matthew Jonkman >>> Emerging Threats >>> Open Information Security Foundation (OISF) >>> Phone 765-429-0398 >>> Fax 312-264-0205 >>> http://www.emergingthreats.net >>> http://www.openinfosecfoundation.org >>> ---------------------------------------------------- >>> >>> PGP: http://www.jonkmans.com/mattjonkman.asc >>> >> -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From mike.cox52 at gmail.com Fri Feb 12 14:22:45 2010 From: mike.cox52 at gmail.com (Mike Cox) Date: Fri, 12 Feb 2010 13:22:45 -0600 Subject: [Emerging-Sigs] ET POLICY Twitter Status Update Message-ID: <6116b9e21002121122p18c28aeu55db428a589bc949@mail.gmail.com> If we have Facebook chat rules, I guess we better have Twitter status update rules to catch those narcissistic privacy whores who can't help but showcase their life to the world: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Twitter Status Update"; flow:to_server,established; content:"POST"; http_method; uricontent:"/status/update"; content:"twitter.com"; nocase; http_headers; content:"authenticity_token="; nocase; content:"status="; nocase; classtype:policy-violation; reference:url,twitter.com; sid:2010xxx; rev:1;) Sure, you could bypass this by not submitting Host and Referer headers but anyone competent enough to do that will find a way to Tweet [*sic*] even if we don't have the http_headers check for "twitter.com". -Mike Cox P.S. Joel, you might want to disable this one :) -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100212/6c42d9ee/attachment.html From emerging at emergingthreats.net Fri Feb 12 16:00:13 2010 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Fri, 12 Feb 2010 16:00:13 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20100212210013.06A2E45058@goliath.jonkmans.com> [***] Results from Oinkmaster started Fri Feb 12 16:00:12 2010 [***] [///] Modified active rules: [///] 2001191 - ET EXPLOIT libPNG - Width exceeds limit (emerging-exploit.rules) 2001192 - ET EXPLOIT libPNG - Height exceeds limit (emerging-exploit.rules) 2001195 - ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT (emerging-exploit.rules) 2002880 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port (emerging-dos.rules) 2002881 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port (emerging-dos.rules) 2002882 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port (emerging-dos.rules) 2002926 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port (emerging-dos.rules) 2002927 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port (emerging-dos.rules) 2002928 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port (emerging-dos.rules) 2007933 - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability (emerging-exploit.rules) 2007934 - ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability (emerging-exploit.rules) 2007937 - ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (emerging-exploit.rules) 2009887 - ET WEB_SPECIFIC_APPS ProjectButler RFI attempt (emerging-web_specific_apps.rules) 2010787 - ET TROJAN Knockbot Proxy Response From Controller (emerging-virus.rules) 2010788 - ET TROJAN Knockbot Proxy Response From Controller (empty command) (emerging-virus.rules) [---] Removed rules: [---] 2003172 - ET P2P Manolito Search Query (emerging-p2p.rules) 2007850 - ET WEB_CLIENT ACTIVEX 
Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability (emerging-web_client.rules) 2007906 - ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF (emerging-game.rules) 2007907 - ET WEB_CLIENT ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF (emerging-web_client.rules) 2007936 - ET WEB_SERVER Netwin Webmail SurgeMail Mail Server Format String Vulnerability (emerging-web_server.rules) 2008227 - ET WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit (emerging-web_client.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (2): 2010787 || ET TROJAN Knockbot Proxy Response From Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Knockbot Proxy Response From Controller (empty command) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php -> Added to emerging-sid-msg.map.txt (2): 2010787 || ET TROJAN Knockbot Proxy Response From Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Knockbot Proxy Response From Controller (empty command) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php -> Added to emerging-virus.rules (1): #by evilghost and darren spruell [---] Removed non-rule lines: [---] -> Removed from emerging-game.rules (1): #by Akash Mahajan at Stillsecure -> Removed from emerging-p2p.rules (1): #by Blake Hartstein -> Removed from emerging-sid-msg.map (40): 2003172 || ET P2P Manolito Search Query 
|| url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Blubster || url,doc.emergingthreats.net/bin/view/Main/2003172 || url,www.blubster.com 2007850 || ET WEB_CLIENT ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Move_Networks || url,doc.emergingthreats.net/2007850 || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007906 || ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Ourgame || url,doc.emergingthreats.net/bin/view/Main/2007906 || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153 2007907 || ET WEB_CLIENT ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Move_Networks || url,doc.emergingthreats.net/2007907 || url,www.milw0rm.com/exploits/5190 2007936 || ET WEB_SERVER Netwin Webmail SurgeMail Mail Server Format String Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Netwin || url,doc.emergingthreats.net/2007936 || bugtraq,27990 || cve,CVE-2008-1055 || url,aluigi.altervista.org/adv/surgemailz-adv.txt 2008227 || ET WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Secure_File_Delete || url,doc.emergingthreats.net/2008227 || url,www.milw0rm.com/exploits/5573 2010787 || ET TROJAN Bot C&C response - download instruction (pipe-delimited) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Bot C&C response - empty command (pipe-delimited) || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org 2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2500846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500856 || ET COMPROMISED Known Compromised 
or Hostile Host Traffic TCP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (428) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (40): 2003172 || ET P2P Manolito Search Query || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Blubster || url,doc.emergingthreats.net/bin/view/Main/2003172 || url,www.blubster.com 2007850 || ET WEB_CLIENT ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Move_Networks || url,doc.emergingthreats.net/2007850 || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007906 || ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Ourgame || url,doc.emergingthreats.net/bin/view/Main/2007906 || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153 2007907 || ET WEB_CLIENT ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Move_Networks || url,doc.emergingthreats.net/2007907 || url,www.milw0rm.com/exploits/5190 2007936 || ET WEB_SERVER Netwin Webmail SurgeMail Mail Server Format String Vulnerability || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Netwin || url,doc.emergingthreats.net/2007936 || bugtraq,27990 || cve,CVE-2008-1055 || url,aluigi.altervista.org/adv/surgemailz-adv.txt 2008227 || ET WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Secure_File_Delete || url,doc.emergingthreats.net/2008227 || url,www.milw0rm.com/exploits/5573 2010787 || ET TROJAN Bot C&C response - download instruction (pipe-delimited) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Bot C&C response - empty command (pipe-delimited) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org 2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2500846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (426) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510846 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510847 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (424) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510848 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510849 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (425) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510850 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - 
BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510851 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (426) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510852 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510853 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (427) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510854 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510855 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (428) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510856 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510857 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (429) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510858 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510859 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (430) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-web_server.rules (1): #by Akash Mahajan From phatbuckett at gmail.com Fri Feb 12 16:19:57 2010 From: phatbuckett at gmail.com (Darren Spruell) Date: Fri, 12 Feb 2010 14:19:57 -0700 Subject: [Emerging-Sigs] disabling 2009024 ? In-Reply-To: <4B758B93.4060609@jonkmans.com> References: <4B754D88.9000304@ac-clermont.fr> <4B758B93.4060609@jonkmans.com> Message-ID: <839aec701002121319h3203023fxefa545211c8e2bcb@mail.gmail.com> We still have a few popping up here and there, mainly nonstandard systems. 
The pcre probably isn't picking up conficker.a (the \s at the end of the pattern wouldn't have matched on e.g.):

66.240.173.8/search?q=0&aq=7
202.134.108.51/search?q=12&aq=7

If it was to be kept, here's an option for a more restrictive pattern which is likely to reduce some FPs:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009024; rev:9;)

This also picks up these types of requests, although I don't know if this occurred commonly:

64.202.189.170/search?q=0&aq=7?6c708828
64.202.189.170/search?q=0&aq=7?a367aa30
64.202.189.170/search?q=7&aq=7?4e1c3840

DS

On Fri, Feb 12, 2010 at 10:10 AM, Matt Jonkman wrote:
> Hi Thierry.
>
> They were dropped because we thought we'd seen the end of variants a and
> b. And because these sigs were VERY prone to false positive. But were
> worth it at the time.
>
> Are you still seeing a and b infections being caught by these sigs?
>
> Matt
>
> On 2/12/10 7:46 AM, Thierry Chich wrote:
>> Hello,
>>
>> Could someone explain to me why the rule 2009024 (ET TROJAN
>> Downadup/Conficker A or B Worm reporting) has been disabled? I think
>> it is a very curious choice, since it is one of the most useful rules I
>> had.
>> There are a lot of PCs infected, and Conficker is a very good friend for
>> other viruses. The other rules are not working very well. Furthermore,
>> the capture of the packet is giving me the IP of the infected PCs (field
>> X-forwarded-for:).
>>
>> Thanks for an answer.
>>
>> Thierry.
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
> --
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>

--
Darren Spruell
phatbuckett at gmail.com

From kevross33 at googlemail.com Fri Feb 12 20:38:45 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Sat, 13 Feb 2010 01:38:45 +0000
Subject: [Emerging-Sigs] SIGS: Cisco Collaboration Server XSS & VMware Directory Traversal
Message-ID:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/webline/html/admin/wcs/LoginPage.jhtml"; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/38201; sid:12300001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8222,8333] (msg:"ET WEB_SERVER Possible VMware Directory Traversal Attempt"; flow:established,to_server; uricontent:"/sdk/.."; nocase; pcre:"/\x2Fsdk\x2F\x2E\x2E(\x2E|\x2F)\x2E\x2E(\x2E|\x2F)/Ui"; classtype:attempted-recon; reference:cve,2009-3733; sid:12300002; rev:1;)

Kev

From famousjs at gmail.com Fri Feb 12 23:52:14 2010
From: famousjs at gmail.com (Josh Smith)
Date: Fri, 12 Feb 2010 23:52:14 -0500
Subject: [Emerging-Sigs] Matahari signature
Message-ID: <4B762FFE.2010008@gmail.com>

I'm sure this tool isn't too popular, but the concept behind it is pretty good.
http://matahari.sourceforge.net/index.html

Here is a signature I wrote that seems to detect it fine:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Matahari client"; flow:to_server,established; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/iR"; content:"Next|2d|Polling"; distance:0; http_header; classtype:trojan-activity; sid:9001; rev:6;)

I haven't tried its "IDS evasion techniques"...but looking at the source code all that seems to do is randomize the polling times.

--
Josh Smith
Information Security & Forensics
Rochester Institute of Technology

From emerging at emergingthreats.net Sat Feb 13 16:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 13 Feb 2010 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100213210013.9655C45052@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Feb 13 16:00:13 2010 [***]

[*] Rules modifications: [*]
    None.
[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (20):
2404046 || ET DROP Known Bot C&C Server Traffic TCP (group 24) || url,www.shadowserver.org
2404047 || ET DROP Known Bot C&C Server Traffic UDP (group 24) || url,www.shadowserver.org
2404048 || ET DROP Known Bot C&C Server Traffic TCP (group 25) || url,www.shadowserver.org
2404049 || ET DROP Known Bot C&C Server Traffic UDP (group 25) || url,www.shadowserver.org
2404050 || ET DROP Known Bot C&C Server Traffic TCP (group 26) || url,www.shadowserver.org
2404051 || ET DROP Known Bot C&C Server Traffic UDP (group 26) || url,www.shadowserver.org
2404052 || ET DROP Known Bot C&C Server Traffic TCP (group 27) || url,www.shadowserver.org
2404053 || ET DROP Known Bot C&C Server Traffic UDP (group 27) || url,www.shadowserver.org
2404054 || ET DROP Known Bot C&C Server Traffic TCP (group 28) || url,www.shadowserver.org
2404055 || ET DROP Known Bot C&C Server Traffic UDP (group 28) || url,www.shadowserver.org
2405046 || ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org
2405047 || ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org
2405048 || ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org
2405049 || ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org
2405050 || ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org
2405051 || ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org
2405052 || ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org
2405053 || ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org
2405054 || ET DROP Known Bot C&C Traffic TCP (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
2405055 || ET DROP Known Bot C&C Traffic UDP (group 28) - BLOCKING SOURCE || url,www.shadowserver.org

-> Removed from emerging-sid-msg.map.txt (20):
2404046 || ET DROP Known Bot C&C Server Traffic TCP (group 24) || url,www.shadowserver.org
2404047 || ET DROP Known Bot C&C Server Traffic UDP (group 24) || url,www.shadowserver.org
2404048 || ET DROP Known Bot C&C Server Traffic TCP (group 25) || url,www.shadowserver.org
2404049 || ET DROP Known Bot C&C Server Traffic UDP (group 25) || url,www.shadowserver.org
2404050 || ET DROP Known Bot C&C Server Traffic TCP (group 26) || url,www.shadowserver.org
2404051 || ET DROP Known Bot C&C Server Traffic UDP (group 26) || url,www.shadowserver.org
2404052 || ET DROP Known Bot C&C Server Traffic TCP (group 27) || url,www.shadowserver.org
2404053 || ET DROP Known Bot C&C Server Traffic UDP (group 27) || url,www.shadowserver.org
2404054 || ET DROP Known Bot C&C Server Traffic TCP (group 28) || url,www.shadowserver.org
2404055 || ET DROP Known Bot C&C Server Traffic UDP (group 28) || url,www.shadowserver.org
2405046 || ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org
2405047 || ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org
2405048 || ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org
2405049 || ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org
2405050 || ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org
2405051 || ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org
2405052 || ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org
2405053 || ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org
2405054 || ET DROP Known Bot C&C Traffic TCP (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
2405055 || ET DROP Known Bot C&C Traffic UDP (group 28) - BLOCKING SOURCE ||
url,www.shadowserver.org

From emerging at emergingthreats.net Sat Feb 13 18:00:14 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 13 Feb 2010 18:00:14 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20100213230014.1B6D345058@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Feb 13 18:00:13 2010 [***]

[+++] Added rules: [+++]
2010771 - ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010772 - ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010773 - ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010774 - ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010775 - ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010776 - ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010777 - ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010778 - ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1 (emerging-web_client.rules)
2010779 - ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2 (emerging-web_client.rules)
2010780 - ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt (emerging-web_specific_apps.rules)
2010781 - ET POLICY PsExec service created (emerging-policy.rules)
2010782 - ET POLICY RemoteControlX rctrlx service created (emerging-policy.rules)
2010783 - ET EXPLOIT GsecDump executed (emerging-exploit.rules)
2010784 - ET POLICY Facebook Chat (send message) (emerging-policy.rules)
2010785 - ET POLICY Facebook Chat (buddy list) (emerging-policy.rules)
2010786 - ET POLICY Facebook Chat (settings) (emerging-policy.rules)
2010787 - ET TROJAN Knockbot Proxy Response From Controller (emerging-virus.rules)
2010788 - ET TROJAN Knockbot Proxy Response From Controller (empty command) (emerging-virus.rules)
2010789 - ET TROJAN SpyBye Bot Checkin (emerging-virus.rules)
2010790 - ET TROJAN Bredavi Configuration Update Response (emerging-virus.rules)
2010791 - ET TROJAN Bredavi Checkin (emerging-virus.rules)
2010792 - ET TROJAN Bredavi Proxy Registration (emerging-virus.rules)
2010793 - ET TROJAN Bredavi Binary Download Request (emerging-virus.rules)

[///] Modified active rules: [///]
2001191 - ET EXPLOIT libPNG - Width exceeds limit (emerging-exploit.rules)
2001192 - ET EXPLOIT libPNG - Height exceeds limit (emerging-exploit.rules)
2001195 - ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT (emerging-exploit.rules)
2002880 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port (emerging-dos.rules)
2002881 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port (emerging-dos.rules)
2002882 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port (emerging-dos.rules)
2002926 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port (emerging-dos.rules)
2002927 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port (emerging-dos.rules)
2002928 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port (emerging-dos.rules)
2007743 - ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin (emerging-virus.rules)
2007933 - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability (emerging-exploit.rules)
2007934 - ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability (emerging-exploit.rules)
2007937 - ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (emerging-exploit.rules)
2008411 - ET TROJAN LDPinch SMTP Password Report with mail client The Bat! (emerging-virus.rules)
2009887 - ET WEB_SPECIFIC_APPS ProjectButler RFI attempt (emerging-web_specific_apps.rules)
2010071 - ET TROJAN Hiloti/Mufanom Downloader Checkin (emerging-virus.rules)
2010642 - ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt (emerging-scan.rules)
2010643 - ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt (emerging-scan.rules)
2010729 - ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php) (emerging-current_events.rules)
2010743 - ET TROJAN Oficla Checkin (1) (emerging-virus.rules)
2010764 - ET TROJAN Oficla Checkin (2) (emerging-virus.rules)
2010765 - ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) (emerging-virus.rules)
2010766 - ET POLICY Proxy TRACE Request - inbound (emerging-policy.rules)
2010767 - ET POLICY TRACE Request - outbound (emerging-policy.rules)
2010768 - WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) (emerging-user_agents.rules)
2010770 - ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP
Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2402001 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2403001 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic TCP (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic UDP (group 1) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic TCP (group 2) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic UDP (group 2) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic TCP (group 3) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic UDP (group 3) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic TCP (group 4) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic UDP (group 4) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic TCP (group 5) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic UDP (group 5) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic TCP (group 6) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic UDP (group 6) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic TCP (group 7) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic UDP (group 7) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic TCP (group 8) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic UDP (group 8) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic TCP (group 9) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic UDP (group 9) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic TCP (group 10) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic UDP (group 10) (emerging-botcc.rules)
2404020 - ET DROP Known Bot C&C Server Traffic TCP (group 11) (emerging-botcc.rules)
2404021 - ET DROP Known Bot C&C Server Traffic UDP (group 11) (emerging-botcc.rules)
2404022 - ET DROP Known Bot C&C Server Traffic TCP (group 12) (emerging-botcc.rules)
2404023 - ET DROP Known Bot C&C Server Traffic UDP (group 12) (emerging-botcc.rules)
2404024 - ET DROP Known Bot C&C Server Traffic TCP (group 13) (emerging-botcc.rules)
2404025 - ET DROP Known Bot C&C Server Traffic UDP (group 13) (emerging-botcc.rules)
2404026 - ET DROP Known Bot C&C Server Traffic TCP (group 14) (emerging-botcc.rules)
2404027 - ET DROP Known Bot C&C Server Traffic UDP (group 14) (emerging-botcc.rules)
2404028 - ET DROP Known Bot C&C Server Traffic TCP (group 15) (emerging-botcc.rules)
2404029 - ET DROP Known Bot C&C Server Traffic UDP (group 15) (emerging-botcc.rules)
2404030 - ET DROP Known Bot C&C Server Traffic TCP (group 16) (emerging-botcc.rules)
2404031 - ET DROP Known Bot C&C Server Traffic UDP (group 16) (emerging-botcc.rules)
2404032 - ET DROP Known Bot C&C Server Traffic TCP (group 17) (emerging-botcc.rules)
2404033 - ET DROP Known Bot C&C Server Traffic UDP (group 17) (emerging-botcc.rules)
2404034 - ET DROP Known Bot C&C Server Traffic TCP (group 18) (emerging-botcc.rules)
2404035 - ET DROP Known Bot C&C Server Traffic UDP (group 18) (emerging-botcc.rules)
2404036 - ET DROP Known Bot C&C Server Traffic TCP (group 19) (emerging-botcc.rules)
2404037 - ET DROP Known Bot C&C Server Traffic UDP (group 19) (emerging-botcc.rules)
2404038 - ET DROP Known Bot C&C Server Traffic TCP (group 20) (emerging-botcc.rules)
2404039 - ET DROP Known Bot C&C Server Traffic UDP (group 20) (emerging-botcc.rules)
2404040 - ET DROP Known Bot C&C Server Traffic TCP (group 21) (emerging-botcc.rules)
2404041 - ET DROP Known Bot C&C Server Traffic UDP (group 21) (emerging-botcc.rules)
2404042 - ET DROP Known Bot C&C Server Traffic TCP (group 22) (emerging-botcc.rules)
2404043 - ET DROP Known Bot C&C Server Traffic UDP (group 22) (emerging-botcc.rules)
2404044 - ET DROP Known Bot C&C Server Traffic TCP (group 23) (emerging-botcc.rules)
2404045 - ET DROP Known Bot C&C Server Traffic UDP (group 23) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic UDP (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic TCP (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic UDP (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic TCP (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic UDP (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic TCP (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic UDP (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic TCP (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic UDP (group 5) - BLOCKING SOURCE
(emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic TCP (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic UDP (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic TCP (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic UDP (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic TCP (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic UDP (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic TCP (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic UDP (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic TCP (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic UDP (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405020 - ET DROP Known Bot C&C Traffic TCP (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405021 - ET DROP Known Bot C&C Traffic UDP (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405022 - ET DROP Known Bot C&C Traffic TCP (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405023 - ET DROP Known Bot C&C Traffic UDP (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405024 - ET DROP Known Bot C&C Traffic TCP (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405025 - ET DROP Known Bot C&C Traffic UDP (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405026 - ET DROP Known Bot C&C Traffic TCP (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405027 - ET DROP Known Bot C&C Traffic UDP (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405028 - ET DROP Known Bot C&C Traffic TCP (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405029 - ET DROP Known Bot C&C Traffic UDP (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405030 - ET DROP Known Bot C&C Traffic TCP (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405031 - ET DROP Known Bot C&C Traffic UDP (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405032 - ET DROP Known Bot C&C Traffic TCP (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405033 - ET DROP Known Bot C&C Traffic UDP (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405034 - ET DROP Known Bot C&C Traffic TCP (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405035 - ET DROP Known Bot C&C Traffic UDP (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405036 - ET DROP Known Bot C&C Traffic TCP (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405037 - ET DROP Known Bot C&C Traffic UDP (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405038 - ET DROP Known Bot C&C Traffic TCP (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405039 - ET DROP Known Bot C&C Traffic UDP (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405040 - ET DROP Known Bot C&C Traffic TCP (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405041 - ET DROP Known Bot C&C Traffic UDP (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405042 - ET DROP Known Bot C&C Traffic TCP (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405043 - ET DROP Known Bot C&C Traffic UDP (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405044 - ET DROP Known Bot C&C Traffic TCP (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405045 - ET DROP Known Bot C&C Traffic UDP (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[---] Disabled and modified rules: [---]
2010769 - ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt (emerging-current_events.rules)

[---] Removed rules: [---]
2003172 - ET P2P Manolito Search Query (emerging-p2p.rules)
2007745 - ET TROJAN Parite.B HTTP Download Detected (emerging-virus.rules)
2007850 - ET WEB_CLIENT ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability (emerging-web_client.rules)
2007906 - ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF (emerging-game.rules)
2007907 - ET WEB_CLIENT ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF (emerging-web_client.rules)
2007936 - ET WEB_SERVER Netwin Webmail SurgeMail Mail Server Format String Vulnerability (emerging-web_server.rules)
2008227 - ET WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit (emerging-web_client.rules)
2010545 - ET TROJAN Unknown Fake AV Checkin (emerging-virus.rules)
2404046 - ET DROP Known Bot C&C Server Traffic TCP (group 24) (emerging-botcc.rules)
2404047 - ET DROP Known Bot C&C Server Traffic UDP (group 24) (emerging-botcc.rules)
2404048 - ET DROP Known Bot C&C Server Traffic TCP (group 25) (emerging-botcc.rules)
2404049 - ET DROP Known Bot C&C Server Traffic UDP (group 25) (emerging-botcc.rules)
2404050 - ET DROP Known Bot C&C Server Traffic TCP (group 26) (emerging-botcc.rules)
2404051 - ET DROP Known Bot C&C Server Traffic UDP (group 26) (emerging-botcc.rules)
2404052 - ET DROP Known Bot C&C Server Traffic TCP (group 27) (emerging-botcc.rules)
2404053 - ET DROP Known Bot C&C Server Traffic UDP (group 27) (emerging-botcc.rules)
2404054 - ET DROP Known Bot C&C Server Traffic TCP (group 28) (emerging-botcc.rules)
2404055 - ET DROP Known Bot C&C Server Traffic UDP (group 28) (emerging-botcc.rules)
2404056 - ET DROP Known Bot C&C Server Traffic TCP (group 29) (emerging-botcc.rules)
2404057 - ET DROP Known Bot C&C Server Traffic UDP (group 29) (emerging-botcc.rules)
2405046 - ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405047 - ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405048 - ET DROP Known Bot C&C
Traffic TCP (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405049 - ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405050 - ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405051 - ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405052 - ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405053 - ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405054 - ET DROP Known Bot C&C Traffic TCP (group 28) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405055 - ET DROP Known Bot C&C Traffic UDP (group 28) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405056 - ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405057 - ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1814
# Generated 2010-02-13 00:03:03 EDT

-> Added to emerging-drop.rules (2):
# VERSION 1814
# Generated 2010-02-13 00:03:03 EDT

-> Added to emerging-exploit.rules (2):
#by rich rumble
#GsecDump rule

-> Added to emerging-policy.rules (4):
#by SpOoKeR
#by rich rumble
#PsExec for lan
#RctrlX

-> Added to emerging-sid-msg.map (35):
2007743 || ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2007743 || url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d || url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D || url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2
2010071 || ET TROJAN Hiloti/Mufanom Downloader Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A
2010642 || ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010642
2010643 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010643
2010743 || ET TROJAN Oficla Checkin (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla || url,doc.emergingthreats.net/2010743 || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c
2010764 || ET TROJAN Oficla Checkin (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla || url,doc.emergingthreats.net/2010764 || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c
2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2010765 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B
2010766 || ET POLICY Proxy TRACE Request - inbound || url,doc.emergingthreats.net/2010766 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy
2010767 || ET POLICY TRACE Request - outbound || url,doc.emergingthreats.net/2010767 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy
2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Webcollage || url,doc.emergingthreats.net/2010768 || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526
2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE || url,doc.emergingthreats.net/2010769 || cve,2010-0255 || url,www.microsoft.com/technet/security/advisory/980088.mspx || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag
2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_HP_System_Manager || url,doc.emergingthreats.net/2010770 || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727
2010771 || ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010771 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt
2010772 || ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010772 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt
2010773 || ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010773 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt
2010774 || ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt ||
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010774 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt
2010775 || ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010775 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt
2010776 || ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010776 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt
2010777 || ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010777 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt
2010778 || ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010778 || url,www.kb.cert.org/vuls/id/589097 || url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt || url,secunia.com/advisories/24692/
2010779 || ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010779 || url,www.kb.cert.org/vuls/id/589097 || url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt || url,secunia.com/advisories/24692/
2010780 || ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010780 || bugtraq,37440
2010781 || ET POLICY PsExec service created || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SecTools || url,doc.emergingthreats.net/2010781 || url,xinn.org/Snort-psexec.html
2010782 || ET POLICY RemoteControlX rctrlx service created || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SecTools || url,doc.emergingthreats.net/2010782 || url,xinn.org/Snort-rctrlx.html
2010783 || ET EXPLOIT GsecDump executed || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Gsecdump || url,doc.emergingthreats.net/2010783 || url,xinn.org/Snort-gsecdump.html
2010784 || ET POLICY Facebook Chat (send message) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010784
2010785 || ET POLICY Facebook Chat (buddy list) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010785
2010786 || ET POLICY Facebook Chat (settings) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010786
2010787 || ET TROJAN Knockbot Proxy Response From Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php
2010788 || ET TROJAN Knockbot Proxy Response From Controller (empty command) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php
2010789 || ET TROJAN SpyBye Bot Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_SpyBye || url,doc.emergingthreats.net/2010789 || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot
2010790 || ET TROJAN Bredavi Configuration Update Response || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010790
2010791 || ET TROJAN Bredavi Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010791
2010792 || ET TROJAN Bredavi Proxy Registration || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010792
2010793 || ET TROJAN Bredavi Binary Download Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010793

-> Added to emerging-sid-msg.map.txt (35):
2007743 || ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2007743 || url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d || url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D || url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2
2010071 || ET TROJAN Hiloti/Mufanom Downloader Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A
2010642 || ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010642
2010643 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force ||
url,doc.emergingthreats.net/2010643 2010743 || ET TROJAN Oficla Checkin (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla || url,doc.emergingthreats.net/2010743 || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010764 || ET TROJAN Oficla Checkin (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla || url,doc.emergingthreats.net/2010764 || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Socks || url,doc.emergingthreats.net/2010765 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010766 || ET POLICY Proxy TRACE Request - inbound || url,doc.emergingthreats.net/2010766 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010767 || ET POLICY TRACE Request - outbound || url,doc.emergingthreats.net/2010767 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Webcollage || url,doc.emergingthreats.net/2010768 || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE || url,doc.emergingthreats.net/2010769 || cve,2010-0255 || url,www.microsoft.com/technet/security/advisory/980088.mspx || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || 
url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag 2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_HP_System_Manager || url,doc.emergingthreats.net/2010770 || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727 2010771 || ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010771 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010772 || ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010772 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010773 || ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010773 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010774 || ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010774 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010775 || ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010775 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010776 || ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File 
Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010776 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010777 || ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_asaher || url,doc.emergingthreats.net/2010777 || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt 2010778 || ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010778 || url,www.kb.cert.org/vuls/id/589097 || url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt || url,secunia.com/advisories/24692/ 2010779 || ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010779 || url,www.kb.cert.org/vuls/id/589097 || url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt || url,secunia.com/advisories/24692/ 2010780 || ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010780 || bugtraq,37440 2010781 || ET POLICY PsExec service created || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SecTools || url,doc.emergingthreats.net/2010781 || url,xinn.org/Snort-psexec.html 2010782 || ET POLICY RemoteControlX rctrlx service created || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SecTools || url,doc.emergingthreats.net/2010782 || url,xinn.org/Snort-rctrlx.html 2010783 || ET EXPLOIT GsecDump executed || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Gsecdump || 
url,doc.emergingthreats.net/2010783 || url,xinn.org/Snort-gsecdump.html 2010784 || ET POLICY Facebook Chat (send message) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010784 2010785 || ET POLICY Facebook Chat (buddy list) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010785 2010786 || ET POLICY Facebook Chat (settings) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat || url,doc.emergingthreats.net/2010786 2010787 || ET TROJAN Knockbot Proxy Response From Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010787 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010788 || ET TROJAN Knockbot Proxy Response From Controller (empty command) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown || url,doc.emergingthreats.net/2010788 || url,www.malwaredomainlist.com/mdl.php?search=knock.php 2010789 || ET TROJAN SpyBye Bot Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_SpyBye || url,doc.emergingthreats.net/2010789 || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot 2010790 || ET TROJAN Bredavi Configuration Update Response || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010790 2010791 || ET TROJAN Bredavi Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010791 2010792 || ET TROJAN Bredavi Proxy Registration || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || 
url,doc.emergingthreats.net/2010792 2010793 || ET TROJAN Bredavi Binary Download Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi || url,doc.emergingthreats.net/2010793 -> Added to emerging-virus.rules (2): #matt jonkman from sandnet data, updated by darren spruell #by evilghost and darren spruell -> Added to emerging-web_specific_apps.rules (1): #by strillsecure [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1807 # Generated 2010-02-06 00:03:02 EDT -> Removed from emerging-drop.rules (2): # VERSION 1807 # Generated 2010-02-06 00:03:02 EDT -> Removed from emerging-game.rules (1): #by Akash Mahajan at Stillsecure -> Removed from emerging-p2p.rules (1): #by Blake Hartstein -> Removed from emerging-sid-msg.map (44): 2003172 || ET P2P Manolito Search Query || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Blubster || url,doc.emergingthreats.net/bin/view/Main/2003172 || url,www.blubster.com 2007743 || ET TROJAN Dialer.qn HTTP Request - Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2007743 2007745 || ET TROJAN Parite.B HTTP Download Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Parite || url,doc.emergingthreats.net/2007745 2007850 || ET WEB_CLIENT ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Move_Networks || url,doc.emergingthreats.net/2007850 || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007906 || ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Ourgame || url,doc.emergingthreats.net/bin/view/Main/2007906 || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || 
url,www.milw0rm.com/exploits/5153 2007907 || ET WEB_CLIENT ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Move_Networks || url,doc.emergingthreats.net/2007907 || url,www.milw0rm.com/exploits/5190 2007936 || ET WEB_SERVER Netwin Webmail SurgeMail Mail Server Format String Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Netwin || url,doc.emergingthreats.net/2007936 || bugtraq,27990 || cve,CVE-2008-1055 || url,aluigi.altervista.org/adv/surgemailz-adv.txt 2008227 || ET WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Secure_File_Delete || url,doc.emergingthreats.net/2008227 || url,www.milw0rm.com/exploits/5573 2010071 || ET TROJAN Hiloti/Mufanom Infection Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A 2010545 || ET TROJAN Unknown Fake AV Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010545 2010642 || ET SCAN Multiple FTP Root Login Attempts from Single Source, Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010642 2010643 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source, Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010643 2010743 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010764 || ET TROJAN Oficla Checkin (2) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010765 || ET TROJAN 
Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010766 || ET POLICY Proxy TRACE Request - inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010767 || ET POLICY TRACE Request - outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || cve,2010-0255 || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag 2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || cve,2009-4185 || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727 2404046 || ET DROP Known Bot C&C Server Traffic TCP (group 24) || url,www.shadowserver.org 2404047 || ET DROP Known Bot C&C Server Traffic UDP (group 24) || url,www.shadowserver.org 2404048 || ET DROP Known Bot C&C Server Traffic TCP (group 25) || url,www.shadowserver.org 2404049 || ET DROP Known Bot C&C Server Traffic UDP (group 25) || url,www.shadowserver.org 2404050 || ET DROP Known Bot C&C Server Traffic TCP (group 26) || url,www.shadowserver.org 2404051 || ET DROP Known Bot C&C Server Traffic UDP (group 26) || url,www.shadowserver.org 2404052 || ET DROP Known Bot C&C Server Traffic TCP (group 27) || url,www.shadowserver.org 2404053 || ET DROP Known Bot C&C Server Traffic UDP (group 27) || url,www.shadowserver.org 2404054 || ET DROP Known Bot C&C Server Traffic TCP (group 28) || 
url,www.shadowserver.org 2404055 || ET DROP Known Bot C&C Server Traffic UDP (group 28) || url,www.shadowserver.org 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org 2405046 || ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org 2405047 || ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org 2405048 || ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org 2405049 || ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org 2405050 || ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org 2405051 || ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org 2405052 || ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org 2405053 || ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org 2405054 || ET DROP Known Bot C&C Traffic TCP (group 28) - BLOCKING SOURCE || url,www.shadowserver.org 2405055 || ET DROP Known Bot C&C Traffic UDP (group 28) - BLOCKING SOURCE || url,www.shadowserver.org 2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org 2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from emerging-sid-msg.map.txt (44): 2003172 || ET P2P Manolito Search Query || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Blubster || url,doc.emergingthreats.net/bin/view/Main/2003172 || url,www.blubster.com 2007743 || ET TROJAN Dialer.qn HTTP Request - Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2007743 2007745 || ET TROJAN Parite.B HTTP Download Detected || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Parite || url,doc.emergingthreats.net/2007745 2007850 || ET WEB_CLIENT ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Move_Networks || url,doc.emergingthreats.net/2007850 || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007906 || ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Ourgame || url,doc.emergingthreats.net/bin/view/Main/2007906 || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153 2007907 || ET WEB_CLIENT ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Move_Networks || url,doc.emergingthreats.net/2007907 || url,www.milw0rm.com/exploits/5190 2007936 || ET WEB_SERVER Netwin Webmail SurgeMail Mail Server Format String Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Netwin || url,doc.emergingthreats.net/2007936 || bugtraq,27990 || cve,CVE-2008-1055 || url,aluigi.altervista.org/adv/surgemailz-adv.txt 2008227 || ET WEB_CLIENT ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Secure_File_Delete || url,doc.emergingthreats.net/2008227 || url,www.milw0rm.com/exploits/5573 2010071 || ET TROJAN Hiloti/Mufanom Infection Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010071 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A 2010545 || ET TROJAN Unknown Fake AV Checkin || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010545 2010642 || ET SCAN Multiple FTP Root Login Attempts from Single Source, Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010642 2010643 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source, Possible Brute Force Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force || url,doc.emergingthreats.net/2010643 2010743 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010764 || ET TROJAN Oficla Checkin (2) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c 2010765 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B 2010766 || ET POLICY Proxy TRACE Request - inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010767 || ET POLICY TRACE Request - outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy 2010768 || WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 2010769 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer Dynamic Object Tag Information Disclosure Attempt || cve,2010-0255 || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag 2010770 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || cve,2009-4185 || 
url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727 2404046 || ET DROP Known Bot C&C Server Traffic TCP (group 24) || url,www.shadowserver.org 2404047 || ET DROP Known Bot C&C Server Traffic UDP (group 24) || url,www.shadowserver.org 2404048 || ET DROP Known Bot C&C Server Traffic TCP (group 25) || url,www.shadowserver.org 2404049 || ET DROP Known Bot C&C Server Traffic UDP (group 25) || url,www.shadowserver.org 2404050 || ET DROP Known Bot C&C Server Traffic TCP (group 26) || url,www.shadowserver.org 2404051 || ET DROP Known Bot C&C Server Traffic UDP (group 26) || url,www.shadowserver.org 2404052 || ET DROP Known Bot C&C Server Traffic TCP (group 27) || url,www.shadowserver.org 2404053 || ET DROP Known Bot C&C Server Traffic UDP (group 27) || url,www.shadowserver.org 2404054 || ET DROP Known Bot C&C Server Traffic TCP (group 28) || url,www.shadowserver.org 2404055 || ET DROP Known Bot C&C Server Traffic UDP (group 28) || url,www.shadowserver.org 2404056 || ET DROP Known Bot C&C Server Traffic TCP (group 29) || url,www.shadowserver.org 2404057 || ET DROP Known Bot C&C Server Traffic UDP (group 29) || url,www.shadowserver.org 2405046 || ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org 2405047 || ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org 2405048 || ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org 2405049 || ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org 2405050 || ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org 2405051 || ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org 2405052 || ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org 2405053 || ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org 2405054 || ET 
DROP Known Bot C&C Traffic TCP (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
2405055 || ET DROP Known Bot C&C Traffic UDP (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
2405056 || ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org
2405057 || ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE || url,www.shadowserver.org

-> Removed from emerging-virus.rules (2):
#matt jonkman from sandnet data
#based on clamav info, by matt Jonkman

-> Removed from emerging-web_server.rules (1):
#by Akash Mahajan

From thierry.chich at ac-clermont.fr Sun Feb 14 02:29:01 2010
From: thierry.chich at ac-clermont.fr (Thierry Chich)
Date: Sun, 14 Feb 2010 08:29:01 +0100
Subject: [Emerging-Sigs] disabling 2009024 ?
In-Reply-To: <4B758B93.4060609@jonkmans.com>
References: <4B754D88.9000304@ac-clermont.fr> <4B758B93.4060609@jonkmans.com>
Message-ID:

On 12 Feb 2010, at 18:10, Matt Jonkman wrote:

> Hi Thierry.
>
> They were dropped because we thought we'd seen the end of variants a
> and b. And because these sigs were VERY prone to false positives. But they
> were worth it at the time.
>
> Are you still seeing a and b infections being caught by these sigs?

Hi Matt,

You wouldn't believe it if you saw it. There is still a lot of active Conficker. However, I have read the rule again and I see why you say it is very prone to FP. But I think we could improve it very easily. By the way, all the alerts I see have one particularity: the URL never contains an FQDN. It is always an IP address.
I think a simple modification like this should do the trick:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\d\/search\?q=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:6;)

Thierry

> Matt
>
> On 2/12/10 7:46 AM, Thierry Chich wrote:
>> Hello,
>>
>> Could someone explain to me why rule 2009024 (ET TROJAN
>> Downadup/Conficker A or B Worm reporting) has been disabled? I think
>> it is a very curious choice, since it is one of the most useful rules I
>> had.
>> There are a lot of infected PCs, and Conficker is a very good friend of
>> other viruses. The other rules are not working very well. Furthermore,
>> the packet capture gives me the IP of the infected PCs (field
>> X-Forwarded-For:).
>>
>> Thanks for an answer.
>>
>> Thierry.
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs
>> and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
> --
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100214/1b3e82ae/attachment.html

From inurbitz at yahoo.com Sun Feb 14 11:21:04 2010
From: inurbitz at yahoo.com (Packet Hack)
Date: Sun, 14 Feb 2010 08:21:04 -0800 (PST)
Subject: [Emerging-Sigs] Update to sig 2010337
Message-ID: <866783.60521.qm@web113708.mail.gq1.yahoo.com>

Apologies for responding to myself. We've just run across yet another variant posting to /bbgfvdfv.php

Below are sigs in the same vein as some of the other FakeAV rules. The last two could replace (or one could become) 2010337.

--pkthck

------------------------

/etc/snort/rules/emerging/emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/bbgfvdfv.php?data="; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,doc.emergingthreats.net/2010234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; reference:url,www.threatexpert.com/report.aspx?md5=9be07b5a190500bd905af607753f7656; sid:XXXXXXX; rev:1;)

/etc/snort/rules/emerging/emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/borders.php"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,doc.emergingthreats.net/2010234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; reference:url,www.threatexpert.com/report.aspx?md5=ce260744bb141ac0122a61f8f58027e7; reference:url,www.threatexpert.com/report.aspx?md5=c2e1f131a0df90c0ddb5eb4cc0b9f3ab; sid:XXXXXXX; rev:1;)

/etc/snort/rules/emerging/emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/resolution.php"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,doc.emergingthreats.net/2010234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; reference:url,www.threatexpert.com/report.aspx?md5=ce260744bb141ac0122a61f8f58027e7; reference:url,www.threatexpert.com/report.aspx?md5=c2e1f131a0df90c0ddb5eb4cc0b9f3ab; sid:XXXXXXX; rev:1;)

________________________________
From: Packet Hack
To: emerging-sigs at emergingthreats.net
Sent: Wed, February 10, 2010 2:40:02 PM
Subject: Update to sig 2010337

Ran across some POSTs to /borders.php. Looks very similar to the FakeAV URLs found here:

http://www.threatexpert.com/report.aspx?md5=ce260744bb141ac0122a61f8f58027e7
http://www.threatexpert.com/report.aspx?md5=c2e1f131a0df90c0ddb5eb4cc0b9f3ab

including the payload in the form data=/CjEfcWB[...] that we see so often in the POSTs to the .gif URLs, e.g.

http://grandgoodarts.com/werber/d4958022902/217.gif

Think it's safe to say these are FakeAV.

--pkthck
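The two checks proposed in this thread, Thierry's IP-only-host tightening of sid 2009024 in his reply above and pkthck's FakeAV POST rules, written out in Python as an added example; this is not code from either poster or from the ET rule set. It goes one step beyond the Snort pcre: instead of relying on a digit immediately before /search (which only holds for the absolute-form request line a proxy-side sensor sees), it parses the request and tests whether the target host is an IP literal, so the same check also works on origin-form requests with a Host header. The q= length (1 to 3 digits) and the three POST paths are taken from the rules as posted; the sample requests, the addresses in them and the helper names (parse_request, conficker_report, fakeav_post, infected_client, triage) are constructed for the example.

```python
"""Added example, not from the Emerging-Sigs thread or the ET rule set:
Thierry's IP-only-host variant of sid 2009024 and pkthck's FakeAV POST
rules, implemented over raw HTTP requests so they can be exercised on
constructed traffic before being turned back into Snort rules.
"""
import ipaddress
import re
from typing import Optional

# Paths from pkthck's three rules; /borders.php and /resolution.php are the
# two he suggests could replace 2010337.
FAKEAV_POST_PATHS = ("/bbgfvdfv.php", "/borders.php", "/resolution.php")

# Conficker A/B report path: /search?q=<1-3 digits>, the bound used by the
# posted pcre. Anchoring to the whole path is an assumption of this example.
CONFICKER_PATH = re.compile(r"^/search\?q=[0-9]{1,3}$")


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser (request line, headers, body).
    Handles both origin-form (GET /search?q=1 with a Host header) and the
    absolute-form (GET http://1.2.3.4/search?q=1) that a proxy sees.
    IPv4 hosts only; an IPv6 literal in brackets is not handled here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host, path = headers.get("host", ""), target
    m = re.match(r"^https?://([^/]+)(/.*)?$", target, re.IGNORECASE)
    if m:  # absolute-form: the authority in the request line wins
        host, path = m.group(1), (m.group(2) or "/")
    return {"method": method, "host": host.split(":")[0], "path": path,
            "headers": headers, "body": body}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def conficker_report(req: dict) -> bool:
    """sid 2009024 with Thierry's tightening: fire only when the target host
    is a bare IP address, which is what drops the search-engine FPs."""
    return (req["method"] == "GET"
            and is_ip_literal(req["host"])
            and CONFICKER_PATH.match(req["path"]) is not None)


def fakeav_post(req: dict) -> bool:
    """pkthck's rules: POST to one of the known paths carrying data=, in the
    body or (for bbgfvdfv.php) in the query string."""
    if req["method"] != "POST":
        return False
    if req["path"].split("?", 1)[0] not in FAKEAV_POST_PATHS:
        return False
    return b"data=" in req["body"] or "data=" in req["path"]


def infected_client(req: dict, sensor_src: str) -> str:
    """Attribution: behind a forwarding proxy the real victim is the first
    X-Forwarded-For hop; otherwise the source the sensor saw. Only trust the
    header when the request came through your own proxy; clients can forge it."""
    xff = req["headers"].get("x-forwarded-for", "")
    first = xff.split(",")[0].strip()
    return first if first and is_ip_literal(first) else sensor_src


def triage(raw: bytes, sensor_src: str) -> Optional[str]:
    """One-line verdict in the style of a Snort msg, or None if nothing fired."""
    req = parse_request(raw)
    if conficker_report(req):
        return f"Conficker A/B report from {infected_client(req, sensor_src)} to {req['host']}"
    if fakeav_post(req):
        return f"FakeAV POST from {infected_client(req, sensor_src)} to {req['host']}{req['path']}"
    return None


# Constructed sample traffic; the addresses are documentation/private ranges.
SAMPLES = [
    # Absolute-form request via a proxy, IP host, XFF names the real victim.
    (b"GET http://203.0.113.10/search?q=17 HTTP/1.0\r\nHost: 203.0.113.10\r\n"
     b"X-Forwarded-For: 10.0.5.23\r\nUser-Agent: Mozilla/4.0\r\n\r\n", "10.0.0.2"),
    # Same path to a real search engine: the FQDN host is what caused the FPs.
    (b"GET /search?q=42 HTTP/1.1\r\nHost: www.google.com\r\n\r\n", "10.0.5.24"),
    # FakeAV checkin with data= in the body.
    (b"POST /borders.php HTTP/1.1\r\nHost: grandgoodarts.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 12\r\n\r\n"
     b"data=/CjEfcW", "10.0.5.25"),
    # Benign POST to an unrelated script.
    (b"POST /login.php HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=bob", "10.0.5.26"),
]


def run_samples() -> list:
    return [triage(raw, src) for raw, src in SAMPLES]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

Run directly it prints one verdict per sample; the two that fire are the proxied IP-host /search?q= request and the /borders.php POST, and the google.com request that tripped the old rule stays quiet. The X-Forwarded-For handling is what makes the alert actionable behind a forwarding proxy, which is the reason Thierry gives for keeping the rule despite its false positives.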
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100214/938f277b/attachment.html

From shyaam at gmail.com Sun Feb 14 13:35:07 2010
From: shyaam at gmail.com (Shyaam)
Date: Sun, 14 Feb 2010 18:35:07 +0000
Subject: [Emerging-Sigs] Good Article
In-Reply-To:
References: <4B70312B.4030707@jonkmans.com> <4B703611.9030507@packetmail.net>
Message-ID:

The Tao of Signature Writing - Part 3 has been published.

http://sign.kaffenews.com/

Shyaam

On Mon, Feb 8, 2010 at 4:06 PM, Joel Esler wrote:
> Excellent. Thanks.
>
> ;)
>
> J
>
> On Feb 8, 2010, at 11:04 AM, evilghost at packetmail.net wrote:
>
> > For Joel:
> >
> > curl -o - http://sign.kaffenews.com/ | sed 's/signature/rule/gi' > pedantic.html && firefox pedantic.html
> >
> > Verified working.
> >
> > -evilghost
> >
> > Joel Esler wrote:
> >> Snort shouldn't have signatures. It should have rules.
> >>
> >> Signatures look for "x".
> >>
> >> Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate.
> >>
> >> Semantics, maybe, but that's what sets Snort's detection language away from the rest.
> >>
> >> J
> >>
> >> On Feb 8, 2010, at 10:43 AM, Matt Jonkman wrote:
> >>
> >>> http://sign.kaffenews.com/
> >>>
> >>> Interesting article on signature writing.
> >>>
> >>> Matt
> >>>
> >>> ----------------------------------------------------
> >>> Matthew Jonkman
> >>> Emerging Threats
> >>> Open Information Security Foundation (OISF)
> >>> Phone 765-429-0398
> >>> Fax 312-264-0205
> >>> http://www.emergingthreats.net
> >>> http://www.openinfosecfoundation.org
> >>> ----------------------------------------------------
> >>>
> >>> PGP: http://www.jonkmans.com/mattjonkman.asc
> >>>
> >>> _______________________________________________
> >>> Emerging-sigs mailing list
> >>> Emerging-sigs at emergingthreats.net
> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> >>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> >>
> >> --
> >> Joel Esler
> >> 302-223-5974
>
> --
> Joel Esler
> 302-223-5974

--
Thank you in advance for your time and consideration.
Kind Regards,
Shyaam Sundhar R.S.
www.EvilFingers.com
www.RootkitAnalytics.com

Certs:
GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA, GCIH, CAS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100214/9662caa1/attachment.html

From bamm.visscher at gmail.com Sun Feb 14 14:35:32 2010
From: bamm.visscher at gmail.com (Bamm Visscher)
Date: Sun, 14 Feb 2010 14:35:32 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To:
References: <4B70312B.4030707@jonkmans.com>
Message-ID: <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com>

Rule and signature have been used to mean the same thing when talking about snort since like forever. Defining a difference between the two might make a slick looking PPT on your sales calls, but do you really think it's worth pointing out in a forum like this? ;)

Bamm

On Mon, Feb 8, 2010 at 10:58 AM, Joel Esler wrote:
> Snort shouldn't have signatures. It should have rules.
>
> Signatures look for "x".
>
> Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate.
>
> Semantics, maybe, but that's what sets Snort's detection language away from the rest.
>
> J
>
> On Feb 8, 2010, at 10:43 AM, Matt Jonkman wrote:
>
>> http://sign.kaffenews.com/
>>
>> Interesting article on signature writing.
>>
>> Matt
>
> --
> Joel Esler
> 302-223-5974

--
sguil - The Analyst Console for NSM
http://sguil.sf.net

From greg at netpublishing.com Sun Feb 14 14:51:29 2010
From: greg at netpublishing.com (Gregory W. MacPherson)
Date: Sun, 14 Feb 2010 11:51:29 -0800
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com>
Message-ID: <20100214195129.GC74260@b2.datasieve.net>

hair->split();

=;^)

On or about 2010.02.14 14:35:32 +0000, Bamm Visscher (bamm.visscher at gmail.com) said:
> Rule and signature have been used to mean the same thing when talking
> about snort since like forever. Defining a difference between the two
> might make a slick looking PPT on your sales calls, but do you really
> think it's worth pointing out in a forum like this? ;)
>
> Bamm
>
> On Mon, Feb 8, 2010 at 10:58 AM, Joel Esler wrote:
> > Snort shouldn't have signatures. It should have rules.
> >
> > Signatures look for "x".
> >
> > Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate.
> >
> > Semantics, maybe, but that's what sets Snort's detection language away from the rest.
> >
> > J
>
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net

--
Gregory W. MacPherson
Global Network Exploitation Specialist, CISSP, Security+, ITIL
http://www.netpublishing.com/greg/

From eslerj at gmail.com Sun Feb 14 15:26:51 2010
From: eslerj at gmail.com (Joel Esler)
Date: Sun, 14 Feb 2010 15:26:51 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <20100214195129.GC74260@b2.datasieve.net>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net>
Message-ID: <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com>

Bamm --

Yes.

Thanks.

--
Joel Esler
302-223-5974
Sent from my iPhone

On Feb 14, 2010, at 2:51 PM, "Gregory W. MacPherson" wrote:
> hair->split();
>
> =;^)
>
> On or about 2010.02.14 14:35:32 +0000, Bamm Visscher (bamm.visscher at gmail.com) said:
>
>> Rule and signature have been used to mean the same thing when talking
>> about snort since like forever. Defining a difference between the two
>> might make a slick looking PPT on your sales calls, but do you really
>> think it's worth pointing out in a forum like this? ;)
>>
>> Bamm
>
> --
> Gregory W. MacPherson
> Global Network Exploitation Specialist, CISSP, Security+, ITIL
> http://www.netpublishing.com/greg/

From shyaam at gmail.com Sun Feb 14 15:30:33 2010
From: shyaam at gmail.com (Shyaam)
Date: Sun, 14 Feb 2010 20:30:33 +0000
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com>
Message-ID:

Come on guys! Give Joel a break... What he said was somewhat right that rules are better than signatures, although at some point signature became rulesets... similar to how we ask a person "did you xerox the documents" instead of "did you copy the documents". Or something like "did you google it" instead of "did you search for it". Anyways! I think everyone is on the same boat and let's continue with something more meaningful than putting each other down :) just my 2 cents...

Shyaam

On Sun, Feb 14, 2010 at 8:26 PM, Joel Esler wrote:
> Bamm --
>
> Yes.
>
> Thanks.
>
> --
> Joel Esler
> 302-223-5974
> Sent from my iPhone
>
> On Feb 14, 2010, at 2:51 PM, "Gregory W. MacPherson" wrote:
>
> > hair->split();
> >
> > =;^)
> >
> > On or about 2010.02.14 14:35:32 +0000, Bamm Visscher (bamm.visscher at gmail.com) said:
> >
> >> Rule and signature have been used to mean the same thing when talking
> >> about snort since like forever. Defining a difference between the two
> >> might make a slick looking PPT on your sales calls, but do you really
> >> think it's worth pointing out in a forum like this? ;)
> >>
> >> Bamm

--
Thank you in advance for your time and consideration.
Kind Regards,
Shyaam Sundhar R.S.
www.EvilFingers.com
www.RootkitAnalytics.com

Certs:
GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA, GCIH, CAS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100214/7ac81c56/attachment-0001.html

From eslerj at gmail.com Sun Feb 14 15:41:55 2010
From: eslerj at gmail.com (Joel Esler)
Date: Sun, 14 Feb 2010 15:41:55 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To:
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com>
Message-ID:

Shyaam,

Thanks. Bamm wasn't disagreeing with me, he's just busting my chops.
--
Joel Esler
302-223-5974
Sent from my iPhone

On Feb 14, 2010, at 3:30 PM, Shyaam wrote:
> Come on guys! Give Joel a break... What he said was somewhat right
> that rules are better than signatures, although at some point
> signature became rulesets... similar to how we ask a person "did you
> xerox the documents" instead of "did you copy the documents". Or
> something like "did you google it" instead of "did you search for
> it". Anyways! I think everyone is on the same boat and let's continue
> with something more meaningful than putting each other down :) just
> my 2 cents...
>
> Shyaam
>
> On Sun, Feb 14, 2010 at 8:26 PM, Joel Esler wrote:
> Bamm --
>
> Yes.
>
> Thanks.
>
> --
> Joel Esler
> 302-223-5974
> Sent from my iPhone
>
> On Feb 14, 2010, at 2:51 PM, "Gregory W. MacPherson" wrote:
>
> > hair->split();
> >
> > =;^)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100214/f35a523a/attachment.html

From emerging at emergingthreats.net Sun Feb 14 16:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 14 Feb 2010 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100214210013.8612245055@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Feb 14 16:00:13 2010 [***]

[*] Rules modifications: [*]
    None.
[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (16):
    -> Added to emerging-sid-msg.map.txt (16):

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (64):
    -> Removed from emerging-sid-msg.map.txt (64):
Known Compromised or Hostile Host Traffic UDP (412) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500824 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (413) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500825 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (413) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500826 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (414) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500827 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (414) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500828 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (415) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500829 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (415) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500830 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (416) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500831 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (416) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500832 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (417) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500833 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (417) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500834 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (418) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500835 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (418) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500836 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (419) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500837 || ET COMPROMISED Known Compromised or Hostile Host 
Traffic UDP (419) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500838 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (420) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500839 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (420) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500840 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (421) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500841 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (421) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500842 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (422) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500843 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (422) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500844 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500845 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510814 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (408) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510815 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (408) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510816 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (409) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510817 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (409) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510818 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (410) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510819 || ET COMPROMISED Known Compromised 
or Hostile Host Traffic UDP - BLOCKING (410) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510820 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (411) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510821 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (411) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510822 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (412) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510823 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (412) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510824 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (413) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510825 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (413) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510826 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (414) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510827 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (414) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510828 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (415) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510829 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (415) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510830 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (416) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510831 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (416) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510832 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - 
BLOCKING (417) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510833 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (417) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510834 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (418) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510835 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (418) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510836 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (419) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510837 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (419) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510838 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (420) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510839 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (420) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510840 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (421) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510841 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (421) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510842 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (422) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510843 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (422) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510844 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (423) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510845 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (423) || 
From bamm.visscher at gmail.com Sun Feb 14 17:07:50 2010
From: bamm.visscher at gmail.com (Bamm Visscher)
Date: Sun, 14 Feb 2010 17:07:50 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To:
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com>
Message-ID: <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com>

Yeah, that was a lot of chop busting laced with a little seriousness. Snort's flexibility and openness is its greatest asset. I am just glad to see the community at large still taking an interest in Snort and putting forth the effort to help others.

Signatures/rules are an odd beast. The world's ugliest and simplest sig could be the one that saves your arse. And depending on the threat, the awesome "rule" that detects some zero day in MS RPC could be useless and wasting CPU cycles.

Bamm

P.S. Don't worry about Joel. He gets his licks in.

On Sun, Feb 14, 2010 at 3:41 PM, Joel Esler wrote:
> Shyaam,
> Thanks. Bamm wasn't disagreeing with me, he's just busting my chops.
> --
> Joel Esler
> 302-223-5974
> Sent from my iPhone
>
> On Feb 14, 2010, at 3:30 PM, Shyaam wrote:
>
> Come on guys! Give Joel a break... What he said was somewhat right that rules are better than signatures, although at some point signature became rulesets... similar to how we ask a person "did you xerox the documents" instead of "did you copy the documents". Or something like "did you google it" instead of "did you search for it". Anyways! I think everyone is on the same boat and let's continue with something more meaningful than putting each other down :) just my 2 cents...
>
> Shyaam
>
> On Sun, Feb 14, 2010 at 8:26 PM, Joel Esler wrote:
>>
>> Bamm --
>>
>> Yes.
>>
>> Thanks.
>>
>> --
>> Joel Esler
>> 302-223-5974
>> Sent from my iPhone
>>
>> On Feb 14, 2010, at 2:51 PM, "Gregory W. MacPherson" wrote:
>>
>>> hair->split();
>>>
>>> =;^)
>>>
>>> On or about 2010.02.14 14:35:32 +0000, Bamm Visscher (bamm.visscher at gmail.com) said:
>>>
>>>> Rule and signature have been used to mean the same thing when talking about snort since like forever. Defining a difference between the two might make a slick looking PPT on your sales calls, but do you really think it's worth pointing out in a forum like this? ;)
>>>>
>>>> Bamm
>>>>
>>>> On Mon, Feb 8, 2010 at 10:58 AM, Joel Esler wrote:
>>>>> Snort shouldn't have signatures. It should have rules.
>>>>>
>>>>> Signatures look for "x".
>>>>>
>>>>> Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate.
>>>>>
>>>>> Semantics, maybe, but that's what sets Snort's detection language away from the rest.
>>>>>
>>>>> J
>>>>>
>>>>> On Feb 8, 2010, at 10:43 AM, Matt Jonkman wrote:
>>>>>
>>>>>> http://sign.kaffenews.com/
>>>>>>
>>>>>> Interesting article on signature writing.
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> ----------------------------------------------------
>>>>>> Matthew Jonkman
>>>>>> Emerging Threats
>>>>>> Open Information Security Foundation (OISF)
>>>>>> Phone 765-429-0398
>>>>>> Fax 312-264-0205
>>>>>> http://www.emergingthreats.net
>>>>>> http://www.openinfosecfoundation.org
>>>>>> ----------------------------------------------------
>>>>>>
>>>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>>>
>>>>>> _______________________________________________
>>>>>> Emerging-sigs mailing list
>>>>>> Emerging-sigs at emergingthreats.net
>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>
>>>>>> Support Emerging Threats! Get your ET Stuff!
>>>>>> Tshirts, Coffee Mugs and Lanyards
>>>>>>
>>>>>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>>>>>
>>>>> --
>>>>> Joel Esler
>>>>> 302-223-5974
>>>>
>>>> --
>>>> sguil - The Analyst Console for NSM
>>>> http://sguil.sf.net
>>>
>>> --
>>> Gregory W. MacPherson
>>> Global Network Exploitation Specialist, CISSP, Security+, ITIL
>>> http://www.netpublishing.com/greg/
>
> --
> Thank you in advance for your time and consideration.
> Kind Regards,
> Shyaam Sundhar R.S.
> www.EvilFingers.com
> www.RootkitAnalytics.com
>
> Certs:
> GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA, GCIH, CAS

--
sguil - The Analyst Console for NSM
http://sguil.sf.net

From eslerj at gmail.com Sun Feb 14 21:27:16 2010
From: eslerj at gmail.com (Joel Esler)
Date: Sun, 14 Feb 2010 21:27:16 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com> <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com>
Message-ID: <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com>

I look at it like this.

Remember the old Dragon rules? (I don't know how they are anymore) but they were little more than just plain (extremely limited) regular expressions.

That's a signature.

That's how I separate the two in my mind.

J

On Feb 14, 2010, at 5:07 PM, Bamm Visscher wrote:
> Yeah, that was a lot of chop busting laced with a little seriousness. Snort's flexibility and openness is its greatest asset. I am just glad to see the community at large still taking an interest in Snort and putting forth the effort to help others.
>
> Signatures/rules are an odd beast. The world's ugliest and simplest sig could be the one that saves your arse. And depending on the threat, the awesome "rule" that detects some zero day in MS RPC could be useless and wasting CPU cycles.
>
> Bamm
>
> P.S.
>
> Don't worry about Joel. He gets his licks in.
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net

--
Joel Esler
302-223-5974

From shyaam at gmail.com Sun Feb 14 21:36:04 2010
From: shyaam at gmail.com (Shyaam)
Date: Mon, 15 Feb 2010 02:36:04 +0000
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com> <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com> <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com>
Message-ID:

Hello Joel,

Although it is true that we could make signatures more sensible and call them rules, by not providing appropriate limitations to the rules we would overload the device itself. There are several processes involved in how a rule should be seen. There are several computations involved in running each and every rule for each packet. There are limitations in everything we have:

- Components of the rule
- number of rules in the device
- Computation that could be done simultaneously [parallel processing, multi threading, multi core, etc.]
- limitations in the device [memory, processing power, etc.]
- time to do all this and to make sure that it is almost in real time
- Algorithm behind implementation
- Most optimal solution.

There are several others that aren't listed above. But the ideal situation would be to have a tradeoff in all of the above and arrive at the most optimal solution. There is a tradeoff in everything. There is no one perfect ruleset that runs the best in all given situations. Hence, I believe that restricting your definition to "something more than just plain regex" is a limitation by itself.
Guess you might want to rethink the classification :(

Correct me if I am wrong, but I have always had the above in my mind to keep the thought process open.

Shyaam

On Mon, Feb 15, 2010 at 2:27 AM, Joel Esler wrote:
> I look at it like this.
>
> Remember the old Dragon rules? (I don't know how they are anymore) but they were little more than just plain (extremely limited) regular expressions.
>
> That's a signature.
>
> That's how I separate the two in my mind.
>
> J
> --
> Joel Esler
> 302-223-5974

--
Thank you in advance for your time and consideration.
Kind Regards,
Shyaam Sundhar R.S.
www.EvilFingers.com
www.RootkitAnalytics.com

Certs:
GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA, GCIH, CAS
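As an added example (not code from this thread, from Snort or from any ET ruleset), the Python toy below contrasts the two things Joel separates: a signature that looks for "x" in any packet, and a rule that models the protocol first and looks for "x" only in the field where it matters. It also counts content searches, which is the CPU-cycles tradeoff Bamm and Shyaam raise. Packet, Detector, the sample traffic and the token cmd.exe are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    """One reassembled application-layer message (constructed for the example)."""
    label: str
    dst_port: int
    to_server: bool      # flow direction, like Snort's flow:to_server
    payload: bytes


# "x": the token both detections look for (constructed; any token would do).
PATTERN = re.compile(rb"cmd\.exe", re.IGNORECASE)

# Ports the rule treats as web servers (stands in for $HTTP_PORTS).
HTTP_PORTS = {80, 8080}
# Minimal HTTP model: a request line with method, URI and version.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


class Detector:
    """Runs both detections and counts content searches, so the cost side
    of the tradeoff is visible alongside the false-positive side."""

    def __init__(self) -> None:
        self.signature_searches = 0
        self.rule_searches = 0

    def signature(self, pkt: Packet) -> bool:
        """Signature: look for "x" anywhere, any direction, any port."""
        self.signature_searches += 1
        return PATTERN.search(pkt.payload) is not None

    def rule(self, pkt: Packet) -> bool:
        """Rule: model the protocol, then look for "x" only in the URI."""
        # Cheap gates first: direction and service port.
        if not pkt.to_server or pkt.dst_port not in HTTP_PORTS:
            return False
        # Protocol model: the payload must actually be an HTTP request.
        m = REQUEST_LINE.match(pkt.payload)
        if m is None:
            return False
        # Only now pay for the content search, and only over the URI.
        self.rule_searches += 1
        return PATTERN.search(m.group(2)) is not None


# Constructed sample traffic, not real captures.
SAMPLE_PACKETS: List[Packet] = [
    Packet("http request with token in URI", 80, True,
           b"GET /scripts/cmd.exe?/c+dir HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("http response mentioning token", 51234, False,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<p>Open cmd.exe to get a command prompt.</p>"),
    Packet("smtp body mentioning token", 25, True,
           b"Subject: help\r\n\r\nI deleted cmd.exe by mistake, can you restore it?\r\n"),
    Packet("benign http request", 80, True,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def evaluate(packets: List[Packet]) -> Dict[str, object]:
    """Run both detections over the traffic; return hits and search counts."""
    det = Detector()
    sig_hits = [det.signature(p) for p in packets]
    rule_hits = [det.rule(p) for p in packets]
    return {
        "signature": sig_hits,
        "rule": rule_hits,
        "signature_searches": det.signature_searches,
        "rule_searches": det.rule_searches,
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_PACKETS)
    for pkt, s, r in zip(SAMPLE_PACKETS, result["signature"], result["rule"]):
        print(f"{pkt.label:34} signature={s!s:5} rule={r!s:5}")
    print("content searches: signature=%d rule=%d"
          % (result["signature_searches"], result["rule_searches"]))
```

The signature fires on all three packets that merely contain the token, two of them false positives; the rule fires only on the HTTP request and never runs the content search on the response or the SMTP message at all.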
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100215/b764ed5d/attachment-0001.html

From evilghost at packetmail.net Sun Feb 14 21:43:36 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Sun, 14 Feb 2010 20:43:36 -0600
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com> <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com> <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com>
Message-ID: <4B78B4D8.7030006@packetmail.net>

Not trying to stir the pot, but I guess I will. Peek at
http://www.google.com/search?q=site%3Asnort.org+rules

"Sourcefire Vulnerability Research Team™ (VRT) /Rules/ are the official /rules/ of snort.org. Each /rule/ is developed and tested using the same rigorous standards"
"The VRT develops and maintains the official /rule/ set of Snort.org. *...* The VRT also maintains shared object /rules/ that are distributed for many platforms in"
"Jan 28, 2010 *...* As a result of ongoing research, the Sourcefire VRT has added multiple /rules/ to the policy, web-misc, web-client, specific-threats and "
"Jan 21, 2010 *...* /Rules/ to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 16376 through 1637"
...

Joel, why is SourceFire still writing *rules* instead of *signatures* :)

-evilghost

Joel Esler wrote:
> I look at it like this.
>
> Remember the old Dragon rules? (I don't know how they are anymore) but they were little more than just plain (extremely limited) regular expressions.
>
> That's a signature.
>
> That's how I separate the two in my mind.
>
> J
>
> On Feb 14, 2010, at 5:07 PM, Bamm Visscher wrote:
>

From evilghost at packetmail.net Sun Feb 14 21:47:56 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Sun, 14 Feb 2010 20:47:56 -0600
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <4B78B4D8.7030006@packetmail.net>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com> <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com> <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com> <4B78B4D8.7030006@packetmail.net>
Message-ID: <4B78B5DC.3000309@packetmail.net>

Damn. I failed at reading comprehension. I was hoping I could troll Joel a bit with this one but I just realized I'm actually supporting his point that they should be called rules, not signatures. Someone bring me some beer, Joel you buying?

-evilghost

evilghost at packetmail.net wrote:
> Not trying to stir the pot, but I guess I will. Peek at
> http://www.google.com/search?q=site%3Asnort.org+rules
>
> "Sourcefire Vulnerability Research Team™ (VRT) /Rules/ are the official
> /rules/ of snort.org. Each /rule/ is developed and tested using the same
> rigorous standards"
> "The VRT develops and maintains the official /rule/ set of Snort.org.
> *...* The VRT also maintains shared object /rules/ that are distributed
> for many platforms in"
> "Jan 28, 2010 *...* As a result of ongoing research, the Sourcefire VRT
> has added multiple /rules/ to the policy, web-misc, web-client,
> specific-threats and "
> "Jan 21, 2010 *...* /Rules/ to detect attacks targeting these
> vulnerabilities are included in this release and are identified with GID
> 3, SIDs 16376 through 1637"
> ...
>
> Joel, why is SourceFire still writing *rules* instead of *signatures* :)
>
> -evilghost
>
> Joel Esler wrote:
>
>> I look at it like this.
>>
>> Remember the old Dragon rules?
>> (I don't know how they are anymore) but they were little more than just plain (extremely limited) regular expressions.
>>
>> That's a signature.
>>
>> That's how I separate the two in my mind.
>>
>> J
>>
>> On Feb 14, 2010, at 5:07 PM, Bamm Visscher wrote:
>>
>>
>

From shyaam at gmail.com Sun Feb 14 21:56:35 2010
From: shyaam at gmail.com (Shyaam)
Date: Mon, 15 Feb 2010 02:56:35 +0000
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <4B78B5DC.3000309@packetmail.net>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com> <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com> <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com> <4B78B4D8.7030006@packetmail.net> <4B78B5DC.3000309@packetmail.net>
Message-ID:

This page was intentionally left BLANK. If you are seeing any text in here, it means that you are hallucinating. Side effects of reading the above include [and are not limited to]: nausea, vomiting, dizziness, heart attack, stroke, coma and in some cases, death.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100215/c6773b8d/attachment.html

From eslerj at gmail.com Sun Feb 14 22:28:41 2010
From: eslerj at gmail.com (Joel Esler)
Date: Sun, 14 Feb 2010 22:28:41 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <4B78B4D8.7030006@packetmail.net>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com> <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com> <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com> <4B78B4D8.7030006@packetmail.net>
Message-ID:

Yes. Snort's language has the ability to model protocols and sessions. Not just look for strings. There is a lot of capability in the language that most don't use. That's why we call them rules instead of plain signatures.

--
Joel Esler
302-223-5974
Sent from my iPhone

On Feb 14, 2010, at 9:43 PM, "evilghost at packetmail.net" wrote:

> Not trying to stir the pot, but I guess I will. Peek at
> http://www.google.com/search?q=site%3Asnort.org+rules
>
> "Sourcefire Vulnerability Research Team™ (VRT) /Rules/ are the official
> /rules/ of snort.org. Each /rule/ is developed and tested using the same
> rigorous standards"
> "The VRT develops and maintains the official /rule/ set of Snort.org.
> *...* The VRT also maintains shared object /rules/ that are distributed
> for many platforms in"
> "Jan 28, 2010 *...* As a result of ongoing research, the Sourcefire VRT
> has added multiple /rules/ to the policy, web-misc, web-client,
> specific-threats and "
> "Jan 21, 2010 *...* /Rules/ to detect attacks targeting these
> vulnerabilities are included in this release and are identified with GID
> 3, SIDs 16376 through 1637"
> ...
>
> Joel, why is SourceFire still writing *rules* instead of *signatures* :)
>
> -evilghost
>
> Joel Esler wrote:
>> I look at it like this.
>>
>> Remember the old Dragon rules?
>> (I don't know how they are anymore) but they were little more than just plain (extremely limited) regular expressions.
>>
>> That's a signature.
>>
>> That's how I separate the two in my mind.
>>
>> J
>>
>> On Feb 14, 2010, at 5:07 PM, Bamm Visscher wrote:
>>
>

From eslerj at gmail.com Sun Feb 14 22:29:20 2010
From: eslerj at gmail.com (Joel Esler)
Date: Sun, 14 Feb 2010 22:29:20 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <4B78B5DC.3000309@packetmail.net>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com> <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com> <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com> <4B78B4D8.7030006@packetmail.net> <4B78B5DC.3000309@packetmail.net>
Message-ID:

How about we all stop trying to troll the Sourcefire employee and understand what I am trying to say?

--
Joel Esler
302-223-5974
Sent from my iPhone

On Feb 14, 2010, at 9:47 PM, "evilghost at packetmail.net" wrote:

> Damn. I failed at reading comprehension. I was hoping I could troll Joel a bit with this one but I just realized I'm actually supporting his point that they should be called rules, not signatures. Someone bring me some beer, Joel you buying?
>
> -evilghost
>
> evilghost at packetmail.net wrote:
>> Not trying to stir the pot, but I guess I will. Peek at
>> http://www.google.com/search?q=site%3Asnort.org+rules
>>
>> "Sourcefire Vulnerability Research Team™ (VRT) /Rules/ are the official
>> /rules/ of snort.org.
>> Each /rule/ is developed and tested using the same rigorous standards"
>> "The VRT develops and maintains the official /rule/ set of Snort.org.
>> *...* The VRT also maintains shared object /rules/ that are distributed
>> for many platforms in"
>> "Jan 28, 2010 *...* As a result of ongoing research, the Sourcefire VRT
>> has added multiple /rules/ to the policy, web-misc, web-client,
>> specific-threats and "
>> "Jan 21, 2010 *...* /Rules/ to detect attacks targeting these
>> vulnerabilities are included in this release and are identified with GID
>> 3, SIDs 16376 through 1637"
>> ...
>>
>> Joel, why is SourceFire still writing *rules* instead of *signatures* :)
>>
>> -evilghost
>>
>> Joel Esler wrote:
>>
>>> I look at it like this.
>>>
>>> Remember the old Dragon rules? (I don't know how they are anymore) but they were little more than just plain (extremely limited) regular expressions.
>>>
>>> That's a signature.
>>>
>>> That's how I separate the two in my mind.
>>>
>>> J
>>>
>>> On Feb 14, 2010, at 5:07 PM, Bamm Visscher wrote:
>>>
>>>
>>
>
From bamm.visscher at gmail.com Sun Feb 14 23:01:04 2010
From: bamm.visscher at gmail.com (Bamm Visscher)
Date: Sun, 14 Feb 2010 23:01:04 -0500
Subject: [Emerging-Sigs] Good Article
In-Reply-To: <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com>
References: <4B70312B.4030707@jonkmans.com> <27492851002141135y537c3299ve28f178e9aad17fa@mail.gmail.com> <20100214195129.GC74260@b2.datasieve.net> <913163B1-ACD9-46C1-A829-994630F201FC@gmail.com> <27492851002141407ub161541radf9e7e12c8e9585@mail.gmail.com> <3A746F9C-2070-4F33-B2D3-4449E74DE67B@gmail.com>
Message-ID: <27492851002142001t56b6195bv662d2e16e2f2ef34@mail.gmail.com>

I look at it like this. Every snort rule has a signature ID and documentation in docs/signatures. Every signature is in a file called *.rules. If you look at the code and official documentation, you will see the two terms used interchangeably all over. The whole debate over signature and rule is really just vendor nonsense. The first time I heard anyone really try to differentiate between the two was from an unnamed vendor comparing their "rule based engine" to Snort's "signature based" one. An IPS has rules you know. Personally, I prefer the term signature, but I probably use the term rule just as much.

Bamm

On 2/14/10, Joel Esler wrote:
> I look at it like this.
>
> Remember the old Dragon rules? (I don't know how they are anymore) but they were little more than just plain (extremely limited) regular expressions.
>
> That's a signature.
>
> That's how I separate the two in my mind.
>
> J
>
> On Feb 14, 2010, at 5:07 PM, Bamm Visscher wrote:
>
>> Yeah, that was a lot of chop busting laced with a little seriousness. Snort's flexibility and openness is its greatest asset. I am just glad to see the community at large still taking an interest in Snort and putting forth the effort to help others.
>>
>> Signatures/rules are an odd beast.
>> The world's ugliest and simplest sig could be the one that saves your arse. And depending on the threat, the awesome "rule" that detects some zero day in MS RPC could be useless and wasting CPU cycles.
>>
>> Bamm
>>
>> P.S.
>>
>> Don't worry about Joel. He gets his licks in.
>>
>> On Sun, Feb 14, 2010 at 3:41 PM, Joel Esler wrote:
>>> Shyaam,
>>> Thanks. Bamm wasn't disagreeing with me, he's just busting my chops.
>>> --
>>> Joel Esler
>>> 302-223-5974
>>> Sent from my iPhone
>>> On Feb 14, 2010, at 3:30 PM, Shyaam wrote:
>>>
>>> Come on guys! Give Joel a break... What he said was somewhat right that rules are better than signatures, although at some point signature became rulesets... similar to how we ask a person "did you xerox the documents" instead of "did you copy the documents". Or something like "did you google it" instead of "did you search for it". Anyways! I think everyone is on the same boat and let's continue with something more meaningful than putting each other down :) just my 2 cents...
>>>
>>> Shyaam
>>>
>>> On Sun, Feb 14, 2010 at 8:26 PM, Joel Esler wrote:
>>>>
>>>> Bamm --
>>>>
>>>> Yes.
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> Joel Esler
>>>> 302-223-5974
>>>> Sent from my iPhone
>>>>
>>>> On Feb 14, 2010, at 2:51 PM, "Gregory W. MacPherson" wrote:
>>>>
>>>>> hair->split();
>>>>>
>>>>> =;^)
>>>>>
>>>>> On or about 2010.02.14 14:35:32 +0000, Bamm Visscher (bamm.visscher at gmail.com) said:
>>>>>
>>>>>> Rule and signature have been used to mean the same thing when talking about snort since like forever. Defining a difference between the two might make a slick looking PPT on your sales calls, but do you really think it's worth pointing out in a forum like this? ;)
>>>>>>
>>>>>> Bamm
>>>>>>
>>>>>> On Mon, Feb 8, 2010 at 10:58 AM, Joel Esler wrote:
>>>>>>> Snort shouldn't have signatures. It should have rules.
>>>>>>>
>>>>>>> Signatures look for "x".
>>>>>>>
>>>>>>> Rules are a combination of modeling the protocol and looking for "x", providing a very low false positive rate.
>>>>>>>
>>>>>>> Semantics, maybe, but that's what sets Snort's detection language away from the rest.
>>>>>>>
>>>>>>> J
>>>>>>>
>>>>>>> On Feb 8, 2010, at 10:43 AM, Matt Jonkman wrote:
>>>>>>>
>>>>>>>> http://sign.kaffenews.com/
>>>>>>>>
>>>>>>>> Interesting article on signature writing.
>>>>>>>>
>>>>>>>> Matt
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>

--
sguil - The Analyst Console for NSM
http://sguil.sf.net

From mail at mare-system.de Mon Feb 15 02:55:11 2010
From: mail at mare-system.de (mex)
Date: Mon, 15 Feb 2010 08:55:11 +0100
Subject: [Emerging-Sigs] DFind /w00tw00t.at.ISC.SANS.DFind
Message-ID: <4B78FDDF.4080101@mare-system.de>

I expected that one to be in the rulesets already, but did not find it.

# wootwoot #
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER DFind w00tw00t GET-Requests"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/w00tw00t.at.ISC.SANS.DFind"; nocase; classtype:attempted-recon; sid:11220056; rev:1;)

From jason.weir at nhrs.org Mon Feb 15 06:00:14 2010
From: jason.weir at nhrs.org (jason.weir@nhrs.org)
Date: 15 Feb 2010 06:00:14 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 75 Update
Message-ID:

MalwareURL.com Data Contains 97170 Entries - Here are the top 75 (46804)

 #   Signature   URI                          Count   Description
----------------------------------------------------------------------------------------
 1   none        index.php                     1869
 2   none        download/Setup_2005.exe       1325
 3   none        cache/readme.pdf              1197
 4   none        download/install.php          1094
 5   none        downloader.php                1080
 6   2010716     wywg/dh2/barley.exe           1009
 7   2010716     wywg/chd/opaslf.exe           1009
 8   2010716     wywg/rxcq/geoloal.exe          996
 9   2010716     wywg/mxd/mioslwer.exe          995
10   2010716     wywg/mssj/stress.exe           994
11   2010716     wywg/mxd/kpske3.exe            994
12   2010716     wywg/rxcq/market.exe           985
13   2010716     wywg/dxcys/ordinary.exe        985
14   2010716     wywg/jxqy3/jxkdk.exe           985
15   2010716     wywg/rxcq/permin.exe           985
16   2010716     wywg/mssj/brittle.exe          985
17   2010716     wywg/wlwz/wlmzjsg.exe          985
18   2010716     wywg/dxcys/peasant.exe         985
19   2010716     wywg/txer/sitoswd.exe          985
20   2010716     wywg/hx2/handfu.exe            984
21   2010716     wywg/yhzt/yhztzxieiai.exe      984
22   2010716     wywg/wmgj/wmdtgjg.exe          984
23   2010716     wywg/dxcys/Wilhelm.exe         984
24   2010716     wywg/cqwz/mfwgsw.exe           984
25   2010716     wywg/cqsj/allowed.exe          984
26   2010716     wywg/cqwz/sqkiwg.exe           984
27   2010716