From jonkman at jonkmans.com  Fri Jan  1 11:44:36 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 01 Jan 2010 11:44:36 -0500
Subject: [Emerging-Sigs] [Snort-users] Suricata IDS Available for Download!
In-Reply-To: <69544300912311649hb70154bk582e51a351d54b6a@mail.gmail.com>
References: <4B3D0569.4020907@jonkmans.com> <77e259cc0912311242r28de2ab9vcd0bb8331458df09@mail.gmail.com> <4B3D0D33.7050707@jonkmans.com> <69544300912311649hb70154bk582e51a351d54b6a@mail.gmail.com>
Message-ID: <4B3E2674.2060503@jonkmans.com>

We were slashdotted, which caused massive problems of course.

Things are all back to normal. You can get code at:

http://openinfosecfoundation.org/index.php/download-suricata

Should remain stable. We're still on the front page at slashdot, but the
load is manageable now thankfully.

Matt

On 12/31/09 7:49 PM, Jules Pagna Disso wrote:
> Hi Matt,
>
> The job done sounds great. It seems as if the download link is not
> active or broken?
>
> Happy new year!
> Jules
>
> 2009/12/31 Matt Jonkman
>
> > Thanks Matt! That's great to hear from you!
> >
> > Look forward to your feedback.
> >
> > Matt
> >
> > On 12/31/09 3:42 PM, Matt Olney wrote:
> > > Congrats to Matt Jonkman and the team at OISF. It's a big step, and I
> > > look forward to seeing your work (after the new year :))
> > >
> > > Matt
> > >
> > > On Thu, Dec 31, 2009 at 3:11 PM, Matt Jonkman wrote:
> > > >
> > > > Full Announcement here:
> > > > http://www.openinfosecfoundation.org/
> > > >
> > > > It's been about three years in the making, but the day has finally
> > > > come! We have the first release of the Suricata Engine! The engine is
> > > > an Open Source Next Generation Intrusion Detection and Prevention
> > > > Tool, not intended to just replace or emulate the existing tools in
> > > > the industry, but to bring new ideas and technologies to the field.
> > > >
> > > > The Suricata Engine and the HTP Library are available to use under
> > > > the GPLv2.
> > > >
> > > > The HTP Library is an HTTP normalizer and parser written by Ivan
> > > > Ristic of Mod Security fame for the OISF. This integrates and
> > > > provides very advanced processing of HTTP streams for Suricata. The
> > > > HTP library is required by the engine, but may also be used
> > > > independently in a range of applications and tools.
> > > >
> > > > This is considered a Beta Release as we are seeking feedback from
> > > > the community. This release has many of the major new features we
> > > > wanted to add to the industry, but certainly not all. We intend to
> > > > get this base engine out and stable, and then continue to add new
> > > > features. We expect several new releases in the month of January
> > > > culminating in a production quality release shortly thereafter.
> > > >
> > > > The engine and the HTP Library are available here:
> > > > http://www.openinfosecfoundation.org/index.php/download-suricata
> > > >
> > > > Please join the oisf-users mailing list to discuss and share
> > > > feedback. The developers will be there ready to help you test.
> > > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > >
> > > > As this is a first release we don't really have a "What's New"
> > > > section because everything is new. But we do have a number of new
> > > > ideas and new concepts to Intrusion Detection to note. Some of
> > > > those are listed below:
> > > >
> > > > Multi-Threading
> > > > Amazing that multi-threading is new to IDS, but it is, and we've
> > > > got it!
> > > >
> > > > Automatic Protocol Detection
> > > > The engine not only has keywords for IP, TCP, UDP and ICMP, but
> > > > also has HTTP, TLS, FTP and SMB! A user can now write a rule to
> > > > detect a match within an HTTP stream for example regardless of the
> > > > port the stream occurs on. This is going to revolutionize malware
> > > > detection and control. Detections for more layer 7 protocols are
> > > > on the way.
> > > >
> > > > Gzip Decompression
> > > > The HTP Parser will decode Gzip compressed streams, allowing much
> > > > more detailed matching within the engine.
> > > >
> > > > Independent HTP Library
> > > > The HTP Parser will be of great use to many other applications such
> > > > as proxies, filters, etc. The parser is available as a library also
> > > > under GPLv2 for easy integration into other tools.
> > > >
> > > > Standard Input Methods
> > > > You can use NFQueue, IPFRing, and the standard LibPcap to capture
> > > > traffic. IPFW support coming shortly.
> > > >
> > > > Unified2 Output
> > > > You can use your standard output tools and methods with the new
> > > > engine, 100% compatible!
> > > >
> > > > Flow Variables
> > > > It's possible to capture information out of a stream and save that
> > > > in a variable which can then be matched again later.
> > > >
> > > > Fast IP Matching
> > > > The engine will automatically take rules that are IP matches only
> > > > (such as the RBN and compromised IP lists at Emerging Threats) and
> > > > put them into a special fast matching preprocessor.
> > > >
> > > > HTTP Log Module
> > > > All HTTP requests can be automatically output into an apache-style
> > > > log format file. Very useful for monitoring and logging activity
> > > > completely independent of rulesets and matching. Should you need to
> > > > do so you could use the engine only as an HTTP logging sniffer.
> > > >
> > > > Coming Very Soon: (Within a few weeks)
> > > >
> > > > Global Flow Variables
> > > > The ability to store more information from a stream or match
> > > > (actual data, not just setting a bit), and storing that information
> > > > for a period of time. This will make comparing values across many
> > > > streams and time possible.
> > > >
> > > > Graphics Card Acceleration
> > > > Using CUDA and OpenCL we will be able to make use of the massive
> > > > processing power of even old graphics cards to accelerate your IDS.
> > > > Offloading the very computationally intensive functions of the
> > > > sensor will greatly enhance performance.
> > > >
> > > > IP Reputation
> > > > Hard to summarize in a sentence, but Reputation will allow sensors
> > > > and organizations to share intelligence and eliminate many false
> > > > positives.
> > > >
> > > > Windows Binaries
> > > > As soon as we have a reasonably stable body of code.
> > > >
> > > > The list could go on and on. Please take a few minutes to download
> > > > the engine and try it out and let us know what you think. We're not
> > > > comfortable calling it production ready at the moment until we get
> > > > your feedback, and we have a few features to complete. We really
> > > > need your feedback and input. We intend to put out a series of
> > > > small releases in the two to three weeks to come, and then a
> > > > production ready major release shortly thereafter. Phase two of our
> > > > development plan will then begin where we go after some major new
> > > > features such as IP Reputation shortly.
> > > >
> > > > http://www.openinfosecfoundation.org
> > > >
> > > > ----------------------------------------------------
> > > > Matthew Jonkman
> > > > Emerging Threats
> > > > Open Information Security Foundation (OISF)
> > > > Phone 765-429-0398
> > > > Fax 312-264-0205
> > > > http://www.emergingthreats.net
> > > > http://www.openinformationsecurityfoundation.org
> > > > ----------------------------------------------------
> > > >
> > > > PGP: http://www.jonkmans.com/mattjonkman.asc
> > > >
> > > > ------------------------------------------------------------------------------
> > > > This SF.Net email is sponsored by the Verizon Developer Community
> > > > Take advantage of Verizon's best-in-class app development support
> > > > A streamlined, 14 day to market process makes app distribution fast
> > > > and easy
> > > > Join now and get one step closer to millions of Verizon customers
> > > > http://p.sf.net/sfu/verizon-dev2dev
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From edward.fjellskal at redpill-linpro.com  Fri Jan  1 03:27:39 2010
From: edward.fjellskal at redpill-linpro.com (Edward Bjarte Fjellskål)
Date: Fri, 01 Jan 2010 09:27:39 +0100
Subject: [Emerging-Sigs] [Snort-users] Suricata IDS Available for Download!
In-Reply-To:
References: <4B3D0569.4020907@jonkmans.com>
Message-ID: <4B3DB1FB.9070109@redpill-linpro.com>

Brian Caswell wrote:
> On Thu, Dec 31, 2009 at 3:11 PM, Matt Jonkman wrote:
>> The engine and the HTP Library are available here:
>> http://www.openinfosecfoundation.org/index.php/download-suricata
>
> This URL gives a 404.
>
> Where else might we be able to download it?

Are there any svn or git repos publicly available?
E

> Brian

From jonkman at jonkmans.com  Fri Jan  1 14:50:10 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 01 Jan 2010 14:50:10 -0500
Subject: [Emerging-Sigs] [Snort-users] Suricata IDS Available for Download!
In-Reply-To: <4B3DB1FB.9070109@redpill-linpro.com>
References: <4B3D0569.4020907@jonkmans.com> <4B3DB1FB.9070109@redpill-linpro.com>
Message-ID: <4B3E51F2.4010709@jonkmans.com>

Yes there is:

git clone git://phalanx.openinfosecfoundation.org/oisf.git

That'll be the most current. It'll be changing a lot over the next few
weeks!

Matt

On 1/1/10 3:27 AM, Edward Bjarte Fjellskål wrote:
> Brian Caswell wrote:
>> On Thu, Dec 31, 2009 at 3:11 PM, Matt Jonkman wrote:
>>> The engine and the HTP Library are available here:
>>> http://www.openinfosecfoundation.org/index.php/download-suricata
>>
>> This URL gives a 404.
>>
>> Where else might we be able to download it?
>
> Are there any svn or git repos publicly available?
> > e > >> >> Brian >> >> ------------------------------------------------------------------------------ >> This SF.Net email is sponsored by the Verizon Developer Community >> Take advantage of Verizon's best-in-class app development support >> A streamlined, 14 day to market process makes app distribution fast and easy >> Join now and get one step closer to millions of Verizon customers >> http://p.sf.net/sfu/verizon-dev2dev >> _______________________________________________ >> Snort-users mailing list >> Snort-users at lists.sourceforge.net >> Go to this URL to change user options or unsubscribe: >> https://lists.sourceforge.net/lists/listinfo/snort-users >> Snort-users list archive: >> http://www.geocrawler.com/redir-sf.php3?list=snort-users > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinformationsecurityfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From kevross33 at googlemail.com Fri Jan 1 14:55:15 2010 From: kevross33 at googlemail.com (Kevin Ross) Date: Fri, 1 Jan 2010 19:55:15 +0000 Subject: [Emerging-Sigs] [Snort-users] Suricata IDS Available for Download! In-Reply-To: <4B3E2674.2060503@jonkmans.com> References: <4B3D0569.4020907@jonkmans.com> <77e259cc0912311242r28de2ab9vcd0bb8331458df09@mail.gmail.com> <4B3D0D33.7050707@jonkmans.com> <69544300912311649hb70154bk582e51a351d54b6a@mail.gmail.com> <4B3E2674.2060503@jonkmans.com> Message-ID: Nice, I was looking forward to this :) It seems to have installed perfectly on my Fedora system and runs fine but I won't get to properly play with it for a few days. 
Once the IP reputation stuff appears I may run this against production
traffic on a few of my sensors. Nice work

2010/1/1 Matt Jonkman

> We were slashdotted, which caused massive problems of course.
>
> Things are all back to normal. You can get code at:
>
> http://openinfosecfoundation.org/index.php/download-suricata
>
> Should remain stable. We're still on the front page at slashdot, but the
> load is manageable now thankfully.
>
> Matt
>
> On 12/31/09 7:49 PM, Jules Pagna Disso wrote:
> > Hi Matt,
> >
> > The job done sounds great. It seems as if the download link is not
> > active or broken?
> >
> > Happy new year!
> > Jules
> >
> > 2009/12/31 Matt Jonkman <jonkman at jonkmans.com>
> >
> > > Thanks Matt! That's great to hear from you!
> > >
> > > Look forward to your feedback.
> > >
> > > Matt
> > >
> > > On 12/31/09 3:42 PM, Matt Olney wrote:
> > > > Congrats to Matt Jonkman and the team at OISF. It's a big step, and I
> > > > look forward to seeing your work (after the new year :))
> > > >
> > > > Matt
> > > >
> > > > On Thu, Dec 31, 2009 at 3:11 PM, Matt Jonkman wrote:
> > > > >
> > > > > Full Announcement here:
> > > > > http://www.openinfosecfoundation.org/

From jonkman at jonkmans.com  Fri Jan  1 15:06:39 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 01 Jan 2010 15:06:39 -0500
Subject: [Emerging-Sigs] [Snort-users] Suricata IDS Available for Download!
In-Reply-To: References: <4B3D0569.4020907@jonkmans.com> <77e259cc0912311242r28de2ab9vcd0bb8331458df09@mail.gmail.com> <4B3D0D33.7050707@jonkmans.com> <69544300912311649hb70154bk582e51a351d54b6a@mail.gmail.com> <4B3E2674.2060503@jonkmans.com> Message-ID: <4B3E55CF.5040502@jonkmans.com> Look forward to your feedback. IP Reputation will probably be around in february or so. It's a massive undertaking we learned as we tried to implement. It's on the way though! Along with a number of other goodies. Matt On 1/1/10 2:55 PM, Kevin Ross wrote: > Nice, I was looking forward to this :) It seems to have installed > perfectly on my Fedora system and runs fine but I won't get to properly > play with it for a few days. Once the IP reputation stuff appears I may > run this against production traffic on a few of my sensors. Nice work > > 2010/1/1 Matt Jonkman > > > We were slashdotted, which caused massive problems of course. > > Things are all back to normal. You can get code at: > > http://openinfosecfoundation.org/index.php/download-suricata > > Should remain stable. We're still on the front page at slashdot, but the > load is manageable now thankfully. > > Matt > > On 12/31/09 7:49 PM, Jules Pagna Disso wrote: > > HI Matt, > > > > The job done sounds great. It seems as if the download link is not > > active or broken? > > > > > > Happy new year! > > Jules > > > > 2009/12/31 Matt Jonkman >> > > > > Thanks Matt! That's great to hear from you! > > > > Look forward to your feedback. > > > > Matt > > > > On 12/31/09 3:42 PM, Matt Olney wrote: > > > Congrats to Matt Jonkman and the team at OISF. It's a big > step, and I > > > look forward to seeing your work (after then new year :)) > > > > > > Matt > > > > > > On Thu, Dec 31, 2009 at 3:11 PM, Matt Jonkman > > > > > > > > >>> wrote: > > > > > > Full Announcement here: > > > http://www.openinfosecfoundation.org/ > > > > > > > > > It's been about three years in the making, but the day has > > finally come! 
> > > We have the first release of the Suricata Engine! The engine > > is an Open > > > Source Next Generation Intrusion Detection and Prevention > > Tool, not > > > intended to just replace or emulate the existing tools > in the > > industry, > > > but to bring new ideas and technologies to the field. > > > > > > The Suricata Engine and the HTP Library are available to use > > under the > > > GPLv2. > > > > > > The HTP Library is an HTTP normalizer and parser written by > > Ivan Ristic > > > of Mod Security fame for the OISF. This integrates and > > provides very > > > advanced processing of HTTP streams for Suricata. The HTP > > library is > > > required by the engine, but may also be used > independently in > > a range of > > > applications and tools. > > > > > > This is considered a Beta Release as we are seeking feedback > > from the > > > community. This release has many of the major new > features we > > wanted to > > > add to the industry, but certainly not all. We intend to get > > this base > > > engine out and stable, and then continue to add new > features. > > We expect > > > several new releases in the month of January culminating > in a > > production > > > quality release shortly thereafter. > > > > > > The engine and the HTP Library are available here: > > > > http://www.openinfosecfoundation.org/index.php/download-suricata > > > > > > Please join the oisf-users mailing list to discuss and share > > feedback. > > > The developers will be there ready to help you test. > > > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users > > > > > > > > > As this is a first release we don't really have a > "what's New" > > section > > > because everything is new. But we do have a number of new > > ideas and new > > > concepts to Intrusion Detection to note. Some of those are > > listed below: > > > > > > > > > > > > Multi-Threading > > > Amazing that multi-threading is new to IDS, but it is, and > > we've got it! 
> > > > > > > > > Automatic Protocol Detection > > > The engine not only has keywords for IP, TCP, UDP and ICMP, > > but also has > > > HTTP, TLS, FTP and SMB! A user can now write a rule to > detect > > a match > > > within an HTTP stream for example regardless of the port the > > stream > > > occurs on. This is going to revolutionize malware detection > > and control. > > > Detections for more layer 7 protocols are on the way. > > > > > > > > > Gzip Decompression > > > The HTP Parser will decode Gzip compressed streams, allowing > > much more > > > detailed matching within the engine. > > > > > > > > > Independent HTP Library > > > The HTP Parser will be of great use to many other > applications > > such as > > > proxies, filters, etc. The parser is available as a library > > also under > > > GPLv2 for easy integration ito other tools. > > > > > > > > > Standard Input Methods > > > You can use NFQueue, IPFRing, and the standard LibPcap > to capture > > > traffic. IPFW support coming shortly. > > > > > > > > > Unified2 Output > > > You can use your standard output tools and methods with the > > new engine, > > > 100% compatible! > > > > > > > > > Flow Variables > > > It's possible to capture information out of a stream and > save > > that in a > > > variable which can then be matched again later. > > > > > > > > > Fast IP Matching > > > The engine will automatically take rules that are IP matches > > only (such > > > as the RBN and compromised IP lists at Emerging Threats) and > > put them > > > into a special fast matching preprocessor. > > > > > > > > > HTTP Log Module > > > All HTTP requests can be automatically output into an > > apache-style log > > > format file. Very useful for monitoring and logging activity > > completely > > > independent of rulesets and matching. Should you need to > do so > > you could > > > use the engine only as an HTTP logging sniffer. 
> > > > > > > > > > > > Coming Very Soon: (Within a few weeks) > > > > > > Global Flow Variables > > > The ability to store more information from a stream or match > > (actual > > > data, not just setting a bit), and storing that information > > for a period > > > of time. This will make comparing values across many streams > > and time > > > possible. > > > > > > > > > Graphics Card Acceleration > > > Using CUDA and OpenCL we will be able to make use of the > massive > > > processing power of even old graphics cards to > accelerate your > > IDS. > > > Offloading the very computationally intensive functions > of the > > sensor > > > will greatly enhance performance. > > > > > > > > > IP Reputation > > > Hard to summarize in a sentence, but Reputation will allow > > sensors and > > > organizations to share intelligence and eliminate many false > > positives. > > > > > > > > > Windows Binaries > > > As soon as we have a reasonably stable body of code. > > > > > > > > > > > > The list could go on and on. Please take a few minutes to > > download the > > > engine and try it out and let us know what you think. > We're not > > > comfortable calling it production ready at the moment > until we > > get your > > > feedback, and we have a few features to complete. We really > > need your > > > feedback and input. We intend to put out a series of small > > releases in > > > the two to three weeks to come, and then a production > ready major > > > release shortly thereafter. Phase two of our development > plan > > will then > > > begin where we go after some major new features such as IP > > Reputation > > > shortly. 
> > > > > > http://www.openinfosecfoundation.org > > > > > > > > > ---------------------------------------------------- > > > Matthew Jonkman > > > Emerging Threats > > > Open Information Security Foundation (OISF) > > > Phone 765-429-0398 > > > Fax 312-264-0205 > > > http://www.emergingthreats.net > > > http://www.openinformationsecurityfoundation.org > > > ---------------------------------------------------- > > > > > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > > > > > > > ------------------------------------------------------------------------------ > > > This SF.Net email is sponsored by the Verizon Developer > Community > > > Take advantage of Verizon's best-in-class app > development support > > > A streamlined, 14 day to market process makes app > distribution > > fast > > > and easy > > > Join now and get one step closer to millions of Verizon > customers > > > http://p.sf.net/sfu/verizon-dev2dev > > > _______________________________________________ > > > Snort-users mailing list > > > Snort-users at lists.sourceforge.net > > > > > > > > > >> > > > Go to this URL to change user options or unsubscribe: > > > https://lists.sourceforge.net/lists/listinfo/snort-users > > > Snort-users > > > > > Snort-users> list archive: > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users > > > > > > > > > > -- > > > > ---------------------------------------------------- > > Matthew Jonkman > > Emerging Threats > > Open Information Security Foundation (OISF) > > Phone 765-429-0398 > > Fax 312-264-0205 > > http://www.emergingthreats.net > > http://www.openinformationsecurityfoundation.org > > ---------------------------------------------------- > > > > PGP: http://www.jonkmans.com/mattjonkman.asc > > _______________________________________________ > > Emerging-sigs mailing list > > Emerging-sigs at emergingthreats.net > > > > > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > > > > > -- > > 

From emerging at emergingthreats.net Fri Jan 1 16:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 1 Jan 2010 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100101210013.666B145050@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Jan 1 16:00:13 2010 [***]

[*] Rules modifications: [*]
    None.
[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (6):
        2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
        2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
        2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Removed from emerging-sid-msg.map.txt (6):
        2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
        2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
        2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jonkman at jonkmans.com Fri Jan 1 19:33:27 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 01 Jan 2010 19:33:27 -0500
Subject: [Emerging-Sigs] Suricata Development
Message-ID: <4B3E9457.5020400@jonkmans.com>

I love all the suricata discussion that's going on, here and on the oisf lists.
But I assume many users here may not be interested at this point in the bug chatter and such. So I just wanted to remind users that some talk of it here is good, and I'll keep the announcements of new developments coming to this list. But if you have a serious question or bug report please hop on either the oisf-users or oisf-devel lists available here:

http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

There is some good discussion going already!

Thanks all and happy new year!

Matt

From david.glosser at gmail.com Sat Jan 2 10:05:09 2010
From: david.glosser at gmail.com (David Glosser)
Date: Sat, 2 Jan 2010 10:05:09 -0500
Subject: [Emerging-Sigs] another ip blocklist: ssh brute force ips
Message-ID:

http://www.sshbl.org/list.txt

"The following list (updated every hour) contains IP addresses of hosts who tried to bruteforce into any of currently 5 hosts (all running OpenBSD) who are located in the United States and Germany which are setup to report and log those attempts to a database.... Old entries are currently not deleted from the list, so if you want to use this list to block the listed IPs in any way we recommend to only use the TOP 600 which approx. equals the logs of the last 2 months. The TOP 300 would currently be approx. the last month of reported attacks."
From jonkman at jonkmans.com Sat Jan 2 10:16:18 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 02 Jan 2010 10:16:18 -0500
Subject: [Emerging-Sigs] another ip blocklist: ssh brute force ips
In-Reply-To:
References:
Message-ID: <4B3F6342.10804@jonkmans.com>

Hmmm, them not aging out is a bit of a concern. I'd hate to keep a host on there for more than 30 days, which could happen on this list...

I can look closer into it...

Matt

On 1/2/10 10:05 AM, David Glosser wrote:
> http://www.sshbl.org/list.txt
>
> "The following list (updated every hour) contains IP addresses of hosts who tried to bruteforce into any of currently 5 hosts (all running OpenBSD) who are located in the United States and Germany which are setup to report and log those attempts to a database.... Old entries are currently not deleted from the list, so if you want to use this list to block the listed IPs in any way we recommend to only use the TOP 600 which approx. equals the logs of the last 2 months. The TOP 300 would currently be approx. the last month of reported attacks."

From jonkman at jonkmans.com Sat Jan 2 10:22:43 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 02 Jan 2010 10:22:43 -0500
Subject: [Emerging-Sigs] December Sigs Contest Winner
Message-ID: <4B3F64C3.2040201@jonkmans.com>

Mike Cox is our winner for the December Signature Contest with 70 signatures this month! (That includes 7 I have yet to commit)

Great work Mike!
Thanks for your support. We'll get your prizes out to you ASAP!

Matt

From mail at mare-system.de Sat Jan 2 10:29:37 2010
From: mail at mare-system.de (mex)
Date: Sat, 02 Jan 2010 16:29:37 +0100
Subject: [Emerging-Sigs] another ip blocklist: ssh brute force ips
In-Reply-To: <4B3F6342.10804@jonkmans.com>
References: <4B3F6342.10804@jonkmans.com>
Message-ID: <4B3F6661.6050406@mare-system.de>

i'm experimenting with this list and wrote a small script that generates a list of the (100|300|600) recent entries into the list, as stated in the intro at the website; right now the script generates sigs like, very simple; i just have to figure out how an ssh-session is invoked (i'd like to catch the server-response instead of the connection-try) and i think about using fwsam to deny connections to a host for at least 1 hour/day.

alert tcp 218.74.116.19 any -> $HOME_NET $SSH_PORTS (msg:"SSHBlacklist SSH-Connection DROP"; flow:to_server,established; classtype:attempted-user; reference:url,www.sshbl.org/; sid:40400003; rev:1;)

the sigs are very basic yet.

Matt Jonkman wrote:
> Hmmm, them not aging out is a bit of a concern. I'd hate to keep a host on there for more than 30 days, which could happen on this list...
>
> I can look closer into it...
>
> Matt
>
> On 1/2/10 10:05 AM, David Glosser wrote:
>> http://www.sshbl.org/list.txt
>>
>> "The following list (updated every hour) contains IP addresses of hosts who tried to bruteforce into any of currently 5 hosts (all running OpenBSD) who are located in the United States and Germany which are setup to report and log those attempts to a database....
>> Old entries are currently not deleted from the list, so if you want to use this list to block the listed IPs in any way we recommend to only use the TOP 600 which approx. equals the logs of the last 2 months. The TOP 300 would currently be approx. the last month of reported attacks."
>

From emerging at emergingthreats.net Sat Jan 2 16:00:14 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 2 Jan 2010 16:00:14 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100102210014.1BD214504F@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 2 16:00:14 2010 [***]

[*] Rules modifications: [*]
    None.

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (4):
        2400007 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401007 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
        2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org

    -> Added to emerging-sid-msg.map.txt (4):
        2400007 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401007 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
        2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (16):
        2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Removed from emerging-sid-msg.map.txt (16):
        2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Sat Jan 2 18:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 2 Jan 2010 18:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20100102230013.EC3D04504E@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 2 18:00:13 2010 [***]

[+++] Added rules: [+++]

    210560 - ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 (emerging-web_client.rules)
    2010565 - ET TROJAN Bebloh C&C HTTP POST (emerging-virus.rules)
    2010566 - ET CURRENT_EVENTS Zbot update (av_base/pay.php) (emerging-current_events.rules)
    2010567 - ET CURRENT_EVENTS Zbot update (av_base/ip.php) (emerging-current_events.rules)
    2010568 - ET CURRENT_EVENTS Zbot update (av-i386-daily.zip) (emerging-current_events.rules)
    2010569 - ET TROJAN Trojan Downloader Win32/Small.CBA download (emerging-virus.rules)
    2010570 - ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) (emerging-policy.rules)
    2010571 - ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) (emerging-policy.rules)
    2010572 - ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) (emerging-policy.rules)
    2010573 - ET POLICY Possible Reference to Terrorist Literature (Knights under the...) (emerging-policy.rules)
    2010574 - ET POLICY Possible Reference to Terrorist Literature (Jihad against...) (emerging-policy.rules)
    2010575 - ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) (emerging-policy.rules)
    2010576 - ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) (emerging-policy.rules)
    2010577 - ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) (emerging-policy.rules)
    2010578 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) (emerging-policy.rules)
    2010579 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) (emerging-policy.rules)
    2010580 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara) (emerging-policy.rules)
    2010581 - ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP (emerging-policy.rules)
    2010582 - ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP (emerging-policy.rules)
    2010583 - ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP (emerging-policy.rules)
    2010584 - ET POLICY Possible Reference to Terrorist Literature (Knights under the...) SMTP (emerging-policy.rules)
    2010585 - ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP (emerging-policy.rules)
    2010586 - ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) SMTP (emerging-policy.rules)
    2010587 - ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP (emerging-policy.rules)
    2010588 - ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP (emerging-policy.rules)
    2010589 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP (emerging-policy.rules)
    2010590 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP (emerging-policy.rules)
    2010591 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara) SMTP (emerging-policy.rules)
    2010592 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) (emerging-web_server.rules)
    2010593 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) (emerging-web_server.rules)
    2010594 - ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=) (emerging-virus.rules)
    2010595 - ET USER_AGENTS Suspicious User Agent (???) (emerging-user_agents.rules)
    2010596 - ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served) (emerging-virus.rules)
    2010597 - ET TROJAN Potential FakeAV HTTP GET Check-IN (/check) (emerging-virus.rules)
    2010598 - ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=) (emerging-virus.rules)
    2010599 - ET USER_AGENTS Suspicious User Agent Mozilla/3.0 (emerging-user_agents.rules)
    2010600 - ET USER_AGENTS Suspicious User Agent WebUpdate (emerging-user_agents.rules)
    2010601 - ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt (emerging-web_specific_apps.rules)
    2010602 - ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt (emerging-web_specific_apps.rules)
    2010603 - ET TROJAN Win32 Dialer Variant checkin (id_site) (emerging-virus.rules)
    2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)

[///] Modified active rules: [///]

    2010555 - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
    2010556 - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
    2010557 - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules)
    2010558 - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules)
    2010559 - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules)
    2010561 - ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2 (emerging-web_client.rules)
    2010562 - ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1 (emerging-web_client.rules)
    2010563 - ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2 (emerging-web_client.rules)
    2010564 - ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
    2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
    2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
    2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
    2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
    2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
    2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
    2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
    2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
    2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
    2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
    2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
    2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
    2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
    2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
    2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
    2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
    2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
    2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
    2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
    2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
    2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
    2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
    2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
    2404021 - ET DROP Known Bot C&C Server Traffic (group 22) (emerging-botcc.rules)
    2404022 - ET DROP Known Bot C&C Server Traffic (group 23) (emerging-botcc.rules)
    2404023 - ET DROP Known Bot C&C Server Traffic (group 24) (emerging-botcc.rules)
    2404024 - ET DROP Known Bot C&C Server Traffic (group 25) (emerging-botcc.rules)
    2404025 - ET DROP Known Bot C&C Server Traffic (group 26) (emerging-botcc.rules)
    2404026 - ET DROP Known Bot C&C Server Traffic (group 27) (emerging-botcc.rules)
    2404027 - ET DROP Known Bot C&C Server Traffic (group 28) (emerging-botcc.rules)
    2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405023 - ET DROP Known Bot C&C Traffic (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405024 - ET DROP Known Bot C&C Traffic (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405025 - ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405026 - ET DROP Known Bot C&C Traffic (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405027 - ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[---] Removed rules: [---]

    2001886 - ET MALWARE ToolbarPartner Spyware Install (emerging-malware.rules)
    2001887 - ET MALWARE ToolbarPartner Spyware Activity (1) (emerging-malware.rules)
    2001888 - ET MALWARE ToolbarPartner Spyware Activity (2) (emerging-malware.rules)
    2001889 - ET MALWARE ToolbarPartner Spyware Jeemp Trojan Download (emerging-malware.rules)
    2001892 - ET MALWARE ToolbarPartner Spyware Agent Download (2) (emerging-malware.rules)
    2001893 - ET MALWARE ToolbarPartner Spyware Agent Reporting Install (emerging-malware.rules)
    2001894 - ET MALWARE ToolbarPartner Spyware Agent Partner Install (emerging-malware.rules)
    21010560 - ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 (emerging-web_client.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-attack_response.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-botcc-BLOCK.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-botcc.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-current_events.rules (2):
        # Copyright (c) 2003-2010, Emerging Threats
        #by jerry

    -> Added to emerging-dos.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-drop-BLOCK.rules (3):
        # Copyright (c) 2003-2010, Emerging Threats
        # VERSION 1771
        # Generated 2010-01-02 00:03:01 EDT

    -> Added to emerging-drop.rules (3):
        # Copyright (c) 2003-2010, Emerging Threats
        # VERSION 1771
        # Generated 2010-01-02 00:03:01 EDT

    -> Added to emerging-dshield-BLOCK.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-dshield.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-exploit.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-game.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-inappropriate.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-malware.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-p2p.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-policy.rules (3):
        # Copyright (c) 2003-2010, Emerging Threats
        #by jim
        #These will false positive a LOT, but use them if you need them. They should be useful.
    -> Added to emerging-scan.rules (1):
        # Copyright (c) 2003-2010, Emerging Threats

    -> Added to emerging-sid-msg.map (51):
        210560 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/210560 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb
        2010555 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010555 || url,secunia.com/advisories/37535/ || bugtraq,37178
        2010556 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010556 || url,secunia.com/advisories/37535/ || bugtraq,37178
        2010557 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010557 || url,secunia.com/advisories/37535/ || bugtraq,37178
        2010558 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010558 || url,secunia.com/advisories/37535/ || bugtraq,37178
        2010559 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010559 || url,secunia.com/advisories/37535/ || bugtraq,37178
        2010561 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/2010561 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb
        2010562 || ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/2010562 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb
        2010563 || ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/2010563 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb
        2010564 || ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Sisplet || url,doc.emergingthreats.net/2010564 || bugtraq,23334
        2010565 || ET TROJAN Bebloh C&C HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh || url,doc.emergingthreats.net/2010565
        2010566 || ET CURRENT_EVENTS Zbot update (av_base/pay.php) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus || url,doc.emergingthreats.net/2010566 || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c
        2010567 || ET CURRENT_EVENTS Zbot update (av_base/ip.php) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus || url,doc.emergingthreats.net/2010567 || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c
        2010568 || ET CURRENT_EVENTS Zbot update (av-i386-daily.zip) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus || url,doc.emergingthreats.net/2010565 || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c
        2010569 || ET TROJAN Trojan Downloader Win32/Small.CBA download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2010569 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.CBA&ThreatID=-2147372177
        2010570 || ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010570
        2010571 || ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010571
        2010572 || ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010572
        2010573 || ET POLICY Possible Reference to Terrorist Literature (Knights under the...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010573
        2010574 || ET POLICY Possible Reference to Terrorist Literature (Jihad against...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010574
        2010575 || ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...)
|| url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010575 2010576 || ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010576 2010577 || ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010577 2010578 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010578 2010579 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010579 2010580 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010580 2010581 || ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010581 2010582 || ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010582 2010583 || ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010583 2010584 || ET POLICY Possible Reference to Terrorist Literature (Knights under the...) 
SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010584 2010585 || ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010585 2010586 || ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010586 2010587 || ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010587 2010588 || ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010588 2010589 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010589 2010590 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010590 2010591 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010591 2010592 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010592 || url,www.securityfocus.com/bid/37460/info 2010593 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010593 || url,www.securityfocus.com/bid/37460/info 2010594 || ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010594 || url,www.malwaredomainlist.com/forums/index.php?topic=3190.420 || url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2 2010595 || ET USER_AGENTS Suspicious User Agent (???) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010595 2010596 || ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Trest1 || url,doc.emergingthreats.net/2010596 || url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on || url,www.malwaredomainlist.com 2010597 || ET TROJAN Potential FakeAV HTTP GET Check-IN (/check) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010597 || url,www.malwaredomainlist.com/forums/index.php?topic=3190.420 || url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2 2010598 || ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010598 || 
url,www.malwaredomainlist.com/forums/index.php?topic=3190.420 || url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2 2010599 || ET USER_AGENTS Suspicious User Agent Mozilla/3.0 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010599 2010600 || ET USER_AGENTS Suspicious User Agent WebUpdate || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010600 2010601 || ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_35mmSlideGallery || url,doc.emergingthreats.net/2010601 || url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt 2010602 || ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClarkConnect || url,doc.emergingthreats.net/2010602 || url,www.securityfocus.com/bid/37446/info 2010603 || ET TROJAN Win32 Dialer Variant checkin (id_site) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2010603 2400007 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401007 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso -> Added to emerging-sid-msg.map.txt (51): 210560 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/210560 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010555 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010555 || url,secunia.com/advisories/37535/ || bugtraq,37178 2010556 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010556 || url,secunia.com/advisories/37535/ || bugtraq,37178 2010557 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010557 || url,secunia.com/advisories/37535/ || bugtraq,37178 2010558 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010558 || url,secunia.com/advisories/37535/ || bugtraq,37178 2010559 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010559 || url,secunia.com/advisories/37535/ || bugtraq,37178 2010561 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/2010561 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010562 || ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/2010562 || url,www.kb.cert.org/vuls/id/789121 || 
url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010563 || ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/2010563 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010564 || ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Sisplet || url,doc.emergingthreats.net/2010564 || bugtraq,23334 2010565 || ET TROJAN Bebloh C&C HTTP POST || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh || url,doc.emergingthreats.net/2010565 2010566 || ET CURRENT_EVENTS Zbot update (av_base/pay.php) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus || url,doc.emergingthreats.net/2010566 || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c 2010567 || ET CURRENT_EVENTS Zbot update (av_base/ip.php) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus || url,doc.emergingthreats.net/2010567 || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c 2010568 || ET CURRENT_EVENTS Zbot update (av-i386-daily.zip) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus || url,doc.emergingthreats.net/2010565 || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c 2010569 || ET TROJAN Trojan Downloader Win32/Small.CBA download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General || url,doc.emergingthreats.net/2010569 || 
url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.CBA&ThreatID=-2147372177 2010570 || ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010570 2010571 || ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010571 2010572 || ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010572 2010573 || ET POLICY Possible Reference to Terrorist Literature (Knights under the...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010573 2010574 || ET POLICY Possible Reference to Terrorist Literature (Jihad against...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010574 2010575 || ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010575 2010576 || ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010576 2010577 || ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) 
|| url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010577 2010578 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010578 2010579 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010579 2010580 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010580 2010581 || ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010581 2010582 || ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010582 2010583 || ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010583 2010584 || ET POLICY Possible Reference to Terrorist Literature (Knights under the...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010584 2010585 || ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010585 2010586 || ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) 
SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010586 2010587 || ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010587 2010588 || ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010588 2010589 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010589 2010590 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010590 2010591 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara) SMTP || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature || url,doc.emergingthreats.net/2010591 2010592 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010592 || url,www.securityfocus.com/bid/37460/info 2010593 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010593 || url,www.securityfocus.com/bid/37460/info 2010594 || ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010594 || url,www.malwaredomainlist.com/forums/index.php?topic=3190.420 || url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2 2010595 || ET USER_AGENTS Suspicious User Agent (???) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010595 2010596 || ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Trest1 || url,doc.emergingthreats.net/2010596 || url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on || url,www.malwaredomainlist.com 2010597 || ET TROJAN Potential FakeAV HTTP GET Check-IN (/check) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010597 || url,www.malwaredomainlist.com/forums/index.php?topic=3190.420 || url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2 2010598 || ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010598 || url,www.malwaredomainlist.com/forums/index.php?topic=3190.420 || url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2 2010599 || ET USER_AGENTS Suspicious User Agent Mozilla/3.0 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010599 2010600 || ET USER_AGENTS Suspicious User Agent WebUpdate || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || 
url,doc.emergingthreats.net/2010600 2010601 || ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_35mmSlideGallery || url,doc.emergingthreats.net/2010601 || url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt 2010602 || ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClarkConnect || url,doc.emergingthreats.net/2010602 || url,www.securityfocus.com/bid/37446/info 2010603 || ET TROJAN Win32 Dialer Variant checkin (id_site) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers || url,doc.emergingthreats.net/2010603 2400007 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401007 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso -> Added to emerging-user_agents.rules (2): # Copyright (c) 2003-2010, Emerging Threats #by jerry -> Added to emerging-virus.rules (3): # Copyright (c) 2003-2010, Emerging Threats #by pedro and jerry #by jerry -> Added to emerging-voip.rules (1): # Copyright (c) 2003-2010, Emerging Threats -> Added to emerging-web.rules (1): # Copyright (c) 2003-2010, Emerging Threats -> Added to emerging-web_client.rules (1): # Copyright (c) 2003-2010, Emerging Threats -> Added to emerging-web_server.rules (1): # Copyright (c) 2003-2010, Emerging Threats -> Added to emerging-web_specific_apps.rules (2): # Copyright (c) 2003-2010, Emerging Threats #by Mike Cox -> Added to emerging-web_sql_injection.rules (1): # Copyright (c) 2003-2010, Emerging Threats -> Added to emerging.conf (1): # Copyright (c) 2003-2010, Emerging Threats -> Added to emerging.rules (1): # Copyright (c) 2003-2010, Emerging Threats [---] Removed non-rule lines: [---] -> Removed from emerging-attack_response.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> 
Removed from emerging-botcc-BLOCK.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-botcc.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-current_events.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-dos.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-drop-BLOCK.rules (3): # Copyright (c) 2003-2009, Emerging Threats # VERSION 1764 # Generated 2009-12-26 00:03:02 EDT -> Removed from emerging-drop.rules (3): # Copyright (c) 2003-2009, Emerging Threats # VERSION 1764 # Generated 2009-12-26 00:03:02 EDT -> Removed from emerging-dshield-BLOCK.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-dshield.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-exploit.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-game.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-inappropriate.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-malware.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-p2p.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-policy.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-scan.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-sid-msg.map (73): 2001886 || ET MALWARE ToolbarPartner Spyware Install || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001886 || url,toolbarpartner.com 2001887 || ET MALWARE ToolbarPartner Spyware Activity (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001887 || url,toolbarpartner.com 2001888 || ET MALWARE ToolbarPartner Spyware Activity (2) || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001888 || url,toolbarpartner.com 2001889 || ET MALWARE ToolbarPartner Spyware Jeemp Trojan Download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001889 || url,toolbarpartner.com 2001892 || ET MALWARE ToolbarPartner Spyware Agent Download (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001892 || url,toolbarpartner.com 2001893 || ET MALWARE ToolbarPartner Spyware Agent Reporting Install || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001893 || url,toolbarpartner.com 2001894 || ET MALWARE ToolbarPartner Spyware Agent Partner Install || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001894 || url,toolbarpartner.com 2010555 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010556 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010557 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010558 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010559 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010561 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX 
Buffer Overflow Function call-2 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010562 || ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010563 || ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010564 || ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt || bugtraq,23334 2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500530 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500544 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 21010560 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb -> Removed from emerging-sid-msg.map.txt (73): 2001886 || ET MALWARE ToolbarPartner Spyware Install || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001886 || url,toolbarpartner.com 2001887 || ET MALWARE ToolbarPartner Spyware Activity (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001887 || url,toolbarpartner.com 2001888 || ET MALWARE ToolbarPartner Spyware Activity (2) || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001888 || url,toolbarpartner.com 2001889 || ET MALWARE ToolbarPartner Spyware Jeemp Trojan Download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001889 || url,toolbarpartner.com 2001892 || ET MALWARE ToolbarPartner Spyware Agent Download (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001892 || url,toolbarpartner.com 2001893 || ET MALWARE ToolbarPartner Spyware Agent Reporting Install || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001893 || url,toolbarpartner.com 2001894 || ET MALWARE ToolbarPartner Spyware Agent Partner Install || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner || url,doc.emergingthreats.net/bin/view/Main/2001894 || url,toolbarpartner.com 2010555 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010556 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010557 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010558 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010559 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/37535/ || bugtraq,37178 2010561 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX 
Buffer Overflow Function call-2 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010562 || ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010563 || ET WEB_CLIENT Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010564 || ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt || bugtraq,23334 2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500530 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500544 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 21010560 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb -> Removed from emerging-user_agents.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-virus.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-voip.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-web.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-web_client.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-web_server.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging-web_specific_apps.rules (1): # Copyright (c) 2003-2009, 
Emerging Threats -> Removed from emerging-web_sql_injection.rules (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging.conf (1): # Copyright (c) 2003-2009, Emerging Threats -> Removed from emerging.rules (1): # Copyright (c) 2003-2009, Emerging Threats

From spooker at gmail.com Sat Jan 2 19:31:17 2010 From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR)) Date: Sat, 2 Jan 2010 22:31:17 -0200 Subject: [Emerging-Sigs] [Snort-users] Suricata IDS Available for Download! In-Reply-To: <4B3E55CF.5040502@jonkmans.com> References: <4B3D0569.4020907@jonkmans.com> <77e259cc0912311242r28de2ab9vcd0bb8331458df09@mail.gmail.com> <4B3D0D33.7050707@jonkmans.com> <69544300912311649hb70154bk582e51a351d54b6a@mail.gmail.com> <4B3E2674.2060503@jonkmans.com> <4B3E55CF.5040502@jonkmans.com> Message-ID: <9255886c1001021631y61513a64i2c66ad5427da7af7@mail.gmail.com>

Nice subject to read after a small vacation! I'll try some tests during this week. I'm sure that project will be awesome for the open source and security community =) Congrats!!

On Fri, Jan 1, 2010 at 6:06 PM, Matt Jonkman wrote:
> Look forward to your feedback.
>
> IP Reputation will probably be around in February or so. It's a massive undertaking we learned as we tried to implement. It's on the way though! Along with a number of other goodies.
>
> Matt
>
> On 1/1/10 2:55 PM, Kevin Ross wrote:
>> Nice, I was looking forward to this :) It seems to have installed perfectly on my Fedora system and runs fine but I won't get to properly play with it for a few days. Once the IP reputation stuff appears I may run this against production traffic on a few of my sensors. Nice work
>
> --
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From emerging at emergingthreats.net Sun Jan 3 16:00:13 2010 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sun, 3 Jan 2010 16:00:13 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20100103210013.E16C045050@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Jan 3 16:00:13 2010 [***]
[*] Rules modifications: [*] None.
[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (2):
       2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
       2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org

    -> Removed from emerging-sid-msg.map.txt (2):
       2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
       2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org

From jonkman at jonkmans.com Mon Jan 4 10:43:49 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 04 Jan 2010 10:43:49 -0500
Subject: [Emerging-Sigs] ET WEB_SPECIFIC_APPS rules (multiple SQLi + LFI)
In-Reply-To: <6116b9e20912311305l2c6beca8gc1b0bc3768f6738e@mail.gmail.com>
References: <6116b9e20912311305l2c6beca8gc1b0bc3768f6738e@mail.gmail.com>
Message-ID: <4B420CB5.5060702@jonkmans.com>

Posted, thanks!

On 12/31/09 4:05 PM, Mike Cox wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt"; flow:established,to_server; uricontent:"/Script/store_info.php?"; nocase; uricontent:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/iU"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37541/info; sid:2010xxx; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"option=com_viewfulllisting"; nocase; uricontent:"listing_id="; nocase; pcre:"/(\?|&)listing_id=[^\x26\x3B]*[^\d\x2D]/iU"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt; sid:2010xxx; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection
> Attempt"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"option=com_kkcontent"; nocase; uricontent:"catID="; nocase; pcre:"/(\?|&)catID=[^\x26\x3B]*[^\d\x2D]/iU"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt; sid:2010xxx; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt"; flow:established,to_server; uricontent:"/dictionary/detail.php?"; nocase; uricontent:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/iU"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/xoopsdictionary-sql.txt; sid:2010xxx; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"/gallery_show.asp?"; nocase; uricontent:"GID="; nocase; pcre:"/(\?|&)GID=[^\x26\x3B]*[^\d\x2D]/iU"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/galleryshow-sql.txt; sid:2010xxx; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt"; flow:established,to_server; uricontent:"/knowledgebase.php?"; nocase; uricontent:"act=art"; nocase; uricontent:"article_id="; nocase; pcre:"/(\?|&)article_id=[^\x26\x3B]*[^\d\x2D]/iU"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/helpdesk-sql.txt; sid:2010xxx; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt"; flow:established,to_server; uricontent:"/modules/admincp.php?"; nocase; uricontent:"admin="; nocase; pcre:"/(\?|&)admin=[^\x26\x3B]*([\x2F\x5C\x00]|\x2E\x2E)/iU";
> classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/roseonlinecms-lfi.txt; sid:2010xxx; rev:1;)

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From evilghost at packetmail.net Mon Jan 4 10:44:06 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 4 Jan 2010 09:44:06 -0600
Subject: [Emerging-Sigs] FakeAV Landing Page, updated
Message-ID: <4B420CC6.3020301@packetmail.net>

Seeing this new trend on FakeAV landing pages, suggest adding new signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - FakeAV Landing Page (aid,sid)"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".php?aid="; nocase; uricontent:"&sid="; nocase; pcre:"/[a-z]\.php\?aid=\d+&sid=[a-z0-9]$/Ui"; classtype:trojan-activity; reference:url,www.bleepingcomputer.com/forums/lofiversion/index.php/t247125.html; sid:2010xxx; rev:1;)

I'll take a better reference URL if someone has one, this signature is from traffic observed on the wire. Note the lack of HTTP Referer.

From jonkman at jonkmans.com Mon Jan 4 10:54:51 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 04 Jan 2010 10:54:51 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec - 31 - 2009
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C294B@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C294B@webmail.latis.com>
Message-ID: <4B420F4B.9010301@jonkmans.com>

Posted, thanks!
Matt

On 12/31/09 2:04 AM, signatures wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Openview NNM ActiveX DisplayName method Memory corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"DisplayName"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/507948; sid:9655; rev:1;)
>
> 2. WEB-ATTACKS HP Openview NNM ActiveX AddGroup method Memory corruption Attempt
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Openview NNM ActiveX AddGroup method Memory corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"AddGroup"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/507948; sid:9656; rev:1;)
>
> 3. WEB-ATTACKS HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"InstallComponent"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/507948; sid:9657; rev:1;)
>
> 4.
> WEB-ATTACKS HP Openview NNM ActiveX Subscribe method Memory corruption Attempt
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Openview NNM ActiveX Subscribe method Memory corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"Subscribe"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/507948; sid:9658; rev:1;)
>
> 5. WEB-PHP phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; sid:9616; rev:1;)
>
> 6. WEB-PHP phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; sid:9617; rev:1;)
>
> 7.
> WEB-PHP phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; sid:9618; rev:1;)
>
> 8. WEB-PHP phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; sid:9619; rev:1;)
>
> 9. WEB-PHP phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; sid:9620; rev:1;)
>
> 10.
> WEB-PHP Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/acomponents/com_mamboleto/mamboleto.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/54662; reference:url,www.exploit-db.com/exploits/10369; sid:9766; rev:1;)

From jonkman at jonkmans.com Mon Jan 4 11:07:37 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 04 Jan 2010 11:07:37 -0500
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To: <4B3A5714.2060402@jonkmans.com>
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com>
Message-ID: <4B421249.1040002@jonkmans.com>

Now that everyone's back in the office I wanted to bring this back up.

1. Do we have any volunteers willing to sit on a panel to rate sigs and have their scores averaged?

2. Is this worth doing?

3. What criteria should we use to rate?

Hope everyone's holidays were good!

Matt

On 12/29/09 2:23 PM, Matt Jonkman wrote:
> Hey David. I remember when you proposed this originally and I was thinking it might just be overkill for the contest then, but I didn't totally understand what you meant. I do now much more.
> So in the last 6 months of the sig contest I think we've learned:
>
> 1. Geeks will do anything for a tshirt! (we already knew that, but apparently endless hours of thankless research also are up for grabs)
>
> 2. I really like the ongoing recognition the leaderboard gives contributors. I know everyone's not in this for glory, but it makes me feel better to have that return available to contributors. Hopefully good numbers up there might help a person get a good job one day.
>
> 3. The contest inspired a lot of talk, thought, and innovation. It really spurred submissions, I could barely keep up some months!
>
> So the contest is valuable I think for a lot of reasons. We need to keep it, but I think your (David's) suggestion is a very good one to improve the contest.
>
> It would mean more work for me, which I'm more than willing to work hard, but I am approaching bandwidth saturation with ET, OISF (which we're releasing code in 2 days!!!), and the rest of life. And oh ya, making a living in there somewhere. :) And kids, I'm pretty sure I have kids around here somewhere...
>
> So let me suggest this: I keep putting up the sigs as we do now, they keep coming in the same way. But we set up a committee of 3 or 4 volunteers that score the submissions, either daily or weekly.
>
> We can discuss the exact algorithm later if the above suggestion is palatable. But that way I can keep the sigs flowing smoothly, and the signature contest can offer more reward based on innovation and speed of work. I do appreciate the sigs we've had to date, but this might encourage people to tackle the more difficult problems that might mean one sig, but a very high score, vs 20 Joomla sigs.
>
> I'd also suggest that we move this to maybe a quarterly award, or at least every other month.
> If we have fewer awards, and since we're definitely seeing the value of the contest, I think I could poll some of our sponsors and companies that rely on the ruleset to chip in some more substantial prizes (yes I'll still keep getting the tshirts too though!).
>
> What does everyone think about that? The 2 suggestions:
>
> 1. A value based scoring system run by a disinterested committee
>
> 2. Getting some sponsors to chip in substantial prizes
>
> Matt
>
> On 12/29/09 1:44 PM, David.R.Wharton at regions.com wrote:
>> Agreed that the contest has resulted in an increase in quantity but an overall decrease in quality/usefulness (not that they are not useful, just not so much on average). That is why back in July I proposed a scoring algorithm to encourage people to write rules for new vulnerabilities and the latest malware. What are people's thoughts on this scoring method:
>>
>> 0day: 4 points
>> Within 24 hours of vulnerability disclosure: 3 points
>> Within a week of vulnerability disclosure: 2 points
>> Generic signature: 3 points
>> Malware: 2.5 x log(percentage of VirusTotal non-detections + 10) points (log is base 10 and points round to the nearest integer)
>> Web app specific: always 1 point unless it is for "popular" software (Apache, IIS, PHP, etc.) and in that case normal scoring rules apply. The definition of "popular" software is currently undefined.
>> Joomla or XSS: 0.25 points (just kidding)
>>
>> Of course, this would probably mean more work for Matt....
>>
>> -David
>>
>> From: Matt Jonkman
>> To: "evilghost at packetmail.net"
>> Cc: "emerging-sigs at emergingthreats.net"
>> Date: 12/29/2009 10:40 AM
>> Subject: Re: [Emerging-Sigs] 35mm Slide Gallery imgdir Parameter Directory Traversal
>> Sent by: emerging-sigs-bounces at emergingthreats.net
>>
>> There have been a lot more sigs, and maybe less thought into some of them. I agree completely.
>>
>> But the majority of the sigs that are questionable are in web_specific_apps, which is really what is intended to be in there. That ruleset is not meant to be run whole, just pick the apps you have an interest in.
>>
>> So I think the net effect of the sig contest is a definite increase in the quality and quantity overall.
>>
>> Plus it's a lot of good clean fun. :)
>>
>> Matt
>>
>> On 12/29/09 11:33 AM, evilghost at packetmail.net wrote:
>>> I got nothing in the queue. I wouldn't sit on some signatures to win a T-Shirt, that's certainly not my motivation for contributing to this list. What is curious is the unintended consequences of a contest to promote competition; we get dilution in the quality of the rules because people want to pad their lead. It's almost like bottom posting...
>>>
>>> -evilghost
>>>
>>> Mike Cox wrote:
>>>> Thanks, just hedging my lead. I still worry that evilghost might swoop in at the last minute with a bunch of saved up rules since he got robbed last month. There is a lot of low hanging fruit out there (XSS, ActiveX, Joomla, etc.) to keep more than one Kevin Ross busy :)
>>>>
>>>> -Mike Cox
>>>>
>>>> On Tue, Dec 29, 2009 at 10:16 AM, John Jacobs wrote:
>>>>
>>>>> Mike, thanks for this signature, the five people using this will surely be happy. Looking at http://www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt this is so trivial it has to be a joke.
>>>>>
>>>>> At least you're a shoo-in for a T-Shirt (perhaps at the detriment to the quality of the rules).
>>>>>
>>>>> Cheers
>>>>> -John
>>>>>
>>>>> ------------------------------
>>>>> Date: Tue, 29 Dec 2009 10:08:42 -0600
>>>>> From: mike.cox52 at gmail.com
>>>>> To: Emerging-sigs at emergingthreats.net
>>>>> Subject: [Emerging-Sigs] 35mm Slide Gallery imgdir Parameter Directory Traversal
>>>>>
>>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; uricontent:"index.php?"; nocase; uricontent:"imgdir="; nocase; content:".."; pcre:"/\/index\.php(\?|.*\x26)imgdir=([^\x26\x3B\x0D\x0A]*[\x2F\x5C])?\.\.[\x2F\x5C]/i"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt; sid:2010xxx; rev:1;)
>>>>>
>>>>> Thanks.
>>>>>
>>>>> -Mike Cox

From mike.cox52 at
gmail.com Mon Jan 4 11:12:30 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Mon, 4 Jan 2010 10:12:30 -0600
Subject: [Emerging-Sigs] FakeAV Landing Page, updated
In-Reply-To: <4B420CC6.3020301@packetmail.net>
References: <4B420CC6.3020301@packetmail.net>
Message-ID: <6116b9e21001040812r498037b8s4532a275cd445b8b@mail.gmail.com>

Looks good but looking at the reference makes me think you left off something in the PCRE. Did you mean:

pcre:"/[a-z]\.php\?aid=\d+&sid=[a-z0-9]+$/Ui"; classtype:trojan-activity;

-Mike Cox

On Mon, Jan 4, 2010 at 9:44 AM, evilghost at packetmail.net <evilghost at packetmail.net> wrote:
From evilghost at packetmail.net Mon Jan 4 11:21:18 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 4 Jan 2010 10:21:18 -0600
Subject: [Emerging-Sigs] FakeAV Landing Page, updated
In-Reply-To: <6116b9e21001040812r498037b8s4532a275cd445b8b@mail.gmail.com>
References: <4B420CC6.3020301@packetmail.net> <6116b9e21001040812r498037b8s4532a275cd445b8b@mail.gmail.com>
Message-ID: <4B42157E.60803@packetmail.net>

I did. Monday + Everclear the night before. Thanks. PCRE should actually be:

pcre:"/[a-z]+\.php\?aid=\d+&sid=[a-z0-9]+$/Ui"; classtype:trojan-activity;

Mike Cox wrote:
> Looks good but looking at the reference makes me think you left off something in the PCRE. Did you mean:
>
> pcre:"/[a-z]\.php\?aid=\d+&sid=[a-z0-9]+$/Ui"; classtype:trojan-activity;
>
> -Mike Cox
From jules at visionintel.com Mon Jan 4 11:22:30 2010
From: jules at visionintel.com (Jules Pagna Disso)
Date: Mon, 4 Jan 2010 16:22:30 +0000
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To: <4B421249.1040002@jonkmans.com>
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com>
Message-ID: <69544301001040822o3853017xbbefc21effa0c676@mail.gmail.com>

Hi Matt,

Rating a signature would be tricky. As long as a signature does what it is supposed to do it is a good signature. I won't think that a signature is good because of its complexity. One way that I would think would be to rate signatures by the number of times they hit on our network, hence a central reporting server. Having a central reporting Prelude or ... server could be good but will give away information that can be exploited by the bad guys. I don't think it's necessary to rate signatures.

Jules

2010/1/4 Matt Jonkman
> Now that everyone's back in the office I wanted to bring this back up.
>
> 1. Do we have any volunteers willing to sit on a panel to rate sigs and have their scores averaged?
>
> 2. Is this worth doing?
>
> 3. What criteria should we use to rate?
> >>>>> > >>>>> -Mike Cox > >>>>> > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> Emerging-sigs mailing list > >>>>> Emerging-sigs at emergingthreats.net > >>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > >>>>> > >>>>> > >>>>> > >>>> > >>>> > >>>> > >> ------------------------------------------------------------------------ > >>>> > >>>> _______________________________________________ > >>>> Emerging-sigs mailing list > >>>> Emerging-sigs at emergingthreats.net > >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > >>>> > >>> _______________________________________________ > >>> Emerging-sigs mailing list > >>> Emerging-sigs at emergingthreats.net > >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > >> > > > > -- > > ---------------------------------------------------- > Matthew Jonkman > Emerging Threats > Open Information Security Foundation (OISF) > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > http://www.openinfosecfoundation.org > ---------------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100104/c9ccec3f/attachment.html From inurbitz at yahoo.com Mon Jan 4 11:43:24 2010 From: inurbitz at yahoo.com (Packet Hack) Date: Mon, 4 Jan 2010 08:43:24 -0800 (PST) Subject: [Emerging-Sigs] More FakeAV sigs Message-ID: <256986.67758.qm@web113718.mail.gq1.yahoo.com> Please double check, thanks. 
--pkthck

--------------------------------

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"loads.php?code="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Download"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"dfghfghgfj.dll"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/download.pl?code"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/get.pl?l="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)

From evilghost at packetmail.net Mon Jan 4 11:50:29 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 4 Jan 2010 10:50:29 -0600
Subject: [Emerging-Sigs] More FakeAV sigs
In-Reply-To: <256986.67758.qm@web113718.mail.gq1.yahoo.com>
References: <256986.67758.qm@web113718.mail.gq1.yahoo.com>
Message-ID: <4B421C55.6040400@packetmail.net>

Thanks for these.
Thoughts on adding a PCRE to match against cast?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"loads.php?code="; nocase; pcre:"/loads\.php\?code=\d+$/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/download.pl?code="; nocase; pcre:"/download\.pl\?code=\d+$/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/get.pl?l="; nocase; pcre:"/get\.pl\?l=\d+$/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)

-evilghost

Packet Hack wrote:
> Please double check, thanks.
>
> --pkthck
>
> --------------------------------
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"loads.php?code="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Download"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"dfghfghgfj.dll"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/download.pl?code"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/get.pl?l="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)

From pppmarinho at gmail.com Mon Jan 4 12:24:13 2010
From: pppmarinho at gmail.com (Pedro Marinho)
Date: Mon, 4 Jan 2010 15:24:13 -0200
Subject: [Emerging-Sigs] Suricata IDS Available for Download! (Matt Jonkman)
Message-ID:

Matt, Congratulations! I will test it of course !! happy new year sir !!
> Message: 1
> Date: Thu, 31 Dec 2009 15:11:21 -0500
> From: Matt Jonkman
> Subject: [Emerging-Sigs] Suricata IDS Available for Download!
> To: "emerging-sigs at emergingthreats.net", discussion at openinfosecfoundation.org, snort-users at lists.sourceforge.net, snort-sigs at lists.sourceforge.net, oisf-users at openinfosecfoundation.org
> Message-ID: <4B3D0569.4020907 at jonkmans.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Full Announcement here:
> http://www.openinfosecfoundation.org/
>
> It's been about three years in the making, but the day has finally come! We have the first release of the Suricata Engine! The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.
>
> The Suricata Engine and the HTP Library are available to use under the GPLv2.
>
> The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.
>
> This is considered a Beta Release as we are seeking feedback from the community. This release has many of the major new features we wanted to add to the industry, but certainly not all. We intend to get this base engine out and stable, and then continue to add new features. We expect several new releases in the month of January culminating in a production quality release shortly thereafter.
>
> The engine and the HTP Library are available here:
> http://www.openinfosecfoundation.org/index.php/download-suricata
>
> Please join the oisf-users mailing list to discuss and share feedback. The developers will be there ready to help you test.
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> As this is a first release we don't really have a "what's New" section because everything is new. But we do have a number of new ideas and new concepts to Intrusion Detection to note. Some of those are listed below:
>
> Multi-Threading
> Amazing that multi-threading is new to IDS, but it is, and we've got it!
>
> Automatic Protocol Detection
> The engine not only has keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match within an HTTP stream for example regardless of the port the stream occurs on. This is going to revolutionize malware detection and control. Detections for more layer 7 protocols are on the way.
>
> Gzip Decompression
> The HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.
>
> Independent HTP Library
> The HTP Parser will be of great use to many other applications such as proxies, filters, etc. The parser is available as a library also under GPLv2 for easy integration into other tools.
>
> Standard Input Methods
> You can use NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support coming shortly.
>
> Unified2 Output
> You can use your standard output tools and methods with the new engine, 100% compatible!
>
> Flow Variables
> It's possible to capture information out of a stream and save that in a variable which can then be matched again later.
>
> Fast IP Matching
> The engine will automatically take rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats) and put them into a special fast matching preprocessor.
>
> HTTP Log Module
> All HTTP requests can be automatically output into an apache-style log format file. Very useful for monitoring and logging activity completely independent of rulesets and matching. Should you need to do so you could use the engine only as an HTTP logging sniffer.
>
> Coming Very Soon: (Within a few weeks)
>
> Global Flow Variables
> The ability to store more information from a stream or match (actual data, not just setting a bit), and storing that information for a period of time. This will make comparing values across many streams and time possible.
>
> Graphics Card Acceleration
> Using CUDA and OpenCL we will be able to make use of the massive processing power of even old graphics cards to accelerate your IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.
>
> IP Reputation
> Hard to summarize in a sentence, but Reputation will allow sensors and organizations to share intelligence and eliminate many false positives.
>
> Windows Binaries
> As soon as we have a reasonably stable body of code.
>
> The list could go on and on. Please take a few minutes to download the engine and try it out and let us know what you think. We're not comfortable calling it production ready at the moment until we get your feedback, and we have a few features to complete. We really need your feedback and input. We intend to put out a series of small releases in the two to three weeks to come, and then a production ready major release shortly thereafter. Phase two of our development plan will then begin where we go after some major new features such as IP Reputation shortly.
>
> http://www.openinfosecfoundation.org
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
From emerging at emergingthreats.net Mon Jan 4 16:00:14 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 4 Jan 2010 16:00:14 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100104210014.4CF844504E@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Jan 4 16:00:14 2010 [***]

[+++] Added rules: [+++]

2010604 - ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt (emerging-web_specific_apps.rules)
2010605 - ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt (emerging-web_specific_apps.rules)
2010606 - ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt (emerging-web_specific_apps.rules)
2010607 - ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt (emerging-web_specific_apps.rules)
2010608 - ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt (emerging-web_specific_apps.rules)
2010609 - ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt (emerging-web_specific_apps.rules)
2010610 - ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt (emerging-web_specific_apps.rules)
2010611 - ET WEB_CLIENT HP Openview NNM ActiveX DisplayName method Memory corruption Attempt (emerging-web_client.rules)
2010612 - ET WEB_CLIENT HP Openview NNM ActiveX AddGroup method Memory corruption Attempt (emerging-web_client.rules)
2010613 - ET WEB_CLIENT HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt (emerging-web_client.rules)
2010614 - ET WEB_CLIENT HP Openview NNM ActiveX Subscribe method Memory corruption Attempt (emerging-web_client.rules)
2010615 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010616 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010617 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules)
2010618 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules)
2010619 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules)
2010620 - ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010621 - ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) (emerging-web_server.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (18) and to emerging-sid-msg.map.txt (18):

2010604 || ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_PozScripts || url,doc.emergingthreats.net/2010604 || url,www.securityfocus.com/bid/37541/info
2010605 || ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Mambo || url,doc.emergingthreats.net/2010605 || url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt
2010606 || ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010606 || url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt
2010607 || ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Xoops || url,doc.emergingthreats.net/2010607 || url,www.packetstormsecurity.org/0912-exploits/xoopsdictionary-sql.txt
2010608 || ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_iPortal || url,doc.emergingthreats.net/2010608 || url,www.packetstormsecurity.org/0912-exploits/galleryshow-sql.txt
2010609 || ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Helpdesk_Pilot || url,doc.emergingthreats.net/2010609 || url,www.www.packetstormsecurity.org/0912-exploits/helpdesk-sql.txt
2010610 || ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_RoseOnline || url,doc.emergingthreats.net/2010610 || url,www.packetstormsecurity.org/0912-exploits/roseonlinecms-lfi.txt
2010611 || ET WEB_CLIENT HP Openview NNM ActiveX DisplayName method Memory corruption Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010611 || url,www.securityfocus.com/archive/1/507948
2010612 || ET WEB_CLIENT HP Openview NNM ActiveX AddGroup method Memory corruption Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010612 || url,www.securityfocus.com/archive/1/507948
2010613 || ET WEB_CLIENT HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010613 || url,www.securityfocus.com/archive/1/507948
2010614 || ET WEB_CLIENT HP Openview NNM ActiveX Subscribe method Memory corruption Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HP || url,doc.emergingthreats.net/2010614 || url,www.securityfocus.com/archive/1/507948
2010615 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_phpBMS || url,doc.emergingthreats.net/2010615 || url,xforce.iss.net/xforce/xfdb/51650 || url,osvdb.org/show/osvdb/59194
2010616 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_phpBMS || url,doc.emergingthreats.net/2010616 || url,xforce.iss.net/xforce/xfdb/51650 || url,osvdb.org/show/osvdb/59194
2010617 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_phpBMS || url,doc.emergingthreats.net/2010617 || url,xforce.iss.net/xforce/xfdb/51650 || url,osvdb.org/show/osvdb/59194
2010618 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_phpBMS || url,doc.emergingthreats.net/2010618 || url,xforce.iss.net/xforce/xfdb/51650 || url,osvdb.org/show/osvdb/59194
2010619 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_phpBMS || url,doc.emergingthreats.net/2010619 || url,xforce.iss.net/xforce/xfdb/51650 || url,osvdb.org/show/osvdb/59194
2010620 || ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010620 || url,www.exploit-db.com/exploits/10369 || url,xforce.iss.net/xforce/xfdb/54662
2010621 || ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) || url,www.Whitehatsecurityresponse.blogspot.com || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List || url,doc.emergingthreats.net/2009029

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (8) and from emerging-sid-msg.map.txt (8):

2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From evilghost at packetmail.net Mon Jan 4 16:01:34 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 4 Jan 2010 15:01:34 -0600
Subject: [Emerging-Sigs] More FakeAV sigs
In-Reply-To: <101642.93073.qm@web113704.mail.gq1.yahoo.com>
References: <256986.67758.qm@web113718.mail.gq1.yahoo.com>
<4B421C55.6040400@packetmail.net> <375968.28089.qm@web113703.mail.gq1.yahoo.com> <4B424128.3030902@packetmail.net> <101642.93073.qm@web113704.mail.gq1.yahoo.com> Message-ID: <4B42572E.8070700@packetmail.net> In my experience, I've seen fair amounts of consistency surrounding cast types and URI structures. With the same token I believe they would just as easily adjust the PHP file names/etc. That's my opinion but I'll defer to the collective wisdom of the list. I always prefer to be as precise as possible with regard to a variant versus the reduction of usefulness of a signature due to false positive potential. I'm good with whatever is decided upon, what we have here is collectively better than anything I've seen elsewhere including the AV snakeoil. - evilghost Packet Hack wrote: > I guess that's the thing -- there's no guarantee that the data after code= will always be integers, > and if they decide to change their code types we'd end up with false negatives. > > Looks like I forgot to cc: the list on my last reply -- do you mind if I send it to the list? > > Jim > > > > > ________________________________ > From: "evilghost at packetmail.net" > To: Packet Hack > Sent: Mon, January 4, 2010 2:27:36 PM > Subject: Re: [Emerging-Sigs] More FakeAV sigs > > I meant anchoring the integers at the end of the URI. The sigs you > wrote are very good but I tend to like to anchor cast (ie, all integers) > to avoid false positives. For example, "loads.php?code=newpage" won't > match the PCRE but does match the URI content match. > "loads.php?code=12345" would match the PCRE since the content is of type > integer. Make sense? The PCRE won't fire unless the uricontent match > succeeds. > > These are good sigs even without the PCRE, I just like to be precise as > possible and as reasonable to avoid false positives. The list may feel > differently and not like the PCRE. > > -evilghost > > Packet Hack wrote: > >> Not sure what you mean by match against cast. 
I'm kinda new to writing sigs, >> so I'm not sure what the pros are for adding the pcre. I imagine one minus is >> a performance hit, but there may be others. >> >> When I'm thinking about these I try to keep in mind the things that might change >> over time and leave them out if possible, otherwise I'd also be adding the hostnames >> for these sigs. >> >> What do you think? >> --pkthck >> >> >> >> >> ________________________________ >> From: "evilghost at packetmail.net" >> Cc: "emerging-sigs at emergingthreats.net" >> Sent: Mon, January 4, 2010 11:50:29 AM >> Subject: Re: [Emerging-Sigs] More FakeAV sigs >> >> Thanks for these. Thoughts on adding a PCRE to match against cast? >> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"loads.php?code="; nocase; pcre:"/loads\.php\?code=\d+$/Ui"; >> classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;) >> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/download.pl?code="; nocase; pcre:"/download\.pl\?code=\d+$/Ui"; >> classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;) >> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/get.pl?l="; nocase; pcre:"/get\.pl\?l=\d+$/Ui"; >> classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;) >> >> -evilghost >> >> Packet Hack wrote: >> >> >>> Please double check, thanks. 
>>>
>>> --pkthck
>>>
>>> --------------------------------
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"loads.php?code="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Download"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"dfghfghgfj.dll"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/download.pl?code"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/get.pl?l="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From kevross33 at
googlemail.com Mon Jan 4 16:44:43 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 4 Jan 2010 21:44:43 +0000
Subject: [Emerging-Sigs] unescaped : in sid 2010621 (SQL Injection Attempt (Agent CZ32ts)
Message-ID:

Here is the original sig; the : after agent isn't escaped. I haven't had a chance to run it through snort to see if it errors, though.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"|0d 0a|User-Agent: CZ32ts|0d 0a|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:2010621; rev:2;)

corrected sig:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"|0d 0a|User-Agent|3A| CZ32ts|0d 0a|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:2010621; rev:3;)
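As an added example (not code from this thread, Emerging Threats or Snort), a small Python emulation of the two rule-writing points raised above: the FakeAV rule's uricontent prefilter followed by the integer-anchored PCRE (evilghost's "loads.php?code=newpage" vs "loads.php?code=12345"), and the difference between the bare ':' and the |3A| hex escape in the sid 2010621 content string. Function names and the sample URIs are my own.

```python
import re

# Characters this thread treats as needing an escape (or a |xx| hex section)
# inside a Snort content: string; the original sid 2010621 had a bare ':'.
CONTENT_SPECIALS = set(';"\\:')


def decode_content(s: str) -> bytes:
    """Turn a Snort content: string into the bytes the engine matches.

    Handles |xx xx| hex-pipe sections and backslash escapes; everything
    else is taken literally, so two spellings of one content compare equal.
    """
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "|":
            j = s.index("|", i + 1)            # closing pipe of the hex section
            out += bytes.fromhex(s[i + 1:j])    # fromhex() ignores the spaces
            i = j + 1
        elif c == "\\":
            out.append(ord(s[i + 1]))           # escaped literal, e.g. \: or \;
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def unescaped_specials(s: str) -> list:
    """List special characters that appear bare (outside |..|, not escaped)."""
    found = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "|":
            i = s.index("|", i + 1) + 1         # skip the hex section entirely
            continue
        if c == "\\":
            i += 2                              # escaped, so fine
            continue
        if c in CONTENT_SPECIALS:
            found.append(c)
        i += 1
    return found


# The two spellings of the User-Agent content from the sid 2010621 message.
ORIGINAL_CONTENT = "|0d 0a|User-Agent: CZ32ts|0d 0a|"
CORRECTED_CONTENT = "|0d 0a|User-Agent|3A| CZ32ts|0d 0a|"


def fakeav_checkin(uri: str) -> dict:
    r"""Emulate the FakeAV loads.php rule: uricontent prefilter, then the PCRE.

    uricontent:"loads.php?code="; nocase;  -> case-insensitive substring test
    pcre:"/loads\.php\?code=\d+$/Ui";      -> /U: applied to the URI, /i: nocase
    As in Snort, the PCRE is only evaluated when the uricontent matched.
    """
    uricontent_hit = "loads.php?code=" in uri.lower()
    pcre_hit = bool(uricontent_hit and
                    re.search(r"loads\.php\?code=\d+$", uri, re.I))
    return {"uricontent": uricontent_hit, "pcre": pcre_hit}


if __name__ == "__main__":
    print(decode_content(ORIGINAL_CONTENT) == decode_content(CORRECTED_CONTENT))
    print(unescaped_specials(ORIGINAL_CONTENT), unescaped_specials(CORRECTED_CONTENT))
    # Constructed sample URIs, not captured traffic.
    for u in ("/loads.php?code=12345", "/loads.php?code=newpage", "/index.php?code=1"):
        print(u, fakeav_checkin(u))
```

The hardened content matches exactly the same bytes as the original; only the rule text changes, which is what makes the rev bump safe.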
From kevross33 at googlemail.com Mon Jan 4 16:52:58 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Mon, 4 Jan 2010 21:52:58 +0000
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To: <4B421249.1040002@jonkmans.com>
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com>
Message-ID:

Not so much for the competition, but if we could go through the rulesets looking for errors, performance improvements or sigs to possibly disable or retire if they are not relevant anymore. I was doing it for a while and found pcre being applied to all incoming user-agents, pcre for multiple clsids where the content match isn't looking for the actual clsid, just a pcre looking for 10 of them. Not that any of the sigs were wrong, they did what they are supposed to do, just small improvements for efficiency. I am aware that some of my sigs in the emerging-scan category can be improved upon too as they were when I was first learning and that is something I will be getting around to. They work, just need improving for performance.

2010/1/4 Matt Jonkman
> Now that everyone's back in the office I wanted to bring this back up.
>
> 1. Do we have any volunteers willing to sit on a panel to rate sigs and their scores averaged
>
> 2. Is this worth doing?
>
> 3. What criteria should we use to rate?
>
> Hope everyone's holidays were good!
>
> Matt
>
> On 12/29/09 2:23 PM, Matt Jonkman wrote:
>> Hey David. I remember when you proposed this originally and I was thinking it might just be overkill for the contest then, but I didn't totally understand what you meant. I do now much more. So in the last 6 months of the sig contest I think we've learned:
>>
>> 1.
>> Geeks will do anything for a tshirt! (we already knew that, but apparently endless hours of thankless research also are up for grabs)
>>
>> 2. I really like the ongoing recognition the leaderboard gives contributors. I know everyone's not in this for glory, but it makes me feel better to have that return available to contributors. Hopefully good numbers up there might help a person get a good job one day.
>>
>> 3. The contest inspired a lot of talk, thought, and innovation. It really spurred submissions, I could barely keep up some months!
>>
>> So the contest is valuable I think for a lot of reasons. We need to keep it, but I think your (David's) suggestion is a very good one to improve the contest.
>>
>> It would mean more work for me, which I'm more than willing to work hard, but I am approaching bandwidth saturation with ET, OISF (which we're releasing code in 2 days!!!), and the rest of life. And oh ya, making a living in there somewhere. :) And kids, I'm pretty sure I have kids around here somewhere...
>>
>> So let me suggest this: I keep putting up the sigs as we do now, they keep coming in the same way. But we set up a committee of 3 or 4 volunteers that score the submissions, either daily or weekly.
>>
>> We can discuss the exact algorithm later if the above suggestion is palatable. But that way I can keep the sigs flowing smoothly, and the signature contest can offer more reward based on innovation and speed of work. I do appreciate the sigs we've had to date, but this might encourage people to tackle the more difficult problems that might mean one sig, but a very high score, vs 20 joomla sigs.
>>
>> I'd also suggest that we move this to maybe a quarterly award, or at least every other month.
>> If we have fewer awards, and since we're definitely seeing the value of the contest, I think I could poll some of our sponsors and companies that rely on the ruleset to chip in some more substantial prizes (yes I'll still keep getting the tshirts too though!).
>>
>> What does everyone think about that? The 2 suggestions:
>>
>> 1. A value based scoring system run by a disinterested committee
>>
>> 2. Getting some sponsors to chip in substantial prizes
>>
>> Matt
>>
>> On 12/29/09 1:44 PM, David.R.Wharton at regions.com wrote:
>>> Agreed that the contest has resulted in an increase in quantity but an overall decrease in quality/usefulness (not that they are not useful, just not so much on average). That is why back in July I proposed a scoring algorithm to encourage people to write rules for new vulnerabilities and the latest malware. What are people's thoughts on this scoring method:
>>>
>>> 0day: 4 points
>>> Within 24 hours of vulnerability disclosure: 3 points
>>> Within a week of vulnerability disclosure: 2 points
>>> Generic signature: 3 points
>>> Malware: 2.5 x log(percentage of VirusTotal non-detections + 10) points (log is base 10 and points round to the nearest integer)
>>> Web app specific: always 1 point unless it is for "popular" software (Apache, IIS, PHP, etc.) and in that case normal scoring rules apply. The definition of "popular" software is currently undefined.
>>> Joomla or XSS: 0.25 points (just kidding)
>>>
>>> Of course, this would probably mean more work for Matt....
>>>
>>> -David
>>>
>>> From: Matt Jonkman
>>> To: "evilghost at packetmail.net"
>>> Cc: "emerging-sigs at emergingthreats.net"
>>> Date: 12/29/2009 10:40 AM
>>> Subject: Re: [Emerging-Sigs] 35mm Slide Gallery imgdir Parameter Directory Traversal
>>> Sent by: emerging-sigs-bounces at emergingthreats.net
>>>
>>> There have been a lot more sigs, and maybe less thought into some of them. I agree completely.
>>>
>>> But the majority of the sigs that are questionable are in web_specific_apps, which is really what is intended to be in there. That ruleset is not meant to be run whole, just pick the apps you have an interest in.
>>>
>>> So I think the net effect of the sig contest is a definite increase in the quality and quantity overall.
>>>
>>> Plus it's a lot of good clean fun. :)
>>>
>>> Matt
>>>
>>> On 12/29/09 11:33 AM, evilghost at packetmail.net wrote:
>>>> I got nothing in the queue. I wouldn't sit on some signatures to win a T-Shirt, that's certainly not my motivation for contributing to this list. What is curious is the unintended consequences of a contest to promote competition; we get dilution in the quality of the rules because people want to pad their lead. It's almost like bottom posting...
>>>>
>>>> -evilghost
>>>>
>>>> Mike Cox wrote:
>>>>> Thanks, just hedging my lead. I still worry that evilghost might swoop in at the last minute with a bunch of saved up rules since he got robbed last month. There is a lot of low hanging fruit out there (XSS, ActiveX, Joomla, etc.) to keep more than one Kevin Ross busy :)
>>>>>
>>>>> -Mike Cox
>>>>>
>>>>> On Tue, Dec 29, 2009 at 10:16 AM, John Jacobs wrote:
>>>>>
>>>>>> Mike, thanks for this signature, the five people using this will surely be happy.
>>>>>> Looking at http://www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt this is so trivial it has to be a joke.
>>>>>>
>>>>>> At least you're a shoo-in for a T-Shirt (perhaps at the detriment to the quality of the rules).
>>>>>>
>>>>>> Cheers
>>>>>> -John
>>>>>>
>>>>>> ------------------------------
>>>>>> Date: Tue, 29 Dec 2009 10:08:42 -0600
>>>>>> From: mike.cox52 at gmail.com
>>>>>> To: Emerging-sigs at emergingthreats.net
>>>>>> Subject: [Emerging-Sigs] 35mm Slide Gallery imgdir Parameter Directory Traversal
>>>>>>
>>>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; uricontent:"index.php?"; nocase; uricontent:"imgdir="; nocase; content:".."; pcre:"/\/index\.php(\?|.*\x26)imgdir=([^\x26\x3B\x0D\x0A]*[\x2F\x5C])?\.\.[\x2F\x5C]/i"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt; sid:2010xxx; rev:1;)
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> -Mike Cox
>>
>
> --
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Jan 4 18:47:59 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 04 Jan 2010 18:47:59 -0500
Subject: [Emerging-Sigs] unescaped : in sid 2010621 (SQL Injection Attempt (Agent CZ32ts)
In-Reply-To:
References:
Message-ID: <4B427E2F.6080101@jonkmans.com>

My mistake, thanks Kevin!

Matt

On 1/4/10 4:44 PM, Kevin Ross wrote:
> Here is the original sig; the : after agent isn't escaped.
> I haven't had a chance to run it through snort to see if it errors, though.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"|0d 0a|User-Agent: CZ32ts|0d 0a|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:2010621; rev:2;)
>
> corrected sig:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"|0d 0a|User-Agent|3A| CZ32ts|0d 0a|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:2010621; rev:3;)

From richrumble at gmail.com Mon Jan 4 23:01:02 2010
From: richrumble at gmail.com (Rich Rumble)
Date: Mon, 4 Jan 2010 23:01:02 -0500
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To:
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com>
<4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com>
Message-ID:

On Mon, Jan 4, 2010 at 4:52 PM, Kevin Ross wrote:
> Not so much for the competition but if we could go through the rulesets looking for errors, performance improvements or sigs to possibly disable or retire if they are not relevant anymore.

Hear, hear!

> I am aware that some of my sigs in the emerging-scan category can be improved upon too as they were when I was first learning and that is something I will be getting around to. They work, just need improving for performance.

I have a question: how are we to balance snort sigs and suricata sigs? I've not seen anything to tell me the two are different, but I'd assume with protocol detection that perhaps we don't need to include port numbers in a suri sig where we still do in a snort sig? I know it's brand new, but I've not seen a doc yet on writing effective suri rules, and perhaps that will come along in the next update. Will there be a need for separate lists for snort/suricata?

Something I've always needed help with is how to write a better sig, and I think there are some sig *stars* on the list that do great work and help others whenever possible. I wish there were more, I wish I were one of them :) I'll keep reading SnortSigs101 and try to get myself in the running for the monthly sig contest. (I think I've just made a new year's resolution... even though I've oxymoronically made it my new year's resolution to not make new year's resolutions...
hmm)

From mail at mare-system.de Tue Jan 5 04:20:32 2010
From: mail at mare-system.de (mex)
Date: Tue, 05 Jan 2010 10:20:32 +0100
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
Message-ID: <4B430460.3040302@mare-system.de>

i played with the sshbl-list from http://www.sshbl.org and wrote a parser that creates snortsigs out of that; the result (updated every 12 hours) is available at http://dogtown.mare-system.de/download/SSHBlacklist-DROP.rules

the parser takes the latest 300 IPs (that *SHALL* contain roughly the blocked IPs from the last 30 days, as recommended on the website)

the sigs are built as follows:

alert tcp 200.229.144.70 any -> $HOME_NET $SSH_PORTS (msg:"SSHBL-Connection Attempt"; flow:to_server,established; content:"|15 00 00 00 00 |"; depth:10; classtype:attempted-user; reference:url,www.sshbl.org/; sid:40400001; rev:2;)

unfortunately i have no chance to check the sigs against any ssh-server out there (just linux and ye ol' SunOS - servers) so i match against what wireshark told me was the client-request for new keys, indicated by |15 ...| and trailing 00 00 00, but i'm not an ssh-guru, so maybe someone could advise me how to detect an ssh-connection-attempt.

until now the sigs are working quite ok, i checked it with a known ip and got no fps during a whole ssh-session. i think the sigs might be useful for hosting and people running publicly accessible servers. next step is to integrate fwsam (not yet tested) to build a DROP-ruleset.

i'd appreciate any comments, improvements and testdrives.

mex

From kevross33 at googlemail.com Tue Jan 5 06:48:59 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 5 Jan 2010 11:48:59 +0000
Subject: [Emerging-Sigs] 2 Sigs: Cisco WLAN Controller DOS & Wapiti HTTP Server Scanner
Message-ID:

Both of these have been tested and are working in detecting what they are supposed to. The wapiti one replaces the previous sig I wrote ages ago for this when I was learning.
The WLC sig was also checked against this metasploit module to ensure it was accurate and detected the vulnerability: http://downloads.securityfocus.com/vulnerabilities/exploits/35805.rb

Happy New Year Everyone,
Kev

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET /screens/frameset.html"; depth:26; nocase; content:"Authorization|3A 20|Basic"; nocase; within:60; isdataat:70,relative; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; sid:19000001; rev:1;)

# This replaces my early (poor) attempt at a sig with sid 2008417 in emerging-scan
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; classtype:attempted-recon; reference:url,wapiti.sourceforge.net/; sid:1900002; rev:1;)

From frank at knobbe.us Tue Jan 5 09:14:54 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 05 Jan 2010 08:14:54 -0600
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B430460.3040302@mare-system.de>
References: <4B430460.3040302@mare-system.de>
Message-ID: <1262700894.26549.6.camel@localhost>

On Tue, 2010-01-05 at 10:20 +0100, mex wrote:
> the parser takes the latest 300 IPs (that *SHALL* contain roughly the blocked IPs from the last 30 days, as recommended on the website)

Why would you want to "detect" something that is already known?
(Likewise, I don't like the other IP-based EmergingThreats sigs; it's not just your idea I have a problem with.)

> next step is to integrate fwsam (not yet tested) to build a DROP-ruleset.

There is no need to involve Snort. If you have a list of hostile IP addresses, block them on your firewall. No sense in also involving Snort, or getting alerts on IPs you expect to get alerts from.

We got tons more SSH scanning IPs in our database. Would you like these too? You can create a couple thousand SSH rules if you like. Maybe then it will become apparent that it is useless to alert on IPs you know will likely attack you. Just block 'em and be done with it :)

-Frank

From kevross33 at googlemail.com Tue Jan 5 09:15:44 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 5 Jan 2010 14:15:44 +0000
Subject: [Emerging-Sigs] 4 More Cisco Sigs
Message-ID:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco IOS HTTP Server Cross Site Scripting Attempt"; flow:to_server; content:"GET /ping"; nocase; depth:9; pcre:"/\x2Fping.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml; reference:cve,2008-3821; sid:1900003; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; uricontent:"/servlet/JavascriptProbe"; nocase; nocase; uricontent:"documentElement=true"; nocase; uricontent:"regexp=true"; nocase; \
uricontent:"frames=true"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/34454/info; sid:1900004; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; uricontent:"/level/15/exec/-/"; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; classtype:web-application-attack; reference:url,articles.techrepublic.com.com/5100-10878_11-6039967.html; sid:1900005; rev:1;)

# I think this should provide some coverage though it is based on POC
alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; sid:1900006; rev:1;)

From jonkman at jonkmans.com Tue Jan 5 09:38:53 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Jan 2010 09:38:53 -0500
Subject: [Emerging-Sigs] 4 More Cisco Sigs
In-Reply-To:
References:
Message-ID: <4B434EFD.20305@jonkmans.com>

Posting the last 3, but on the first is there some uri or content match we can add before we go to pcre? /ping may be too common to pcre every one...

Others are great, thanks Kevin!
Matt

On 1/5/10 9:15 AM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco IOS HTTP Server Cross Site Scripting Attempt"; flow:to_server; content:"GET /ping"; nocase; depth:9; pcre:"/\x2Fping.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml; reference:cve,2008-3821; sid:1900003; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; uricontent:"/servlet/JavascriptProbe"; nocase; nocase; uricontent:"documentElement=true"; nocase; uricontent:"regexp=true"; nocase; uricontent:"frames=true"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/34454/info; sid:1900004; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; uricontent:"/level/15/exec/-/"; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; classtype:web-application-attack; reference:url,articles.techrepublic.com.com/5100-10878_11-6039967.html; sid:1900005; rev:1;)
>
> # I think this should provide some coverage though it is based on POC
> alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; \
> classtype:attempted-dos; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; sid:1900006; rev:1;)

From kevross33 at googlemail.com Tue Jan 5 09:50:21 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 5 Jan 2010 14:50:21 +0000
Subject: [Emerging-Sigs] 1 more Cisco Sig (BGP Dos)
Message-ID:

Simple sig for a simple vulnerability (basically kill the device with a regexp :) Did you get the new Wapiti sig and Cisco Lan Controller DOS sigs matt?

Kev

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Possible Cisco IOS Show IP BGP Regexp Commmand Remote Denial of Service Attempt"; flow:to_server,established; content:"show ip bgp regexp"; depth:60; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/25352/info; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070912-regexp.shtml; sid:190000009; rev:1;)
From jonkman at jonkmans.com Tue Jan 5 10:01:23 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Jan 2010 10:01:23 -0500
Subject: [Emerging-Sigs] 1 more Cisco Sig (BGP Dos)
In-Reply-To:
References:
Message-ID: <4B435443.2090201@jonkmans.com>

We need a way to look for a complex regex. This will hit on a legitimate regex.

I don't see how we can do that though without making our own dos regex...

Any ideas?

Matt

From kevross33 at googlemail.com Tue Jan 5 10:24:12 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 5 Jan 2010 15:24:12 +0000
Subject: [Emerging-Sigs] sig repost (Cisco WLAN sig and Wapiti)
Message-ID:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long
Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET /screens/frameset.html"; depth:26; nocase; content:"Authorization|3A 20|Basic"; nocase; within:60; isdataat:70,relative; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; sid:19000001; rev:1;)

# This replaces my early (poor) attempt at a sig with sid 2008417 in emerging-scan
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; classtype:attempted-recon; reference:url,wapiti.sourceforge.net/; sid:1900002; rev:1;)

Both tested and working against exploit attempts/scans (former tested with metasploit module),
Kev

From evilghost at packetmail.net Tue Jan 5 10:32:50 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 5 Jan 2010 09:32:50 -0600
Subject: [Emerging-Sigs] 1 more Cisco Sig (BGP Dos)
In-Reply-To: <4B435443.2090201@jonkmans.com>
References: <4B435443.2090201@jonkmans.com>
Message-ID: <4B435BA2.1010704@packetmail.net>

Matt, it looks like this is the trigger, the recursion in (_\1)+

Thoughts on below?
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Possible Cisco IOS Show IP BGP Regexp Command Remote Denial of Service Attempt"; flow:to_server,established; content:"show ip bgp regexp"; depth:60; content:"|28 5F 5C 31 29 2B|"; distance:0; within:100; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/25352/info; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070912-regexp.shtml; sid:190000009; rev:1;)

Matt Jonkman wrote:
> We need a way to look for a complex regex. This will hit on a legitimate
> regex.
>
> I don't see how we can do that though without making our own dos regex...
>
> Any ideas?
>
> Matt

From jonkman at jonkmans.com Tue Jan 5 12:23:52 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Jan 2010 12:23:52 -0500
Subject: [Emerging-Sigs] 1 more Cisco Sig (BGP Dos)
In-Reply-To: <4B435BA2.1010704@packetmail.net>
References: <4B435443.2090201@jonkmans.com> <4B435BA2.1010704@packetmail.net>
Message-ID: <4B4375A8.8000106@jonkmans.com>

Better sig, but I'm afraid you can cause that same recursion with a lot of other strings. Like "test.*(_\1)+", etc.

Seeing as this is an authentication required vuln, I wonder if it's worth the load risk?

Thoughts?

Matt

On 1/5/10 10:32 AM, evilghost at packetmail.net wrote:
> Matt, it looks like this is the trigger, the recursion in (_\1)+
>
> Thoughts on below?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Possible Cisco IOS Show IP BGP Regexp Command Remote Denial of Service Attempt"; flow:to_server,established; content:"show ip bgp regexp"; depth:60; content:"|28 5F 5C 31 29 2B|"; distance:0; within:100; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/25352/info; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070912-regexp.shtml; sid:190000009; rev:1;)

From jonkman at jonkmans.com Tue Jan 5 12:32:46 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Jan 2010 12:32:46 -0500
Subject: [Emerging-Sigs] sig repost (Cisco WLAN sig and Wapiti)
Message-ID: <4B4377BE.9070908@jonkmans.com>

Hmmm, on the first one, this could hit on normal traffic unrelated. Nothing to tie it specifically to a cisco attack. I don't see anything in the vuln report to make this better. Unfortunately.

The second one is good though, I think that'll fly.

Thanks Kevin!
Matt

On 1/5/10 10:24 AM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET /screens/frameset.html"; depth:26; nocase; content:"Authorization|3A 20|Basic"; nocase; within:60; isdataat:70,relative; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; sid:19000001; rev:1;)
>
> # This replaces my early (poor) attempt at a sig with sid 2008417 in emerging-scan
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; classtype:attempted-recon; reference:url,wapiti.sourceforge.net/; sid:1900002; rev:1;)
>
> Both tested and working against exploit attempts/scans (former tested
> with metasploit module),
> Kev

From mail at mare-system.de Tue Jan 5 12:36:57 2010
From: mail at mare-system.de (mex)
Date: Tue, 05 Jan 2010 18:36:57 +0100
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <1262700894.26549.6.camel@localhost>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost>
Message-ID: <4B4378B9.2060808@mare-system.de>

> There is no need to involve Snort. If you have a list of hostile IP
> addresses, block them on your firewall. No sense in also involving
> Snort, or getting alerts on IP's you expect to get alerts from.

i know setups where firewallrules are maintained only manually, never automated, and since, comparing to snort, it's not so easy to test a generated firewallscript like a simple snort -T, it's not always clever to deploy firewallrules via automation that could break the setup.

furthermore, why should one block an ip just because it's on a list from the internet? and i like the fwsam-option to block an ip for a certain amount of time, instead of reloading my firewallrules every day.

tl;dr: it's easier to maintain temporary ip-blocks using snort, but it depends on the setup.

regards,

mex

From jonkman at jonkmans.com Tue Jan 5 12:39:16 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Jan 2010 12:39:16 -0500
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B4378B9.2060808@mare-system.de>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B4378B9.2060808@mare-system.de>
Message-ID: <4B437944.1040300@jonkmans.com>

Well put I think. The crux of the argument, it all depends on your setup. Some folks can't put in large block lists on perimeter devices, some don't have devices that can hack it. Some can.

So we will do our best to offer both methods.

Matt

On 1/5/10 12:36 PM, mex wrote:
> i know setups where firewallrules are maintained only manually,
> never automated, and since, comparing to snort, it's not so easy to
> test a generated firewallscript like a simple snort -T, it's not
> always clever to deploy firewallrules via automation that
> could break the setup.
>
> furthermore, why should one block an ip just because it's on a
> list from the internet? and i like the fwsam-option to block
> an ip for a certain amount of time, instead of reloading my
> firewallrules every day.
>
> tl;dr: it's easier to maintain temporary ip-blocks using snort,
> but it depends on the setup.
>
> regards,
>
> mex

From frank at knobbe.us Tue Jan 5 12:43:34 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 05 Jan 2010 11:43:34 -0600
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B4378B9.2060808@mare-system.de>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B4378B9.2060808@mare-system.de>
Message-ID: <1262713414.26549.44.camel@localhost>

On Tue, 2010-01-05 at 18:36 +0100, mex wrote:
> i know setups where firewallrules are maintained only manually,
> never automated,

So use the list. Do you really need to wait before a listed IP address actually hits your sensor?

> furthermore, why should one block an ip just because it's on a
> list from the internet?

Why create rules just because it's on a list from the Internet?

> and i like the fwsam-option to block
> an ip for a certain amount of time, instead of reloading my
> firewallrules every day

You can use samtool to feed a list into your firewall (just like Snort would do) and block for a period of time (Snortsam will expire the blocks for you, keeping the firewall clean).
I still don't see the use for having a list of *known hostile IP's* in Snort so that you can get alerts on them. If they do something nasty (say, SSH scan) you will get alerts regardless of the IP rule!

Such a list is useful for the new reputation engine in the new OISF IDS. But only to qualify alerts, not to generate them.

Cheers,
Frank

From evilghost at packetmail.net Tue Jan 5 12:47:21 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 5 Jan 2010 11:47:21 -0600
Subject: [Emerging-Sigs] 1 more Cisco Sig (BGP Dos)
In-Reply-To: <4B4375A8.8000106@jonkmans.com>
References: <4B435443.2090201@jonkmans.com> <4B435BA2.1010704@packetmail.net> <4B4375A8.8000106@jonkmans.com>
Message-ID: <4B437B29.4040009@packetmail.net>

IMHO not worth it since it's authenticated.

Matt, "test.*(_\1)+" should match the content match.

Matt Jonkman wrote:
> Better sig, but I'm afraid you can cause that same recursion with a lot
> of other strings. Like "test.*(_\1)+", etc.
>
> Seeing as this is an authentication required vuln, I wonder if it's
> worth the load risk?
>
> Thoughts?
>
> Matt

From jonkman at jonkmans.com Tue Jan 5 12:53:49 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Jan 2010 12:53:49 -0500
Subject: [Emerging-Sigs] FakeAV Landing Page, updated
In-Reply-To: <4B42157E.60803@packetmail.net>
References: <4B420CC6.3020301@packetmail.net> <6116b9e21001040812r498037b8s4532a275cd445b8b@mail.gmail.com> <4B42157E.60803@packetmail.net>
Message-ID: <4B437CAD.3070803@jonkmans.com>

Posted, sorry for the delay. We need to watch this one for FPs, some ad posts can look similar.

Matt

On 1/4/10 11:21 AM, evilghost at packetmail.net wrote:
> pcre:"/[a-z]+\.php\?aid=\d+&sid=[a-z0-9]+$/Ui"; classtype:trojan-activity;

From kevross33 at googlemail.com Tue Jan 5 14:26:49 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 5 Jan 2010 19:26:49 +0000
Subject: [Emerging-Sigs] sig repost (Cisco WLAN sig and Wapiti)
In-Reply-To: <4B4377BE.9070908@jonkmans.com>
References: <4B4377BE.9070908@jonkmans.com>

is /screens/frameset.html common for authorisation? I didn't know that

2010/1/5 Matt Jonkman

> Hmmm, on the first one, this could hit on normal traffic unrelated.
> Nothing to tie it specifically to a cisco attack. I don't see anything
> in the vuln report to make this better. Unfortunately.
>
> The second one is good though, I think that'll fly.
>
> Thanks Kevin!
>
> Matt
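The signatures traded in the two threads above (Kevin's WLC and Wapiti rules, and evilghost's BGP rule with the `|28 5F 5C 31 29 2B|` content) all depend on how chained content modifiers behave. The following is an added example, not code from the list or from Snort: a small Python evaluator for exactly the payload options those rules use (content, nocase, depth, offset, distance, within, isdataat ... relative), run over constructed request payloads. The modifier semantics are my reading of the Snort 2.x manual, stated in the comments as assumptions; it does not evaluate the rule header, handles only `|hex|` escapes inside content strings, and takes the first occurrence of each pattern instead of backtracking. Host names, the sample credentials and the function names are mine. The results show both of Matt's objections in code: Kevin's first BGP rule fires on any `show ip bgp regexp` line, and the WLC rule fires on any long Basic credential sent to that path, Cisco or not.

```python
"""Minimal evaluator for the Snort payload options used by the rules in
this thread.  Added example; the semantics are my reading of Snort 2.x
(assumptions noted below), not Snort's own matcher."""


def split_options(rule: str):
    """Return (keyword, value) pairs from inside the rule's parentheses.
    Splits on ';' outside double quotes; value is None for bare keywords
    such as nocase.  Backslash escapes inside strings are not handled."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pieces, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            pieces.append(cur)
            cur = ""
        else:
            cur += ch
    if cur.strip():
        pieces.append(cur)
    pairs = []
    for piece in pieces:
        kw, sep, val = piece.strip().partition(":")
        pairs.append((kw.strip(), val.strip() if sep else None))
    return pairs


def decode_content(quoted: str) -> bytes:
    """Turn a quoted content string into bytes: text segments are literal,
    segments between |pipes| are hex byte values (|3A 20| -> b': ')."""
    out = b""
    for i, part in enumerate(quoted.strip()[1:-1].split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


MODIFIERS = ("nocase", "offset", "depth", "distance", "within")


def evaluate(rule: str, payload: bytes) -> bool:
    """Apply the rule's content/isdataat options to one payload, in order.
    Assumed semantics (my reading of the Snort manual, not its code):
      depth:N      pattern must lie entirely within the first N bytes
      distance:N   relative search starts N bytes after the previous match
      within:N     relative pattern must lie entirely in the N bytes from there
      isdataat:N,relative  a byte exists N bytes past the previous match end
    The rule header (addresses, ports, flow) is not evaluated."""
    opts, prev_end, i = split_options(rule), 0, 0
    while i < len(opts):
        kw, val = opts[i]
        i += 1
        if kw == "content":
            mods = {}
            while i < len(opts) and opts[i][0] in MODIFIERS:
                mods[opts[i][0]] = opts[i][1]
                i += 1
            relative = "distance" in mods or "within" in mods
            start = prev_end + int(mods.get("distance", 0)) if relative else int(mods.get("offset", 0))
            span = mods.get("within") if relative else mods.get("depth")
            limit = start + int(span) if span is not None else len(payload)
            hay, needle = payload[start:limit], decode_content(val)
            if "nocase" in mods:
                hay, needle = hay.lower(), needle.lower()
            pos = hay.find(needle)
            if pos < 0:
                return False
            prev_end = start + pos + len(needle)
        elif kw == "isdataat":
            n, _, flag = val.partition(",")
            base = prev_end if flag.strip() == "relative" else 0
            if base + int(n) >= len(payload):
                return False
    return True


# The rules as posted in the thread (reference options omitted; they are not evaluated).
BGP_V1 = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Possible Cisco IOS Show IP BGP Regexp Command Remote Denial of Service Attempt"; flow:to_server,established; content:"show ip bgp regexp"; depth:60; classtype:attempted-dos; sid:190000009; rev:1;)'
BGP_V2 = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Possible Cisco IOS Show IP BGP Regexp Command Remote Denial of Service Attempt"; flow:to_server,established; content:"show ip bgp regexp"; depth:60; content:"|28 5F 5C 31 29 2B|"; distance:0; within:100; classtype:attempted-dos; sid:190000009; rev:1;)'
WLC = 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET /screens/frameset.html"; depth:26; nocase; content:"Authorization|3A 20|Basic"; nocase; within:60; isdataat:70,relative; classtype:attempted-dos; sid:19000001; rev:1;)'
WAPITI = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; classtype:attempted-recon; sid:1900002; rev:1;)'

# Constructed payloads (not captured traffic); host names are placeholders.
SAMPLES = {
    "bgp_recursive":  b"show ip bgp regexp (_\\1)+\r\n",
    "bgp_prefixed":   b"show ip bgp regexp test.*(_\\1)+\r\n",   # Matt's variant
    "bgp_benign":     b"show ip bgp regexp ^65000_\r\n",         # an ordinary AS-path query
    "wlc_long_auth":  b"GET /screens/frameset.html HTTP/1.1\r\nHost: wlc\r\nAuthorization: Basic " + b"A" * 80 + b"\r\n\r\n",
    "wlc_short_auth": b"GET /screens/frameset.html HTTP/1.1\r\nHost: wlc\r\nAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n",
    "wapiti_probe":   b"GET /index.php?http://www.google.fr HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Python-httplib2\r\n\r\n",
    "browser_get":    b"GET /index.php?http://www.google.fr HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}


def run_all() -> dict:
    """Evaluate every rule against every sample: {sample: {rule: bool}}."""
    rules = {"bgp_v1": BGP_V1, "bgp_v2": BGP_V2, "wlc": WLC, "wapiti": WAPITI}
    return {name: {rn: evaluate(r, p) for rn, r in rules.items()} for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:15s} " + "  ".join(f"{rn}={'HIT ' if hit else 'miss'}" for rn, hit in hits.items()))
```

Note that the BGP rules watch a telnet session, where IOS commonly receives one keystroke per packet, so a single-packet content match like `show ip bgp regexp` depends on stream reassembly delivering the whole line; the example hands the evaluator a complete line for that reason.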
From mike.cox52 at gmail.com Tue Jan 5 14:43:02 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Tue, 5 Jan 2010 13:43:02 -0600
Subject: [Emerging-Sigs] ET EXPLOIT IE IFRAME Exploit -- SID 2001401
Message-ID: <6116b9e21001051143u223d20a7id3798b2373bba100@mail.gmail.com>

Concerning the "ET EXPLOIT IE IFRAME Exploit" rule -- SID 2001401 in emerging-exploit.rules -- I'm seeing this rule eat a lot of CPU cycles and thought maybe we could improve it or retire it (it is from 2004). Here it is currently:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT IE IFRAME Exploit"; flow:from_server,established; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001401; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities; sid:2001401; rev:16;)

Since it is just PCRE matches, it is obvious why it performs poorly. Would it be worthwhile to split it up (EMBED, FRAME, SRC) and use modifiers like 'isdataat'?

-Mike Cox
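Mike's question is about a rule that gives the fast-pattern matcher nothing to work with: with no content option, both PCREs run against every server-to-client packet on $HTTP_PORTS. As an added example (not from the list or from the ET rule set), the Python below loads the two PCREs from SID 2001401 verbatim into `re`, runs them over constructed HTTP responses, and contrasts that with the cheap keyword pre-filter that a `content:"src"; nocase;`-style anchor would provide. It also makes two observations that the regex text itself supports: because `|` binds loosest, the second PCRE's `\W{2086}` branch is not scoped to an attribute value and matches any run of 2086 non-word characters on its own, and the first PCRE's `/W{578}` branch (slash, not backslash) is a literal slash followed by 578 W's. `P2_GROUPED`, the sample responses, and the function names are mine; `P2_GROUPED` only illustrates where grouping parentheses would go, it is not a proposed revision.

```python
"""What SID 2001401's two PCREs actually accept, and what a content
pre-filter would save.  Added example; not from the ET rule set."""
import re

# Snort's /im flags map to re.I | re.M; re.A keeps \w ASCII-only, as PCRE
# does by default.  Python's re treats \: as a literal colon, like PCRE.
FLAGS = re.I | re.M | re.A

# Both expressions exactly as written in the rule above.
P1 = re.compile(r'''(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}''', FLAGS)
P2 = re.compile(r'''(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}''', FLAGS)

# Illustration only (my grouping, not a list-approved revision): with the
# alternation inside a group, the \W{2086} branch applies to the attribute
# value instead of matching anywhere in the response.
P2_GROUPED = re.compile(r'''(EMBED|FRAME|SRC|NAME)\s*=\s*["'](?:\w{2086}|\W{2086})''', FLAGS)


def rule_fires(body: str) -> bool:
    """SID 2001401 as written: both PCREs must match the server payload."""
    return bool(P1.search(body) and P2.search(body))


def needs_pcre(body: str) -> bool:
    """Cheap pre-filter standing in for a content:"..."; nocase; anchor.
    Both PCREs require one of EMBED/FRAME/SRC, so a payload containing
    none of them can never fire the rule and need not be regex-scanned."""
    low = body.lower()
    return any(k in low for k in ("embed", "frame", "src"))


def scan(bodies, prefilter: bool):
    """Return (alerts, pcre_evaluations) over a list of response payloads."""
    alerts = evals = 0
    for body in bodies:
        if prefilter and not needs_pcre(body):
            continue
        evals += 1
        if rule_fires(body):
            alerts += 1
    return alerts, evals


def alternation_checks() -> dict:
    """Show what the ungrouped alternations accept on minimal inputs."""
    return {
        "p2_matches_bare_padding": bool(P2.search(" " * 2086)),
        "p2_grouped_matches_bare_padding": bool(P2_GROUPED.search(" " * 2086)),
        "p1_second_branch_is_literal_slash_W": bool(P1.search("/" + "W" * 578)),
    }


# Constructed responses (not captured traffic).
HDR = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLES = {
    # the shape the rule describes: 578-character src URL and 2086-character name
    "long_attrs": HDR + '<iframe src="http://' + "a" * 578 + '" name="' + "b" * 2086 + '"></iframe>',
    # no tag at all; only the stray \W{2086} branch of P2 matches here
    "padding_only": HDR + " " * 2086,
    "plain_page": HDR + '<html><body><a href="http://www.example.test/">hi</a></body></html>',
    "short_frame": HDR + '<iframe src="http://www.example.test/x.html"></iframe>',
}


if __name__ == "__main__":
    bodies = list(SAMPLES.values())
    print("no prefilter  (alerts, pcre runs):", scan(bodies, prefilter=False))
    print("with prefilter(alerts, pcre runs):", scan(bodies, prefilter=True))
    for k, v in alternation_checks().items():
        print(f"{k}: {v}")
```

Snort's fast-pattern matcher only helps a rule that carries a content match, which is why Mike's idea of splitting the rule by keyword (one rule per `content:"embed"`, `content:"frame"`, `content:"src"` with `nocase`) is what `needs_pcre` approximates in a single function; the PCREs then run only on the packets that could possibly fire.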
From emerging at emergingthreats.net Tue Jan 5 16:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 5 Jan 2010 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100105210013.40EA245050@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Jan 5 16:00:13 2010 [***]

[+++] Added rules: [+++]

2010622 - ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt (emerging-web_server.rules)
2010623 - ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt (emerging-web_server.rules)
2010624 - ET CURRENT_EVENTS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets) (emerging-current_events.rules)
2010625 - ET TROJAN FakeAV Landing Page (aid,sid) (emerging-virus.rules)

[+++] Enabled and modified rules: [+++]

2008417 - ET SCAN Wapiti Web Server Vulnerability Scan (emerging-scan.rules)

[///] Modified active rules: [///]

2010621 - ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) (emerging-web_server.rules)
2406000 - ET RBN Known Russian Business Network IP TCP (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network IP UDP (1) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network IP TCP (2) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network IP UDP (2) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network IP TCP (3) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network IP UDP (3) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network IP TCP (4) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network IP UDP (4) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network IP TCP (5) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network IP UDP (5) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network IP TCP (6) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network IP UDP (6) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network IP TCP (7) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network IP UDP (7) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network IP TCP (8) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network IP UDP (8) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network IP TCP (9) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network IP UDP (9) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network IP TCP (10) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network IP UDP (10) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network IP TCP (11) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network IP UDP (11) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network IP TCP (12) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network IP UDP (12) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network IP TCP (13) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network IP UDP (13) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network IP TCP (14) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network IP UDP (14) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network IP TCP (15) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network IP UDP (15) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network IP TCP (16) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network IP UDP (16) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network IP TCP (17) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network IP UDP (17) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network IP TCP (18) 
(emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network IP UDP (18) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network IP TCP (19) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network IP UDP (19) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network IP TCP (20) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network IP UDP (20) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network IP TCP (21) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network IP UDP (21) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network IP TCP (22) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network IP UDP (22) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network IP TCP (23) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network IP UDP (23) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network IP TCP (24) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network IP UDP (24) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network IP TCP (25) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network IP UDP (25) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network IP TCP (26) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network IP UDP (26) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network IP TCP (27) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network IP UDP (27) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network IP TCP (28) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network IP UDP (28) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network IP TCP (29) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network IP UDP (29) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network IP TCP (30) (emerging-rbn.rules) 2406059 - ET RBN Known Russian 
Business Network IP UDP (30) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network IP TCP (31) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network IP UDP (31) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network IP TCP (32) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network IP UDP (32) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network IP TCP (33) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network IP UDP (33) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network IP TCP (34) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network IP UDP (34) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network IP TCP (35) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network IP UDP (35) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network IP TCP (36) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network IP UDP (36) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network IP TCP (37) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network IP UDP (37) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network IP TCP (38) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network IP UDP (38) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network IP TCP (39) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network IP UDP (39) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network IP TCP (40) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network IP UDP (40) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network IP TCP (41) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network IP UDP (41) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network IP TCP (42) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network IP UDP (42) (emerging-rbn.rules) 
2406084 - ET RBN Known Russian Business Network IP TCP (43) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network IP UDP (43) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network IP TCP (44) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network IP UDP (44) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network IP TCP (45) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network IP UDP (45) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network IP TCP (46) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network IP UDP (46) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network IP TCP (47) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network IP UDP (47) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network IP TCP (48) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network IP UDP (48) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network IP TCP (49) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network IP UDP (49) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network IP TCP (50) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network IP UDP (50) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network IP TCP (51) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network IP UDP (51) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network IP TCP (52) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network IP UDP (52) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network IP TCP (53) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network IP UDP (53) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network IP TCP (54) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network IP UDP (54) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network IP TCP 
(55) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network IP UDP (55) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network IP TCP (56) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network IP UDP (56) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network IP TCP (57) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network IP UDP (57) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network IP TCP (58) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network IP UDP (58) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network IP TCP (59) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network IP UDP (59) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network IP TCP (60) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network IP UDP (60) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network IP TCP (61) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network IP UDP (61) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network IP TCP (62) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network IP UDP (62) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network IP TCP (63) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network IP UDP (63) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network IP TCP (64) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network IP UDP (64) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network IP TCP (65) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network IP UDP (65) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network IP TCP (66) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network IP UDP (66) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network IP TCP (67) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network IP UDP (67) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network IP TCP (68) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network IP UDP (68) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network IP TCP (69) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network IP UDP (69) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network IP TCP (70) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network IP UDP (70) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network IP TCP (71) (emerging-rbn.rules)
2406141 - ET RBN Known Russian Business Network IP UDP (71) (emerging-rbn.rules)
2406142 - ET RBN Known Russian Business Network IP TCP (72) (emerging-rbn.rules)
2406143 - ET RBN Known Russian Business Network IP UDP (72) (emerging-rbn.rules)
2406144 - ET RBN Known Russian Business Network IP TCP (73) (emerging-rbn.rules)
2406145 - ET RBN Known Russian Business Network IP UDP (73) (emerging-rbn.rules)
2406146 - ET RBN Known Russian Business Network IP TCP (74) (emerging-rbn.rules)
2406147 - ET RBN Known Russian Business Network IP UDP (74) (emerging-rbn.rules)
2406148 - ET RBN Known Russian Business Network IP TCP (75) (emerging-rbn.rules)
2406149 - ET RBN Known Russian Business Network IP UDP (75) (emerging-rbn.rules)
2406150 - ET RBN Known Russian Business Network IP TCP (76) (emerging-rbn.rules)
2406151 - ET RBN Known Russian Business Network IP UDP (76) (emerging-rbn.rules)
2406152 - ET RBN Known Russian Business Network IP TCP (77) (emerging-rbn.rules)
2406153 - ET RBN Known Russian Business Network IP UDP (77) (emerging-rbn.rules)
2406154 - ET RBN Known Russian Business Network IP TCP (78) (emerging-rbn.rules)
2406155 - ET RBN Known Russian Business Network IP UDP (78) (emerging-rbn.rules)
2406156 - ET RBN Known Russian Business Network IP TCP (79) (emerging-rbn.rules)
2406157 - ET RBN Known Russian Business Network IP UDP (79) (emerging-rbn.rules)
2406158 - ET RBN Known Russian Business Network IP TCP (80) (emerging-rbn.rules)
2406159 - ET RBN Known Russian Business Network IP UDP (80) (emerging-rbn.rules)
2406160 - ET RBN Known Russian Business Network IP TCP (81) (emerging-rbn.rules)
2406161 - ET RBN Known Russian Business Network IP UDP (81) (emerging-rbn.rules)
2406162 - ET RBN Known Russian Business Network IP TCP (82) (emerging-rbn.rules)
2406163 - ET RBN Known Russian Business Network IP UDP (82) (emerging-rbn.rules)
2406164 - ET RBN Known Russian Business Network IP TCP (83) (emerging-rbn.rules)
2406165 - ET RBN Known Russian Business Network IP UDP (83) (emerging-rbn.rules)
2406166 - ET RBN Known Russian Business Network IP TCP (84) (emerging-rbn.rules)
2406167 - ET RBN Known Russian Business Network IP UDP (84) (emerging-rbn.rules)
2406168 - ET RBN Known Russian Business Network IP TCP (85) (emerging-rbn.rules)
2406169 - ET RBN Known Russian Business Network IP UDP (85) (emerging-rbn.rules)
2406170 - ET RBN Known Russian Business Network IP TCP (86) (emerging-rbn.rules)
2406171 - ET RBN Known Russian Business Network IP UDP (86) (emerging-rbn.rules)
2406172 - ET RBN Known Russian Business Network IP TCP (87) (emerging-rbn.rules)
2406173 - ET RBN Known Russian Business Network IP UDP (87) (emerging-rbn.rules)
2406174 - ET RBN Known Russian Business Network IP TCP (88) (emerging-rbn.rules)
2406175 - ET RBN Known Russian Business Network IP UDP (88) (emerging-rbn.rules)
2406176 - ET RBN Known Russian Business Network IP TCP (89) (emerging-rbn.rules)
2406177 - ET RBN Known Russian Business Network IP UDP (89) (emerging-rbn.rules)
2406178 - ET RBN Known Russian Business Network IP TCP (90) (emerging-rbn.rules)
2406179 - ET RBN Known Russian Business Network IP UDP (90) (emerging-rbn.rules)
2406180 - ET RBN Known Russian Business Network IP TCP (91) (emerging-rbn.rules)
2406181 - ET RBN Known Russian Business Network IP UDP (91) (emerging-rbn.rules)
2406182 - ET RBN Known Russian Business Network IP TCP (92) (emerging-rbn.rules)
2406183 - ET RBN Known Russian Business Network IP UDP (92) (emerging-rbn.rules)
2406184 - ET RBN Known Russian Business Network IP TCP (93) (emerging-rbn.rules)
2406185 - ET RBN Known Russian Business Network IP UDP (93) (emerging-rbn.rules)
2406186 - ET RBN Known Russian Business Network IP TCP (94) (emerging-rbn.rules)
2406187 - ET RBN Known Russian Business Network IP UDP (94) (emerging-rbn.rules)
2406188 - ET RBN Known Russian Business Network IP TCP (95) (emerging-rbn.rules)
2406189 - ET RBN Known Russian Business Network IP UDP (95) (emerging-rbn.rules)
2406190 - ET RBN Known Russian Business Network IP TCP (96) (emerging-rbn.rules)
2406191 - ET RBN Known Russian Business Network IP UDP (96) (emerging-rbn.rules)
2406192 - ET RBN Known Russian Business Network IP TCP (97) (emerging-rbn.rules)
2406193 - ET RBN Known Russian Business Network IP UDP (97) (emerging-rbn.rules)
2406194 - ET RBN Known Russian Business Network IP TCP (98) (emerging-rbn.rules)
2406195 - ET RBN Known Russian Business Network IP UDP (98) (emerging-rbn.rules)
2406196 - ET RBN Known Russian Business Network IP TCP (99) (emerging-rbn.rules)
2406197 - ET RBN Known Russian Business Network IP UDP (99) (emerging-rbn.rules)
2406198 - ET RBN Known Russian Business Network IP TCP (100) (emerging-rbn.rules)
2406199 - ET RBN Known Russian Business Network IP UDP (100) (emerging-rbn.rules)
2406200 - ET RBN Known Russian Business Network IP TCP (101) (emerging-rbn.rules)
2406201 - ET RBN Known Russian Business Network IP UDP (101) (emerging-rbn.rules)
2406202 - ET RBN Known Russian Business Network IP TCP (102) (emerging-rbn.rules)
2406203 - ET RBN Known Russian Business Network IP UDP (102) (emerging-rbn.rules)
2406204 - ET RBN Known Russian Business Network IP TCP (103) (emerging-rbn.rules)
2406205 - ET RBN Known Russian Business Network IP UDP (103) (emerging-rbn.rules)
2406206 - ET RBN Known Russian Business Network IP TCP (104) (emerging-rbn.rules)
2406207 - ET RBN Known Russian Business Network IP UDP (104) (emerging-rbn.rules)
2406208 - ET RBN Known Russian Business Network IP TCP (105) (emerging-rbn.rules)
2406209 - ET RBN Known Russian Business Network IP UDP (105) (emerging-rbn.rules)
2406210 - ET RBN Known Russian Business Network IP TCP (106) (emerging-rbn.rules)
2406211 - ET RBN Known Russian Business Network IP UDP (106) (emerging-rbn.rules)
2406212 - ET RBN Known Russian Business Network IP TCP (107) (emerging-rbn.rules)
2406213 - ET RBN Known Russian Business Network IP UDP (107) (emerging-rbn.rules)
2406214 - ET RBN Known Russian Business Network IP TCP (108) (emerging-rbn.rules)
2406215 - ET RBN Known Russian Business Network IP UDP (108) (emerging-rbn.rules)
2406216 - ET RBN Known Russian Business Network IP TCP (109) (emerging-rbn.rules)
2406217 - ET RBN Known Russian Business Network IP UDP (109) (emerging-rbn.rules)
2406218 - ET RBN Known Russian Business Network IP TCP (110) (emerging-rbn.rules)
2406219 - ET RBN Known Russian Business Network IP UDP (110) (emerging-rbn.rules)
2406220 - ET RBN Known Russian Business Network IP TCP (111) (emerging-rbn.rules)
2406221 - ET RBN Known Russian Business Network IP UDP (111) (emerging-rbn.rules)
2406222 - ET RBN Known Russian Business Network IP TCP (112) (emerging-rbn.rules)
2406223 - ET RBN Known Russian Business Network IP UDP (112) (emerging-rbn.rules)
2406224 - ET RBN Known Russian Business Network IP TCP (113) (emerging-rbn.rules)
2406225 - ET RBN Known Russian Business Network IP UDP (113) (emerging-rbn.rules)
2406226 - ET RBN Known Russian Business Network IP TCP (114) (emerging-rbn.rules)
2406227 - ET RBN Known Russian Business Network IP UDP (114) (emerging-rbn.rules)
2406228 - ET RBN Known Russian Business Network IP TCP (115) (emerging-rbn.rules)
2406229 - ET RBN Known Russian Business Network IP UDP (115) (emerging-rbn.rules)
2406230 - ET RBN Known Russian Business Network IP TCP (116) (emerging-rbn.rules)
2406231 - ET RBN Known Russian Business Network IP UDP (116) (emerging-rbn.rules)
2406232 - ET RBN Known Russian Business Network IP TCP (117) (emerging-rbn.rules)
2406233 - ET RBN Known Russian Business Network IP UDP (117) (emerging-rbn.rules)
2406234 - ET RBN Known Russian Business Network IP TCP (118) (emerging-rbn.rules)
2406235 - ET RBN Known Russian Business Network IP UDP (118) (emerging-rbn.rules)
2406236 - ET RBN Known Russian Business Network IP TCP (119) (emerging-rbn.rules)
2406237 - ET RBN Known Russian Business Network IP UDP (119) (emerging-rbn.rules)
2406238 - ET RBN Known Russian Business Network IP TCP (120) (emerging-rbn.rules)
2406239 - ET RBN Known Russian Business Network IP UDP (120) (emerging-rbn.rules)
2406240 - ET RBN Known Russian Business Network IP TCP (121) (emerging-rbn.rules)
2406241 - ET RBN Known Russian Business Network IP UDP (121) (emerging-rbn.rules)
2406242 - ET RBN Known Russian Business Network IP TCP (122) (emerging-rbn.rules)
2406243 - ET RBN Known Russian Business Network IP UDP (122) (emerging-rbn.rules)
2406244 - ET RBN Known Russian Business Network IP TCP (123) (emerging-rbn.rules)
2406245 - ET RBN Known Russian Business Network IP UDP (123) (emerging-rbn.rules)
2406246 - ET RBN Known Russian Business Network IP TCP (124) (emerging-rbn.rules)
2406247 - ET RBN Known Russian Business Network IP UDP (124) (emerging-rbn.rules)
2406248 - ET RBN Known Russian Business Network IP TCP (125) (emerging-rbn.rules)
2406249 - ET RBN Known Russian Business Network IP UDP (125) (emerging-rbn.rules)
2406250 - ET RBN Known Russian Business Network IP TCP (126) (emerging-rbn.rules)
2406251 - ET RBN Known Russian Business Network IP UDP (126) (emerging-rbn.rules)
2406252 - ET RBN Known Russian Business Network IP TCP (127) (emerging-rbn.rules)
2406253 - ET RBN Known Russian Business Network IP UDP (127) (emerging-rbn.rules)
2406254 - ET RBN Known Russian Business Network IP TCP (128) (emerging-rbn.rules)
2406255 - ET RBN Known Russian Business Network IP UDP (128) (emerging-rbn.rules)
2406256 - ET RBN Known Russian Business Network IP TCP (129) (emerging-rbn.rules)
2406257 - ET RBN Known Russian Business Network IP UDP (129) (emerging-rbn.rules)
2406258 - ET RBN Known Russian Business Network IP TCP (130) (emerging-rbn.rules)
2406259 - ET RBN Known Russian Business Network IP UDP (130) (emerging-rbn.rules)
2406260 - ET RBN Known Russian Business Network IP TCP (131) (emerging-rbn.rules)
2406261 - ET RBN Known Russian Business Network IP UDP (131) (emerging-rbn.rules)
2406262 - ET RBN Known Russian Business Network IP TCP (132) (emerging-rbn.rules)
2406263 - ET RBN Known Russian Business Network IP UDP (132) (emerging-rbn.rules)
2406264 - ET RBN Known Russian Business Network IP TCP (133) (emerging-rbn.rules)
2406265 - ET RBN Known Russian Business Network IP UDP (133) (emerging-rbn.rules)
2406266 - ET RBN Known Russian Business Network IP TCP (134) (emerging-rbn.rules)
2406267 - ET RBN Known Russian Business Network IP UDP (134) (emerging-rbn.rules)
2406268 - ET RBN Known Russian Business Network IP TCP (135) (emerging-rbn.rules)
2406269 - ET RBN Known Russian Business Network IP UDP (135) (emerging-rbn.rules)
2406270 - ET RBN Known Russian Business Network IP TCP (136) (emerging-rbn.rules)
2406271 - ET RBN Known Russian Business Network IP UDP (136) (emerging-rbn.rules)
2406272 - ET RBN Known Russian Business Network IP TCP (137) (emerging-rbn.rules)
2406273 - ET RBN Known Russian Business Network IP UDP (137) (emerging-rbn.rules)
2406274 - ET RBN Known Russian Business Network IP TCP (138) (emerging-rbn.rules)
2406275 - ET RBN Known Russian Business Network IP UDP (138) (emerging-rbn.rules)
2406276 - ET RBN Known Russian Business Network IP TCP (139) (emerging-rbn.rules)
2406277 - ET RBN Known Russian Business Network IP UDP (139) (emerging-rbn.rules)
2406278 - ET RBN Known Russian Business Network IP TCP (140) (emerging-rbn.rules)
2406279 - ET RBN Known Russian Business Network IP UDP (140) (emerging-rbn.rules)
2406280 - ET RBN Known Russian Business Network IP TCP (141) (emerging-rbn.rules)
2406281 - ET RBN Known Russian Business Network IP UDP (141) (emerging-rbn.rules)
2406282 - ET RBN Known Russian Business Network IP TCP (142) (emerging-rbn.rules)
2406283 - ET RBN Known Russian Business Network IP UDP (142) (emerging-rbn.rules)
2406284 - ET RBN Known Russian Business Network IP TCP (143) (emerging-rbn.rules)
2406285 - ET RBN Known Russian Business Network IP UDP (143) (emerging-rbn.rules)
2406286 - ET RBN Known Russian Business Network IP TCP (144) (emerging-rbn.rules)
2406287 - ET RBN Known Russian Business Network IP UDP (144) (emerging-rbn.rules)
2406288 - ET RBN Known Russian Business Network IP TCP (145) (emerging-rbn.rules)
2406289 - ET RBN Known Russian Business Network IP UDP (145) (emerging-rbn.rules)
2406290 - ET RBN Known Russian Business Network IP TCP (146) (emerging-rbn.rules)
2406291 - ET RBN Known Russian Business Network IP UDP (146) (emerging-rbn.rules)
2406292 - ET RBN Known Russian Business Network IP TCP (147) (emerging-rbn.rules)
2406293 - ET RBN Known Russian Business Network IP UDP (147) (emerging-rbn.rules)
2406294 - ET RBN Known Russian Business Network IP TCP (148) (emerging-rbn.rules)
2406295 - ET RBN Known Russian Business Network IP UDP (148) (emerging-rbn.rules)
2406296 - ET RBN Known Russian Business Network IP TCP (149) (emerging-rbn.rules)
2406297 - ET RBN Known Russian Business Network IP UDP (149) (emerging-rbn.rules)
2406298 - ET RBN Known Russian Business Network IP TCP (150) (emerging-rbn.rules)
2406299 - ET RBN Known Russian Business Network IP UDP (150) (emerging-rbn.rules)
2406300 - ET RBN Known Russian Business Network IP TCP (151) (emerging-rbn.rules)
2406301 - ET RBN Known Russian Business Network IP UDP (151) (emerging-rbn.rules)
2406302 - ET RBN Known Russian Business Network IP TCP (152) (emerging-rbn.rules)
2406303 - ET RBN Known Russian Business Network IP UDP (152) (emerging-rbn.rules)
2406304 - ET RBN Known Russian Business Network IP TCP (153) (emerging-rbn.rules)
2406305 - ET RBN Known Russian Business Network IP UDP (153) (emerging-rbn.rules)
2406306 - ET RBN Known Russian Business Network IP TCP (154) (emerging-rbn.rules)
2406307 - ET RBN Known Russian Business Network IP UDP (154) (emerging-rbn.rules)
2406308 - ET RBN Known Russian Business Network IP TCP (155) (emerging-rbn.rules)
2406309 - ET RBN Known Russian Business Network IP UDP (155) (emerging-rbn.rules)
2406310 - ET RBN Known Russian Business Network IP TCP (156) (emerging-rbn.rules)
2406311 - ET RBN Known Russian Business Network IP UDP (156) (emerging-rbn.rules)
2406312 - ET RBN Known Russian Business Network IP TCP (157) (emerging-rbn.rules)
2406313 - ET RBN Known Russian Business Network IP UDP (157) (emerging-rbn.rules)
2406314 - ET RBN Known Russian Business Network IP TCP (158) (emerging-rbn.rules)
2406315 - ET RBN Known Russian Business Network IP UDP (158) (emerging-rbn.rules)
2406316 - ET RBN Known Russian Business Network IP TCP (159) (emerging-rbn.rules)
2406317 - ET RBN Known Russian Business Network IP UDP (159) (emerging-rbn.rules)
2406318 - ET RBN Known Russian Business Network IP TCP (160) (emerging-rbn.rules)
2406319 - ET RBN Known Russian Business Network IP UDP (160) (emerging-rbn.rules)
2406320 - ET RBN Known Russian Business Network IP TCP (161) (emerging-rbn.rules)
2406321 - ET RBN Known Russian Business Network IP UDP (161) (emerging-rbn.rules)
2406322 - ET RBN Known Russian Business Network IP TCP (162) (emerging-rbn.rules)
2406323 - ET RBN Known Russian Business Network IP UDP (162) (emerging-rbn.rules)
2406324 - ET RBN Known Russian Business Network IP TCP (163) (emerging-rbn.rules)
2406325 - ET RBN Known Russian Business Network IP UDP (163) (emerging-rbn.rules)
2406326 - ET RBN Known Russian Business Network IP TCP (164) (emerging-rbn.rules)
2406327 - ET RBN Known Russian Business Network IP UDP (164) (emerging-rbn.rules)
2406328 - ET RBN Known Russian Business Network IP TCP (165) (emerging-rbn.rules)
2406329 - ET RBN Known Russian Business Network IP UDP (165) (emerging-rbn.rules)
2406330 - ET RBN Known Russian Business Network IP TCP (166) (emerging-rbn.rules)
2406331 - ET RBN Known Russian Business Network IP UDP (166) (emerging-rbn.rules)
2406332 - ET RBN Known Russian Business Network IP TCP (167) (emerging-rbn.rules)
2406333 - ET RBN Known Russian Business Network IP UDP (167) (emerging-rbn.rules)
2406334 - ET RBN Known Russian Business Network IP TCP (168) (emerging-rbn.rules)
2406335 - ET RBN Known Russian Business Network IP UDP (168) (emerging-rbn.rules)
2406336 - ET RBN Known Russian Business Network IP TCP (169) (emerging-rbn.rules)
2406337 - ET RBN Known Russian Business Network IP UDP (169) (emerging-rbn.rules)
2406338 - ET RBN Known Russian Business Network IP TCP (170) (emerging-rbn.rules)
2406339 - ET RBN Known Russian Business Network IP UDP (170) (emerging-rbn.rules)
2406340 - ET RBN Known Russian Business Network IP TCP (171) (emerging-rbn.rules)
2406341 - ET RBN Known Russian Business Network IP UDP (171) (emerging-rbn.rules)
2406342 - ET RBN Known Russian Business Network IP TCP (172) (emerging-rbn.rules)
2406343 - ET RBN Known Russian Business Network IP UDP (172) (emerging-rbn.rules)
2406344 - ET RBN Known Russian Business Network IP TCP (173) (emerging-rbn.rules)
2406345 - ET RBN Known Russian Business Network IP UDP (173) (emerging-rbn.rules)
2406346 - ET RBN Known Russian Business Network IP TCP (174) (emerging-rbn.rules)
2406347 - ET RBN Known Russian Business Network IP UDP (174) (emerging-rbn.rules)
2406348 - ET RBN Known Russian Business Network IP TCP (175) (emerging-rbn.rules)
2406349 - ET RBN Known Russian Business Network IP UDP (175) (emerging-rbn.rules)
2406350 - ET RBN Known Russian Business Network IP TCP (176) (emerging-rbn.rules)
2406351 - ET RBN Known Russian Business Network IP UDP (176) (emerging-rbn.rules)
2406352 - ET RBN Known Russian Business Network IP TCP (177) (emerging-rbn.rules)
2406353 - ET RBN Known Russian Business Network IP UDP (177) (emerging-rbn.rules)
2406354 - ET RBN Known Russian Business Network IP TCP (178) (emerging-rbn.rules)
2406355 - ET RBN Known Russian Business Network IP UDP (178) (emerging-rbn.rules)
2406356 - ET RBN Known Russian Business Network IP TCP (179) (emerging-rbn.rules)
2406357 - ET RBN Known Russian Business Network IP UDP (179) (emerging-rbn.rules)
2406358 - ET RBN Known Russian Business Network IP TCP (180) (emerging-rbn.rules)
2406359 - ET RBN Known Russian Business Network IP UDP (180) (emerging-rbn.rules)
2406360 - ET RBN Known Russian Business Network IP TCP (181) (emerging-rbn.rules)
2406361 - ET RBN Known Russian Business Network IP UDP (181) (emerging-rbn.rules)
2406362 - ET RBN Known Russian Business Network IP TCP (182) (emerging-rbn.rules)
2406363 - ET RBN Known Russian Business Network IP UDP (182) (emerging-rbn.rules)
2406364 - ET RBN Known Russian Business Network IP TCP (183) (emerging-rbn.rules)
2406365 - ET RBN Known Russian Business Network IP UDP (183) (emerging-rbn.rules)
2406366 - ET RBN Known Russian Business Network IP TCP (184) (emerging-rbn.rules)
2406367 - ET RBN Known Russian Business Network IP UDP (184) (emerging-rbn.rules)
2406368 - ET RBN Known Russian Business Network IP TCP (185) (emerging-rbn.rules)
2406369 - ET RBN Known Russian Business Network IP UDP (185) (emerging-rbn.rules)
2406370 - ET RBN Known Russian Business Network IP TCP (186) (emerging-rbn.rules)
2406371 - ET RBN Known Russian Business Network IP UDP (186) (emerging-rbn.rules)
2406372 - ET RBN Known Russian Business Network IP TCP (187) (emerging-rbn.rules)
2406373 - ET RBN Known Russian Business Network IP UDP (187) (emerging-rbn.rules)
2406374 - ET RBN Known Russian Business Network IP TCP (188) (emerging-rbn.rules)
2406375 - ET RBN Known Russian Business Network IP UDP (188) (emerging-rbn.rules)
2406376 - ET RBN Known Russian Business Network IP TCP (189) (emerging-rbn.rules)
2406377 - ET RBN Known Russian Business Network IP UDP (189) (emerging-rbn.rules)
2406378 - ET RBN Known Russian Business Network IP TCP (190) (emerging-rbn.rules)
2406379 - ET RBN Known Russian Business Network IP UDP (190) (emerging-rbn.rules)
2406380 - ET RBN Known Russian Business Network IP TCP (191) (emerging-rbn.rules)
2406381 - ET RBN Known Russian Business Network IP UDP (191) (emerging-rbn.rules)
2406382 - ET RBN Known Russian Business Network IP TCP (192) (emerging-rbn.rules)
2406383 - ET RBN Known Russian Business Network IP UDP (192) (emerging-rbn.rules)
2406384 - ET RBN Known Russian Business Network IP TCP (193) (emerging-rbn.rules)
2406385 - ET RBN Known Russian Business Network IP UDP (193) (emerging-rbn.rules)
2406386 - ET RBN Known Russian Business Network IP TCP (194) (emerging-rbn.rules)
2406387 - ET RBN Known Russian Business Network IP UDP (194) (emerging-rbn.rules)
2406388 - ET RBN Known Russian Business Network IP TCP (195) (emerging-rbn.rules)
2406389 - ET RBN Known Russian Business Network IP UDP (195) (emerging-rbn.rules)
2406390 - ET RBN Known Russian Business Network IP TCP (196) (emerging-rbn.rules)
2406391 - ET RBN Known Russian Business Network IP UDP (196) (emerging-rbn.rules)
2406392 - ET RBN Known Russian Business Network IP TCP (197) (emerging-rbn.rules)
2406393 - ET RBN Known Russian Business Network IP UDP (197) (emerging-rbn.rules)
2406394 - ET RBN Known Russian Business Network IP TCP (198) (emerging-rbn.rules)
2406395 - ET RBN Known Russian Business Network IP UDP (198) (emerging-rbn.rules)
2406396 - ET RBN Known Russian Business Network IP TCP (199) (emerging-rbn.rules)
2406397 - ET RBN Known Russian Business Network IP UDP (199) (emerging-rbn.rules)
2406398 - ET RBN Known Russian Business Network IP TCP (200) (emerging-rbn.rules)
2406399 - ET RBN Known Russian Business Network IP UDP (200) (emerging-rbn.rules)
2406400 - ET RBN Known Russian Business Network IP TCP (201) (emerging-rbn.rules)
2406401 - ET RBN Known Russian Business Network IP UDP (201) (emerging-rbn.rules)
2406402 - ET RBN Known Russian Business Network IP TCP (202) (emerging-rbn.rules)
2406403 - ET RBN Known Russian Business Network IP UDP (202) (emerging-rbn.rules)
2406404 - ET RBN Known Russian Business Network IP TCP (203) (emerging-rbn.rules)
2406405 - ET RBN Known Russian Business Network IP UDP (203) (emerging-rbn.rules)
2406406 - ET RBN Known Russian Business Network IP TCP (204) (emerging-rbn.rules)
2406407 - ET RBN Known Russian Business Network IP UDP (204) (emerging-rbn.rules)
2406408 - ET RBN Known Russian Business Network IP TCP (205) (emerging-rbn.rules)
2406409 - ET RBN Known Russian Business Network IP UDP (205) (emerging-rbn.rules)
2406410 - ET RBN Known Russian Business Network IP TCP (206) (emerging-rbn.rules)
2406411 - ET RBN Known Russian Business Network IP UDP (206) (emerging-rbn.rules)
2406412 - ET RBN Known Russian Business Network IP TCP (207) (emerging-rbn.rules)
2406413 - ET RBN Known Russian Business Network IP UDP (207) (emerging-rbn.rules)
2406414 - ET RBN Known Russian Business Network IP TCP (208) (emerging-rbn.rules)
2406415 - ET RBN Known Russian Business Network IP UDP (208) (emerging-rbn.rules)
2406416 - ET RBN Known Russian Business Network IP TCP (209) (emerging-rbn.rules)
2406417 - ET RBN Known Russian Business Network IP UDP (209) (emerging-rbn.rules)
2406418 - ET RBN Known Russian Business Network IP TCP (210) (emerging-rbn.rules)
2406419 - ET RBN Known Russian Business Network IP UDP (210) (emerging-rbn.rules)
2406420 - ET RBN Known Russian Business Network IP TCP (211) (emerging-rbn.rules)
2406421 - ET RBN Known Russian Business Network IP UDP (211) (emerging-rbn.rules)
2406422 - ET RBN Known Russian Business Network IP TCP (212) (emerging-rbn.rules)
2406423 - ET RBN Known Russian Business Network IP UDP (212) (emerging-rbn.rules)
2406424 - ET RBN Known Russian Business Network IP TCP (213) (emerging-rbn.rules)
2406425 - ET RBN Known Russian Business Network IP UDP (213) (emerging-rbn.rules)
2406426 - ET RBN Known Russian Business Network IP TCP (214) (emerging-rbn.rules)
2406427 - ET RBN Known Russian Business Network IP UDP (214) (emerging-rbn.rules)
2406428 - ET RBN Known Russian Business Network IP TCP (215) (emerging-rbn.rules)
2406429 - ET RBN Known Russian Business Network IP UDP (215) (emerging-rbn.rules)
2406430 - ET RBN Known Russian Business Network IP TCP (216) (emerging-rbn.rules)
2406431 - ET RBN Known Russian Business Network IP UDP (216) (emerging-rbn.rules)
2406432 - ET RBN Known Russian Business Network IP TCP (217) (emerging-rbn.rules)
2406433 - ET RBN Known Russian Business Network IP UDP (217) (emerging-rbn.rules)
2406434 - ET RBN Known Russian Business Network IP TCP (218) (emerging-rbn.rules)
2406435 - ET RBN Known Russian Business Network IP UDP (218) (emerging-rbn.rules)
2406436 - ET RBN Known Russian Business Network IP TCP (219) (emerging-rbn.rules)
2406437 - ET RBN Known Russian Business Network IP UDP (219) (emerging-rbn.rules)
2406438 - ET RBN Known Russian Business Network IP TCP (220) (emerging-rbn.rules)
2406439 - ET RBN Known Russian Business Network IP UDP (220) (emerging-rbn.rules)
2406440 - ET RBN Known Russian Business Network IP TCP (221) (emerging-rbn.rules)
2406441 - ET RBN Known Russian Business Network IP UDP (221) (emerging-rbn.rules)
2406442 - ET RBN Known Russian Business Network IP TCP (222) (emerging-rbn.rules)
2406443 - ET RBN Known Russian Business Network IP UDP (222) (emerging-rbn.rules)
2406444 - ET RBN Known Russian Business Network IP TCP (223) (emerging-rbn.rules)
2406445 - ET RBN Known Russian Business Network IP UDP (223) (emerging-rbn.rules)
2406446 - ET RBN Known Russian Business Network IP TCP (224) (emerging-rbn.rules)
2406447 - ET RBN Known Russian Business Network IP UDP (224) (emerging-rbn.rules)
2406448 - ET RBN Known Russian Business Network IP TCP (225) (emerging-rbn.rules)
2406449 - ET RBN Known Russian Business Network IP UDP (225) (emerging-rbn.rules)
2406450 - ET RBN Known Russian Business Network IP TCP (226) (emerging-rbn.rules)
2406451 - ET RBN Known Russian Business Network IP UDP (226) (emerging-rbn.rules)
2406452 - ET RBN Known Russian Business Network IP TCP (227) (emerging-rbn.rules)
2406453 - ET RBN Known Russian Business Network IP UDP (227) (emerging-rbn.rules)
2406454 - ET RBN Known Russian Business Network IP TCP (228) (emerging-rbn.rules)
2406455 - ET RBN Known Russian Business Network IP UDP (228) (emerging-rbn.rules)
2406456 - ET RBN Known Russian Business Network IP TCP (229) (emerging-rbn.rules)
2406457 - ET RBN Known Russian Business Network IP UDP (229) (emerging-rbn.rules)
2406458 - ET RBN Known Russian Business Network IP TCP (230) (emerging-rbn.rules)
2406459 - ET RBN Known Russian Business Network IP UDP (230) (emerging-rbn.rules)
2406460 - ET RBN Known Russian Business Network IP TCP (231) (emerging-rbn.rules)
2406461 - ET RBN Known Russian Business Network IP UDP (231) (emerging-rbn.rules)
2406462 - ET RBN Known Russian Business Network IP TCP (232) (emerging-rbn.rules)
2406463 - ET RBN Known Russian Business Network IP UDP (232) (emerging-rbn.rules)
2406464 - ET RBN Known Russian Business Network IP TCP (233) (emerging-rbn.rules)
2406465 - ET RBN Known Russian Business Network IP UDP (233) (emerging-rbn.rules)
2406466 - ET RBN Known Russian Business Network IP TCP (234) (emerging-rbn.rules)
2406467 - ET RBN Known Russian Business Network IP UDP (234) (emerging-rbn.rules)
2406468 - ET RBN Known Russian Business Network IP TCP (235) (emerging-rbn.rules)
2406469 - ET RBN Known Russian Business Network IP UDP (235) (emerging-rbn.rules)
2406470 - ET RBN Known Russian Business Network IP TCP (236) (emerging-rbn.rules)
2406471 - ET RBN Known Russian Business Network IP UDP (236) (emerging-rbn.rules)
2406472 - ET RBN Known Russian Business Network IP TCP (237) (emerging-rbn.rules)
2406473 - ET RBN Known Russian Business Network IP UDP (237) (emerging-rbn.rules)
2406474 - ET RBN Known Russian Business Network IP TCP (238) (emerging-rbn.rules)
2406475 - ET RBN Known Russian Business Network IP UDP (238) (emerging-rbn.rules)
2406476 - ET RBN Known Russian Business Network IP TCP (239) (emerging-rbn.rules)
2406477 - ET RBN Known Russian Business Network IP UDP (239) (emerging-rbn.rules)
2406478 - ET RBN Known Russian Business Network IP TCP (240) (emerging-rbn.rules)
2406479 - ET RBN Known Russian Business Network IP UDP (240) (emerging-rbn.rules)
2406480 - ET RBN Known Russian Business Network IP TCP (241) (emerging-rbn.rules)
2406481 - ET RBN Known Russian Business Network IP UDP (241) (emerging-rbn.rules)
2406482 - ET RBN Known Russian Business Network IP TCP (242) (emerging-rbn.rules)
2406483 - ET RBN Known Russian Business Network IP UDP (242) (emerging-rbn.rules)
2406484 - ET RBN Known Russian Business Network IP TCP (243) (emerging-rbn.rules)
2406485 - ET RBN Known Russian Business Network IP UDP (243) (emerging-rbn.rules)
2406486 - ET RBN Known Russian Business Network IP TCP (244) (emerging-rbn.rules)
2406487 - ET RBN Known Russian Business Network IP UDP (244) (emerging-rbn.rules)
2406488 - ET RBN Known Russian Business Network IP TCP (245) (emerging-rbn.rules)
2406489 - ET RBN Known Russian Business Network IP UDP (245) (emerging-rbn.rules)
2406490 - ET RBN Known Russian Business Network IP TCP (246) (emerging-rbn.rules)
2406491 - ET RBN Known Russian Business Network IP UDP (246) (emerging-rbn.rules)
2406492 - ET RBN Known Russian Business Network IP TCP (247) (emerging-rbn.rules)
2406493 - ET RBN Known Russian Business Network IP UDP (247) (emerging-rbn.rules)
2406494 - ET RBN Known Russian Business Network IP TCP (248) (emerging-rbn.rules)
2406495 - ET RBN Known Russian Business Network IP UDP (248) (emerging-rbn.rules)
2406496 - ET RBN Known Russian Business Network IP TCP (249) (emerging-rbn.rules)
2406497 - ET RBN Known Russian Business Network IP UDP (249) (emerging-rbn.rules)
2406498 - ET RBN Known Russian Business Network IP TCP (250) (emerging-rbn.rules)
2406499 - ET RBN Known Russian Business Network IP UDP (250) (emerging-rbn.rules)
2406500 - ET RBN Known Russian Business Network IP TCP (251) (emerging-rbn.rules)
2406501 - ET RBN Known Russian Business Network IP UDP (251) (emerging-rbn.rules)
2406502 - ET RBN Known Russian Business Network IP TCP (252) (emerging-rbn.rules)
2406503 - ET RBN Known Russian Business Network IP UDP (252) (emerging-rbn.rules)
2406504 - ET RBN Known Russian Business Network IP TCP (253) (emerging-rbn.rules)
2406505 - ET RBN Known Russian Business Network IP UDP (253) (emerging-rbn.rules)
2406506 - ET RBN Known Russian Business Network IP TCP (254) (emerging-rbn.rules)
2406507 - ET RBN Known Russian Business Network IP UDP (254) (emerging-rbn.rules)
2406508 - ET RBN Known Russian Business Network IP TCP (255) (emerging-rbn.rules)
2406509 - ET RBN Known Russian Business Network IP UDP (255) (emerging-rbn.rules)
2406510 - ET RBN Known Russian Business Network IP TCP (256) (emerging-rbn.rules)
2406511 - ET RBN Known Russian Business Network IP UDP (256) (emerging-rbn.rules)
2406512 - ET RBN Known Russian Business Network IP TCP (257) (emerging-rbn.rules)
2406513 - ET RBN Known Russian Business Network IP UDP (257) (emerging-rbn.rules)
2406514 - ET RBN Known Russian Business Network IP TCP (258) (emerging-rbn.rules)
2406515 - ET RBN Known Russian Business Network IP UDP (258) (emerging-rbn.rules)
2406516 - ET RBN Known Russian Business Network IP TCP (259) (emerging-rbn.rules)
2406517 - ET RBN Known Russian Business Network IP UDP (259) (emerging-rbn.rules)
2406518 - ET RBN Known Russian Business Network IP TCP (260) (emerging-rbn.rules)
2406519 - ET RBN Known Russian Business Network IP UDP (260) (emerging-rbn.rules)
2406520 - ET RBN Known Russian Business Network IP TCP (261) (emerging-rbn.rules)
2406521 - ET RBN Known Russian Business Network IP UDP (261) (emerging-rbn.rules)
2406522 - ET RBN Known Russian Business Network IP TCP (262) (emerging-rbn.rules)
2406523 - ET RBN Known Russian Business Network IP UDP (262) (emerging-rbn.rules)
2406524 - ET RBN Known Russian Business Network IP TCP (263) (emerging-rbn.rules)
2406525 - ET RBN Known Russian Business Network IP UDP (263) (emerging-rbn.rules)
2406526 - ET RBN Known Russian Business Network IP TCP (264) (emerging-rbn.rules)
2406527 - ET RBN Known Russian Business Network IP UDP (264) (emerging-rbn.rules)
2406528 - ET RBN Known Russian Business Network IP TCP (265) (emerging-rbn.rules)
2406529 - ET RBN Known Russian Business Network IP UDP (265) (emerging-rbn.rules)
2406530 - ET RBN Known Russian Business Network IP TCP (266) (emerging-rbn.rules)
2406531 - ET RBN Known Russian Business Network IP UDP (266) (emerging-rbn.rules)
2406532 - ET RBN Known Russian Business Network IP TCP (267) (emerging-rbn.rules)
2406533 - ET RBN Known Russian Business Network IP UDP (267) (emerging-rbn.rules)
2406534 - ET RBN Known Russian Business Network IP TCP (268) (emerging-rbn.rules)
2406535 - ET RBN Known Russian Business Network IP UDP (268) (emerging-rbn.rules)
2406536 - ET RBN Known Russian Business Network IP TCP (269) (emerging-rbn.rules)
2406537 - ET RBN Known Russian Business Network IP UDP (269) (emerging-rbn.rules)
2406538 - ET RBN Known Russian Business Network IP TCP (270) (emerging-rbn.rules)
2406539 - ET RBN Known Russian Business Network IP UDP (270) (emerging-rbn.rules)
2406540 - ET RBN Known Russian Business Network IP TCP (271) (emerging-rbn.rules)
2406541 - ET RBN Known Russian Business Network IP UDP (271) (emerging-rbn.rules)
2406542 - ET RBN Known Russian Business Network IP TCP (272) (emerging-rbn.rules)
2406543 - ET RBN Known Russian Business Network IP UDP (272) (emerging-rbn.rules)
2406544 - ET RBN Known Russian Business Network IP TCP (273) (emerging-rbn.rules)
2406545 - ET RBN Known Russian Business Network IP UDP (273) (emerging-rbn.rules)
2406546 - ET RBN Known Russian Business Network IP TCP (274) (emerging-rbn.rules)
2406547 - ET RBN Known Russian Business Network IP UDP (274) (emerging-rbn.rules)
2406548 - ET RBN Known Russian Business Network IP TCP (275) (emerging-rbn.rules)
2406549 - ET RBN Known Russian Business Network IP UDP (275) (emerging-rbn.rules)
2406550 - ET RBN Known Russian Business Network IP TCP (276) (emerging-rbn.rules)
2406551 - ET RBN Known Russian Business Network IP UDP (276) (emerging-rbn.rules)
2406552 - ET RBN Known Russian Business Network IP TCP (277) (emerging-rbn.rules)
2406553 - ET RBN Known Russian Business Network IP UDP (277) (emerging-rbn.rules)
2406554 - ET RBN Known Russian Business Network IP TCP (278) (emerging-rbn.rules)
2406555 - ET RBN Known Russian Business Network IP UDP (278) (emerging-rbn.rules)
2406556 - ET RBN Known Russian Business Network IP TCP (279) (emerging-rbn.rules)
2406557 - ET RBN Known Russian Business Network IP UDP (279) (emerging-rbn.rules)
2406558 - ET RBN Known Russian Business Network IP TCP (280) (emerging-rbn.rules)
2406559 - ET RBN Known Russian Business Network IP UDP (280) (emerging-rbn.rules)
2406560 - ET RBN Known Russian Business Network IP TCP (281) (emerging-rbn.rules)
2406561 - ET RBN Known Russian Business Network IP UDP (281) (emerging-rbn.rules)
2406562 - ET RBN Known Russian Business Network IP TCP (282) (emerging-rbn.rules)
2406563 - ET RBN Known Russian Business Network IP UDP (282) (emerging-rbn.rules)
2406564 - ET RBN Known Russian Business Network IP TCP (283) (emerging-rbn.rules)
2406565 - ET RBN Known Russian Business Network IP UDP (283) (emerging-rbn.rules)
2406566 - ET RBN Known Russian Business Network IP TCP (284) (emerging-rbn.rules)
2406567 - ET RBN Known Russian Business Network IP UDP (284) (emerging-rbn.rules)
2406568 - ET RBN Known Russian Business Network IP TCP (285) (emerging-rbn.rules)
2406569 - ET RBN Known Russian Business Network IP UDP (285) (emerging-rbn.rules)
2406570 - ET RBN Known Russian Business Network IP TCP (286) (emerging-rbn.rules)
2406571 - ET RBN Known Russian Business Network IP UDP (286) (emerging-rbn.rules)
2406572 - ET RBN Known Russian Business Network IP TCP (287) (emerging-rbn.rules)
2406573 - ET RBN Known Russian Business Network IP UDP (287) (emerging-rbn.rules)
2406574 - ET RBN Known Russian Business Network IP TCP (288) (emerging-rbn.rules)
2406575 - ET RBN Known Russian Business Network IP UDP (288) (emerging-rbn.rules)
2406576 - ET RBN Known Russian Business Network IP TCP (289) (emerging-rbn.rules)
2406577 - ET RBN Known Russian Business Network IP UDP (289) (emerging-rbn.rules)
2406578 - ET RBN Known Russian Business Network IP TCP (290) (emerging-rbn.rules)
2406579 - ET RBN Known Russian Business Network IP UDP (290) (emerging-rbn.rules)
2406580 - ET RBN Known Russian Business Network IP TCP (291) (emerging-rbn.rules)
2406581 - ET RBN Known Russian Business Network IP UDP (291) (emerging-rbn.rules)
2406582 - ET RBN Known Russian Business Network IP TCP (292) (emerging-rbn.rules)
2406583 - ET RBN Known Russian Business Network IP UDP (292) (emerging-rbn.rules)
2406584 - ET RBN Known Russian Business Network IP TCP (293) (emerging-rbn.rules)
2406585 - ET RBN Known Russian Business Network IP UDP (293) (emerging-rbn.rules)
2406586 - ET RBN Known Russian Business Network IP TCP (294) (emerging-rbn.rules)
2406587 - ET RBN Known Russian Business Network IP UDP (294) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network IP TCP - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network IP UDP - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network IP TCP - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network IP UDP - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network IP TCP - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network IP UDP - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network IP TCP - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network IP UDP - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network IP TCP - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network IP UDP - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network IP TCP - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network IP UDP - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network IP TCP - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network IP UDP - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network IP TCP - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network IP UDP - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network IP TCP - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network IP UDP - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network IP TCP - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network IP UDP - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network IP TCP - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network IP UDP - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network IP TCP - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network IP UDP - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network IP TCP - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network IP UDP - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network IP TCP - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known
Russian Business Network IP UDP - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network IP TCP - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network IP UDP - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network IP TCP - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network IP UDP - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network IP TCP - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network IP UDP - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network IP TCP - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network IP UDP - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network IP TCP - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network IP UDP - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network IP TCP - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network IP UDP - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network IP TCP - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network IP UDP - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network IP TCP - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network IP UDP - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network IP TCP - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network IP UDP - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network IP TCP - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network IP UDP - 
BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network IP TCP - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network IP UDP - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network IP TCP - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network IP UDP - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network IP TCP - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network IP UDP - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network IP TCP - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network IP UDP - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network IP TCP - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network IP UDP - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network IP TCP - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network IP UDP - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network IP TCP - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network IP UDP - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network IP TCP - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network IP UDP - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network IP TCP - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network IP UDP - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network IP TCP - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network IP UDP - BLOCKING (34) 
(emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network IP TCP - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network IP UDP - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network IP TCP - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network IP UDP - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network IP TCP - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network IP UDP - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network IP TCP - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network IP UDP - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network IP TCP - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network IP UDP - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network IP TCP - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network IP UDP - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network IP TCP - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network IP UDP - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network IP TCP - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network IP UDP - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network IP TCP - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network IP UDP - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network IP TCP - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network IP UDP - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407088 - ET 
RBN Known Russian Business Network IP TCP - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network IP UDP - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network IP TCP - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network IP UDP - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network IP TCP - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network IP UDP - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network IP TCP - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network IP UDP - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network IP TCP - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network IP UDP - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network IP TCP - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network IP UDP - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network IP TCP - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network IP UDP - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network IP TCP - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network IP UDP - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network IP TCP - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network IP UDP - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network IP TCP - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network IP UDP - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network IP 
TCP - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network IP UDP - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network IP TCP - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network IP UDP - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network IP TCP - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network IP UDP - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network IP TCP - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network IP UDP - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network IP TCP - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network IP UDP - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network IP TCP - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network IP UDP - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network IP TCP - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network IP UDP - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network IP TCP - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network IP UDP - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network IP TCP - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network IP UDP - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network IP TCP - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network IP UDP - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network IP TCP - BLOCKING (65) 
(emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network IP UDP - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network IP TCP - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network IP UDP - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network IP TCP - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network IP UDP - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network IP TCP - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network IP UDP - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network IP TCP - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network IP UDP - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network IP TCP - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network IP UDP - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network IP TCP - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network IP UDP - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network IP TCP - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network IP UDP - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network IP TCP - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network IP UDP - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network IP TCP - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network IP UDP - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network IP TCP - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407149 - ET 
RBN Known Russian Business Network IP UDP - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network IP TCP - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network IP UDP - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network IP TCP - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network IP UDP - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network IP TCP - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network IP UDP - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network IP TCP - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network IP UDP - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network IP TCP - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network IP UDP - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network IP TCP - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network IP UDP - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network IP TCP - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network IP UDP - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network IP TCP - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network IP UDP - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network IP TCP - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network IP UDP - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network IP TCP - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network IP 
UDP - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network IP TCP - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network IP UDP - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network IP TCP - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network IP UDP - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network IP TCP - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network IP UDP - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network IP TCP - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network IP UDP - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network IP TCP - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network IP UDP - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network IP TCP - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network IP UDP - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network IP TCP - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network IP UDP - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network IP TCP - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network IP UDP - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network IP TCP - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network IP UDP - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network IP TCP - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network IP UDP - BLOCKING (95) 
(emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network IP TCP - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network IP UDP - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network IP TCP - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network IP UDP - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network IP TCP - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network IP UDP - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network IP TCP - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network IP UDP - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network IP TCP - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407199 - ET RBN Known Russian Business Network IP UDP - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407200 - ET RBN Known Russian Business Network IP TCP - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407201 - ET RBN Known Russian Business Network IP UDP - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407202 - ET RBN Known Russian Business Network IP TCP - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407203 - ET RBN Known Russian Business Network IP UDP - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407204 - ET RBN Known Russian Business Network IP TCP - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407205 - ET RBN Known Russian Business Network IP UDP - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407206 - ET RBN Known Russian Business Network IP TCP - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407207 - ET RBN Known Russian Business Network IP UDP - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407208 - ET RBN Known Russian Business Network IP TCP - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407209 - ET RBN Known Russian Business Network IP UDP - BLOCKING (105) (emerging-rbn-BLOCK.rules) 
2407210 - ET RBN Known Russian Business Network IP TCP - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407211 - ET RBN Known Russian Business Network IP UDP - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407212 - ET RBN Known Russian Business Network IP TCP - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407213 - ET RBN Known Russian Business Network IP UDP - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407214 - ET RBN Known Russian Business Network IP TCP - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407215 - ET RBN Known Russian Business Network IP UDP - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407216 - ET RBN Known Russian Business Network IP TCP - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407217 - ET RBN Known Russian Business Network IP UDP - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407218 - ET RBN Known Russian Business Network IP TCP - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407219 - ET RBN Known Russian Business Network IP UDP - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407220 - ET RBN Known Russian Business Network IP TCP - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407221 - ET RBN Known Russian Business Network IP UDP - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407222 - ET RBN Known Russian Business Network IP TCP - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407223 - ET RBN Known Russian Business Network IP UDP - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407224 - ET RBN Known Russian Business Network IP TCP - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407225 - ET RBN Known Russian Business Network IP UDP - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407226 - ET RBN Known Russian Business Network IP TCP - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407227 - ET RBN Known Russian Business Network IP UDP - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407228 - ET RBN Known Russian Business Network IP TCP - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407229 - ET RBN Known Russian Business Network IP UDP - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407230 - ET RBN 
Known Russian Business Network IP TCP - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407231 - ET RBN Known Russian Business Network IP UDP - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407232 - ET RBN Known Russian Business Network IP TCP - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407233 - ET RBN Known Russian Business Network IP UDP - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407234 - ET RBN Known Russian Business Network IP TCP - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407235 - ET RBN Known Russian Business Network IP UDP - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407236 - ET RBN Known Russian Business Network IP TCP - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407237 - ET RBN Known Russian Business Network IP UDP - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407238 - ET RBN Known Russian Business Network IP TCP - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407239 - ET RBN Known Russian Business Network IP UDP - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407240 - ET RBN Known Russian Business Network IP TCP - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407241 - ET RBN Known Russian Business Network IP UDP - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407242 - ET RBN Known Russian Business Network IP TCP - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407243 - ET RBN Known Russian Business Network IP UDP - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407244 - ET RBN Known Russian Business Network IP TCP - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407245 - ET RBN Known Russian Business Network IP UDP - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407246 - ET RBN Known Russian Business Network IP TCP - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407247 - ET RBN Known Russian Business Network IP UDP - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407248 - ET RBN Known Russian Business Network IP TCP - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407249 - ET RBN Known Russian Business Network IP UDP - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407250 - ET RBN Known Russian 
Business Network IP TCP - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407251 - ET RBN Known Russian Business Network IP UDP - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407252 - ET RBN Known Russian Business Network IP TCP - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407253 - ET RBN Known Russian Business Network IP UDP - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407254 - ET RBN Known Russian Business Network IP TCP - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407255 - ET RBN Known Russian Business Network IP UDP - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407256 - ET RBN Known Russian Business Network IP TCP - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407257 - ET RBN Known Russian Business Network IP UDP - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407258 - ET RBN Known Russian Business Network IP TCP - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407259 - ET RBN Known Russian Business Network IP UDP - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407260 - ET RBN Known Russian Business Network IP TCP - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407261 - ET RBN Known Russian Business Network IP UDP - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407262 - ET RBN Known Russian Business Network IP TCP - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407263 - ET RBN Known Russian Business Network IP UDP - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407264 - ET RBN Known Russian Business Network IP TCP - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407265 - ET RBN Known Russian Business Network IP UDP - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407266 - ET RBN Known Russian Business Network IP TCP - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407267 - ET RBN Known Russian Business Network IP UDP - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407268 - ET RBN Known Russian Business Network IP TCP - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407269 - ET RBN Known Russian Business Network IP UDP - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407270 - ET RBN Known Russian Business Network IP 
TCP - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407271 - ET RBN Known Russian Business Network IP UDP - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407272 - ET RBN Known Russian Business Network IP TCP - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407273 - ET RBN Known Russian Business Network IP UDP - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407274 - ET RBN Known Russian Business Network IP TCP - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407275 - ET RBN Known Russian Business Network IP UDP - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407276 - ET RBN Known Russian Business Network IP TCP - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407277 - ET RBN Known Russian Business Network IP UDP - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407278 - ET RBN Known Russian Business Network IP TCP - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407279 - ET RBN Known Russian Business Network IP UDP - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407280 - ET RBN Known Russian Business Network IP TCP - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407281 - ET RBN Known Russian Business Network IP UDP - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407282 - ET RBN Known Russian Business Network IP TCP - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407283 - ET RBN Known Russian Business Network IP UDP - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407284 - ET RBN Known Russian Business Network IP TCP - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407285 - ET RBN Known Russian Business Network IP UDP - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407286 - ET RBN Known Russian Business Network IP TCP - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407287 - ET RBN Known Russian Business Network IP UDP - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407288 - ET RBN Known Russian Business Network IP TCP - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407289 - ET RBN Known Russian Business Network IP UDP - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407290 - ET RBN Known Russian Business Network IP TCP - BLOCKING 
[+++] Added non-rule lines: [+++]

-> Added to emerging-current_events.rules (1):
#by Kevin Ross, temporary, based on a specific exploit if generated in hping

-> Added to emerging-rbn-BLOCK.rules (3):
# Copyright (c) 2003-2010, Emerging Threats
# VERSION 163
# Updated 2010-01-05 07:48:26
-> Added to emerging-rbn.rules (3):
# Copyright (c) 2003-2010, Emerging Threats
# VERSION 163
# Updated 2010-01-05 07:48:26

-> Added to emerging-sid-msg.map (39):
2008417 || ET SCAN Wapiti Web Server Vulnerability Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Wapiti || url,doc.emergingthreats.net/2008417 || url,wapiti.sourceforge.net/
2010622 || ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco || url,doc.emergingthreats.net/2010622 || url,www.securityfocus.com/bid/34454/info
2010623 || ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco || url,doc.emergingthreats.net/2010623 || url,articles.techrepublic.com.com/5100-10878_11-6039967.html
2010624 || ET CURRENT_EVENTS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Cisco || url,doc.emergingthreats.net/2010624 || cve,2009-1157 || url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html || url,www.securityfocus.com/bid/34429/exploit || url,www.securityfocus.com/bid/34429/info
2010625 || ET TROJAN FakeAV Landing Page (aid,sid) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010625 || url,www.bleepingcomputer.com/forums/lofiversion/index.php/t247125.html
2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org
2405027 || ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE || url,www.shadowserver.org
2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (39):
(the same 39 entries as listed for emerging-sid-msg.map above)
From jonkman at jonkmans.com Tue Jan 5 16:14:24 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Jan 2010 16:14:24 -0500
Subject: [Emerging-Sigs] ET EXPLOIT IE IFRAME Exploit -- SID 2001401
In-Reply-To: <6116b9e21001051143u223d20a7id3798b2373bba100@mail.gmail.com>
References: <6116b9e21001051143u223d20a7id3798b2373bba100@mail.gmail.com>
Message-ID: <4B43ABB0.7040003@jonkmans.com>

Ohhh, that's embarrassing.
I wrote that sig. :) It is ancient. We could split it up into better rules, but I think the threat has really passed or is better handled by others.

If no objection I'll drop it.

Matt

On 1/5/10 2:43 PM, Mike Cox wrote:
> Concerning "ET EXPLOIT IE IFRAME Exploit" -- SID 2001401 rule in
> emerging-exploit.rules -- I'm seeing this rule eat a lot of CPU cycles and
> thought maybe we could improve it or retire it (it is from 2004). Here
> it is currently:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT IE IFRAME Exploit"; flow: from_server,established; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001401; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities; sid: 2001401; rev:16;)
>
> Since it is just PCRE matches, it is obvious why it performs poorly.
> Would it be worthwhile to split it up (EMBED, FRAME, SRC) and use
> modifiers like 'isdataat'?
>
> -Mike Cox
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From mike.cox52 at gmail.com Tue Jan 5 16:20:01 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Tue, 5 Jan 2010 15:20:01 -0600
Subject: [Emerging-Sigs] ET EXPLOIT Stealth attempt to execute VBScript/Javascript code - SIDs 2001102 2001101
Message-ID: <6116b9e21001051320o58ecef2eld6c0951ca3ee833a@mail.gmail.com>

SIDs 2001102 and 2001101 in emerging-exploit.rules are also eating clock cycles. Here is 2001102 currently:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001102; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities; sid: 2001102; rev:9;)

Would putting the content matches before the PCRE help or is snort smart enough to match/not match them first?

Since this just looks for an obfuscated "vbscript" or "javascript" call, are they worth keeping? This afternoon I've seen a few hundred thousand checks against this rule on one sensor but no matches.
A search of the last few weeks shows that these rules have not tripped.

-Mike Cox

From wkitty42 at windstream.net Tue Jan 5 16:27:54 2010
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 05 Jan 2010 16:27:54 -0500
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <1262700894.26549.6.camel@localhost>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost>
Message-ID: <4B43AEDA.7090105@windstream.net>

Frank Knobbe wrote:
> On Tue, 2010-01-05 at 10:20 +0100, mex wrote:
>> the parser takes the latest 300 IPs (that **SHALL* contain
>> roughly the blocked IPs from that last 30 days, as recommended
>> on the website)
>
> Why would you want to "detect" something that is already known?

to keep your firewall's iptables as lean, mean and fast as it can be? ;)

> (Likewise, I don't like the other IP-based EmergingThreats sigs, it's
> not just your idea I have a problem with)
>
>> next step is to integrate fwsam (not yet tested) to build a DROP-ruleset.
>
> There is no need to involve Snort. If you have a list of hostile IP
> addresses, block them on your firewall. No sense in also involving
> Snort, or getting alerts on IP's you expect to get alerts from.

i used to work with the lists to block huge Chinese, Korean and Taiwanese IP blocks but my firewalls were overburdened with all the iptables rules... yes, these were CIDR blocks and not individual addresses... at some point, i realized that not all of those addresses would be hitting my networks... *possibly* only some of them might... with fwsam and other tools that monitor the snort alert logs, it was quite easy to block those unwanted IPs when and if they hit... i believe i currently maintain a block of 7 days for these but would have to check...
if they don't hit subsequent times within 7 days, the block is removed and my iptables rules are slimmer and faster... if they do keep on hitting, they'll stay blocked until they stop for 7 days...

it is all about working with the resources at hand and when one has an IP list of some 80000+ rules to feed into iptables, that's a huge list for iptables to wade thru for each and every inbound access... needless to say, i don't worry about digging out the Chinese, Korean, and Taiwanese IP blocks any more... nor do i worry about RBN address blocks since you guys build those lists... snort sounds an alert and my tool immediately reacts and issues the block... done deal :P

> We got tons more SSH scanning IP's in our database. Would you like these
> too? You can create a couple thousand SSH rules if you like. Maybe then
> it will become apparent that it is useless of alerting on IP's you know
> will likely attack you. Just block'em and be done with it :)

i've been wanting to dig out the necessary information to build a "brute force ssh logon" rule much like the existing ones for ftp... i've been watching the progress being made on this and have been hoping that someone can do this... my current method looks to the server response telling the client it failed and tracks it with a threshold over time... my tool, when it sees this particular alert, then flips the source and destination IPs so as to block the perpetrator since the source is the server making the response...
this has been quite effective for the brute force ftp attempts and they have basically just stopped as far as my ftp logs show ;)

From mail at mare-system.de Tue Jan 5 17:20:42 2010
From: mail at mare-system.de (mex)
Date: Tue, 05 Jan 2010 23:20:42 +0100
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B43AEDA.7090105@windstream.net>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net>
Message-ID: <4B43BB3A.7050203@mare-system.de>

how do you do it / what's the sig for it?

mex

> i've been wanting to dig out the necessary information to build a "brute force
> ssh logon" rule much like the existing ones for ftp... i've been watching the
> progress being made on this and have been hoping that someone can do this... my
> current method looks to the server response telling the client it failed and
> tracks it with a threshold over time... my tool, when it sees this particular
> alert, then flips the source and destination IPs so as to block the perpetrator
> since the source is the server making the response... this has been quite
> effective for the brute force ftp attempts and they have basically just stopped
> as far as my ftp logs show ;)

From inurbitz at yahoo.com Tue Jan 5 17:40:38 2010
From: inurbitz at yahoo.com (Packet Hack)
Date: Tue, 5 Jan 2010 14:40:38 -0800 (PST)
Subject: [Emerging-Sigs] More FakeAV sigs
In-Reply-To: <4B42572E.8070700@packetmail.net>
References: <256986.67758.qm@web113718.mail.gq1.yahoo.com> <4B421C55.6040400@packetmail.net> <375968.28089.qm@web113703.mail.gq1.yahoo.com> <4B424128.3030902@packetmail.net> <101642.93073.qm@web113704.mail.gq1.yahoo.com> <4B42572E.8070700@packetmail.net>
Message-ID: <155301.94117.qm@web113714.mail.gq1.yahoo.com>

Anyone else have any opinions?
I'm fine with either, and I defer to those with more experience than me :-)

--pkthck

________________________________
From: "evilghost at packetmail.net"
To: Packet Hack ; "emerging-sigs at emergingthreats.net"
Sent: Mon, January 4, 2010 4:01:34 PM
Subject: Re: [Emerging-Sigs] More FakeAV sigs

In my experience, I've seen fair amounts of consistency surrounding cast types and URI structures. With the same token I believe they would just as easily adjust the PHP file names/etc. That's my opinion but I'll defer to the collective wisdom of the list.

I always prefer to be as precise as possible with regard to a variant versus the reduction of usefulness of a signature due to false positive potential. I'm good with whatever is decided upon, what we have here is collectively better than anything I've seen elsewhere including the AV snakeoil.

- evilghost

Packet Hack wrote:
> I guess that's the thing -- there's no guarantee that the data after code= will always be integers,
> and if they decide to change their code types we'd end up with false negatives.
>
> Looks like I forgot to cc: the list on my last reply -- do you mind if I send it to the list?
>
> Jim
>
> ________________________________
> From: "evilghost at packetmail.net"
> To: Packet Hack
> Sent: Mon, January 4, 2010 2:27:36 PM
> Subject: Re: [Emerging-Sigs] More FakeAV sigs
>
> I meant anchoring the integers at the end of the URI. The sigs you
> wrote are very good but I tend to like to anchor cast (ie, all integers)
> to avoid false positives. For example, "loads.php?code=newpage" won't
> match the PCRE but does match the URI content match.
> "loads.php?code=12345" would match the PCRE since the content is of type
> integer. Make sense? The PCRE won't fire unless the uricontent match
> succeeds.
>
> These are good sigs even without the PCRE, I just like to be precise as
> possible and as reasonable to avoid false positives. The list may feel
> differently and not like the PCRE.
>
> -evilghost
>
> Packet Hack wrote:
>
>> Not sure what you mean by match against cast. I'm kinda new to writing sigs,
>> so I'm not sure what the pros are for adding the pcre. I imagine one minus is
>> a performance hit, but there may be others.
>>
>> When I'm thinking about these I try to keep in mind the things that might change
>> over time and leave them out if possible, otherwise I'd also be adding the hostnames
>> for these sigs.
>>
>> What do you think?
>> --pkthck
>>
>> ________________________________
>> From: "evilghost at packetmail.net"
>> Cc: "emerging-sigs at emergingthreats.net"
>> Sent: Mon, January 4, 2010 11:50:29 AM
>> Subject: Re: [Emerging-Sigs] More FakeAV sigs
>>
>> Thanks for these. Thoughts on adding a PCRE to match against cast?
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"loads.php?code="; nocase; pcre:"/loads\.php\?code=\d+$/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/download.pl?code="; nocase; pcre:"/download\.pl\?code=\d+$/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/get.pl?l="; nocase; pcre:"/get\.pl\?l=\d+$/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>
>> -evilghost
>>
>> Packet Hack wrote:
>>
>>> Please double check,
>>> thanks.
>>>
>>> --pkthck
>>>
>>> --------------------------------
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"loads.php?code="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Download"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"dfghfghgfj.dll"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/download.pl?code"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/get.pl?l="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; sid:2010xxx; rev:1;)
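Added example (not code from the list, from Snort or from Emerging Threats): a Python model of content-gated PCRE evaluation that serves both Mike Cox's question about SID 2001102 (whether the content matches save the PCRE any work) and the FakeAV exchange above (the anchored `\d+$` PCRE runs only after the uricontent match and rejects `loads.php?code=newpage`). The evaluation order, the substring model of content options, and all sample responses and URIs are constructed assumptions, not Snort's real matcher.

```python
"""Model of content-prefilter-then-PCRE rule evaluation (added example).

Not Snort's engine and not code from the Emerging Threats list: content
options are modelled as plain substring tests and the PCRE runs only when
they pass. Used here on SID 2001102 (obfuscated "vbscript:") and on the
FakeAV check-in rule with the anchored "\\d+$" PCRE.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Snort's [\x09\x0a\x0b\x0c\x0d]* class from SID 2001102, allowed between letters.
_WS = r"[\x09\x0a\x0b\x0c\x0d]*"

# Transcription of the 2001102 pcre (Snort /i -> re.IGNORECASE).
VBSCRIPT_PCRE = re.compile(
    r"""(((URL|SRC|HREF|LOWSRC)\s*=)|(url\s*\())\s*['"]*"""
    + _WS + _WS.join("vbscript") + _WS + ":",
    re.IGNORECASE,
)

# Transcription of the anchored FakeAV pcre "/loads\.php\?code=\d+$/Ui";
# the U modifier is modelled by evaluating it against the URI string only.
FAKEAV_PCRE = re.compile(r"loads\.php\?code=\d+$", re.IGNORECASE)


@dataclass
class Rule:
    sid: str
    contents: List[Tuple[str, bool]]   # (literal, negated); all treated as nocase
    pcre: re.Pattern
    pcre_evaluations: int = 0          # how many times the regex actually ran

    def contents_pass(self, data: str) -> bool:
        """content:"x" must be present; content:!"x" must be absent."""
        low = data.lower()
        for literal, negated in self.contents:
            if (literal.lower() in low) == negated:
                return False
        return True

    def matches(self, data: str, prefilter: bool) -> bool:
        """prefilter=True: contents gate the PCRE; False: PCRE runs on everything."""
        if prefilter and not self.contents_pass(data):
            return False
        self.pcre_evaluations += 1
        if self.pcre.search(data) is None:
            return False
        return True if prefilter else self.contents_pass(data)


VBSCRIPT_RULE = Rule("2001102", [("=", False), ("vbscript:", True)], VBSCRIPT_PCRE)
FAKEAV_RULE = Rule("2010xxx", [("loads.php?code=", False)], FAKEAV_PCRE)

# Constructed sample HTTP response bodies (not captured traffic).
RESPONSES = [
    '<html><body><a href="http://example.test/index.html">home</a></body></html>',
    '<img src="logo.png" width=100 height=50>',
    '<a href="vbscript:MsgBox(1)">plain</a>',             # literal: excluded by content:!
    '<a href="v\nb\ts\rc\x0br\x0ci\np\tt\r:MsgBox(1)">obfuscated</a>',
    '<p>no attributes at all in here</p>',                # no "=": prefilter rejects it
    "HREF='\nvbscript\n:x'",                              # newline before the colon
]

# Constructed sample request URIs for the FakeAV rule.
URIS = [
    "/loads.php?code=12345",        # integer code: both layers match
    "/loads.php?code=newpage",      # uricontent hit, PCRE rejects (evilghost's case)
    "/loads.php?code=12345&x=1",    # trailing parameter defeats the $ anchor
    "/loads.php?code=abc123",       # non-integer code: Packet Hack's false-negative worry
    "/index.php",
]


def run_rule(rule: Rule, payloads: List[str], prefilter: bool) -> Tuple[List[str], int]:
    """Return (matching payloads, number of PCRE evaluations) for one pass."""
    rule.pcre_evaluations = 0
    hits = [p for p in payloads if rule.matches(p, prefilter)]
    return hits, rule.pcre_evaluations


def compare_fakeav(uris: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """uri -> (uricontent-only verdict, uricontent + anchored PCRE verdict)."""
    return {u: (FAKEAV_RULE.contents_pass(u), FAKEAV_RULE.matches(u, prefilter=True))
            for u in uris}


if __name__ == "__main__":
    for mode in (False, True):
        hits, n = run_rule(VBSCRIPT_RULE, RESPONSES, prefilter=mode)
        print(f"prefilter={mode}: {n} PCRE evaluations, {len(hits)} alert(s)")
    for uri, verdict in compare_fakeav(URIS).items():
        print(f"{uri:30} content-only={verdict[0]!s:5} with-pcre={verdict[1]}")
```

On these samples the `=` gate spares the regex on only two of the six responses (the one without an equals sign and the one with a literal `vbscript:`), which is why such a short content makes a weak prefilter; the URI table also shows that a parameter after the integer defeats the `$` anchor.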
From frank at knobbe.us Tue Jan 5 18:23:43 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 05 Jan 2010 17:23:43 -0600
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B43AEDA.7090105@windstream.net>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net>
Message-ID: <1262733823.26549.83.camel@localhost>

On Tue, 2010-01-05 at 16:27 -0500, waldo kitty wrote:
> i've been wanting to dig out the necessary information to build a "brute force
> ssh logon" rule much like the existing ones for ftp...

We got SSH brute force rules! That was my point. Why not just those and block as they occur? Then you don't need a list!

And if you want the list, then just block it instead of turning it into rules that do the same thing as the SSH brute force rule.

That's why I can't wrap my head about the intention of creating rules from a list here :)

2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
2001219: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
2001219: SCAN Potential SSH Scan

Also got a couple private ones, but the above from ET work nicely on SSH brute forces, especially together with Snortsam. Adjust thresholds as desired.

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
From frank at knobbe.us Tue Jan 5 18:34:09 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 05 Jan 2010 17:34:09 -0600
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <1262733823.26549.83.camel@localhost>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost>
Message-ID: <1262734449.26549.90.camel@localhost>

oops, wrong SID.

2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
2006546: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
2001219: SCAN Potential SSH Scan

From mail at mare-system.de Tue Jan 5 18:59:37 2010
From: mail at mare-system.de (mex)
Date: Wed, 06 Jan 2010 00:59:37 +0100
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B430460.3040302@mare-system.de>
References: <4B430460.3040302@mare-system.de>
Message-ID: <4B43D269.6060300@mare-system.de>

for those who are interested:
http://dogtown.mare-system.de/sshblacklist-signatures

mex wrote:
> i played with the sshbl-list from http://www.sshbl.org
> and wrote a parser that creates snortsigs out of that;
> the result (updated every 12 hours) is available at
> http://dogtown.mare-system.de/download/SSHBlacklist-DROP.rules
>
> the parser takes the latest 300 IPs (that **SHALL* contain
> roughly the blocked IPs from that last 30 days, as recommended
> on the website)
>

From mail at mare-system.de Tue Jan 5 19:05:04 2010
From: mail at mare-system.de (mex)
Date: Wed, 06 Jan 2010 01:05:04 +0100
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <1262713414.26549.44.camel@localhost>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B4378B9.2060808@mare-system.de> <1262713414.26549.44.camel@localhost>
Message-ID: <4B43D3B0.9090306@mare-system.de>

hi frank,

i understand your point; waldo made some good statements i agree with. i'll check the sigs you mentioned against denyhost-logs, maybe it's worth a try.

> You can use samtool to feed a list into your firewall (just like Snort
> would do) and block for a period of time (Snortsam will expire the
> blocks for you, keeping the firewall clean).

i have no experience with samtool right now, but i'll give it a look

> I still don't see the use for having a list of *known hostile IP's* in
> Snort so that you can get alerts on them. If they do something nasty
> (say, SSH scan) you will get alerts regardless of the IP rule!

these IPs are not **known** hostile for me, since i don't know how they took their seat on that sshbl.org-list; maybe a wrongly configured script or tool puts a wrong ip on that list; as long as this ip doesn't start ssh-connections it is not hostile for me in any way.

regards,
mex

From wkitty42 at windstream.net Tue Jan 5 19:27:16 2010
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 05 Jan 2010 19:27:16 -0500
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <1262733823.26549.83.camel@localhost>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost>
Message-ID: <4B43D8E4.9010101@windstream.net>

Frank Knobbe wrote:
> On Tue, 2010-01-05 at 16:27 -0500, waldo kitty wrote:
>> i've been wanting to dig out the necessary information to build a "brute force
>> ssh logon" rule much like the existing ones for ftp...
>
> We got SSH brute force rules! That was my point. Why not just those and
> block as they occur? Then you don't need a list!

i was not aware of the ssh brute force rules... evidently i'm not getting hit by these types of attacks as they are not being tripped on my sensors...

my tool does block as snort detects stuff that causes it to alert so if these happen, my networks should be safe from them...

> And if you want the list, then just block it instead of turning it into
> rules that do the same thing as the SSH brute force rule.

right... and i understand as well... however, the firewalls i work with are mainly older PII/PIII era boxes with 256M/512M RAM... yes, pretty limited but still supported and used all over the place in hundreds of thousands of soho firewall boxes...

like i said in my post, the idea, like with the RBN rules, is to keep iptables as lean and fast as possible... deity knows the problems we saw when using blocking lists of 80000+ rules and how slow iptables got with all of them in place ;)

> That's why I can't wrap my head about the intention of creating rules
> from a list here :)

well, with the ssh brute force rules in place, i don't know that i see a need for these rules, either... but others have their own needs and desires much like many that i/we assist daily who want to block all of china, korea, taiwan, russia, south america and such... the sheer number of rules is one thing... trying to maintain them is another :P

>
> 2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
> 2001219: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
> 2001219: SCAN Potential SSH Scan
>
> Also got a couple private ones, but the above from ET work nicely on SSH
> brute forces, especially together with Snortsam. Adjust thresholds as
> desired.

thanks for listing those... i honestly hadn't gone grepping to see if there were any or not... i'll take a look at my setups and see if they are enabled...
FWIW: the stuff we work with does not have a snortsam mod for it and i don't know that we can create one for the GUI interface we use... i've thought about looking deeper to see if we can use snortsam but time is a commodity that is in very short supply these days ;)

From jesler at sourcefire.com Tue Jan 5 20:05:37 2010
From: jesler at sourcefire.com (Joel Esler)
Date: Tue, 5 Jan 2010 20:05:37 -0500
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B43D8E4.9010101@windstream.net>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <4B43D8E4.9010101@windstream.net>
Message-ID: <314cf0831001051705v53dbcd77k49fadbcc5cd08d12@mail.gmail.com>

What about a tool/service like Threatstop
http://www.threatstop.com/

How it works:
http://www.threatstop.com/component/option,com_easyfaq/task,cat/catid,28/Itemid,35/

J

--
Joel Esler
From evilghost at packetmail.net Tue Jan 5 21:09:48 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 5 Jan 2010 20:09:48 -0600
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <314cf0831001051705v53dbcd77k49fadbcc5cd08d12@mail.gmail.com>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <4B43D8E4.9010101@windstream.net> <314cf0831001051705v53dbcd77k49fadbcc5cd08d12@mail.gmail.com>
Message-ID: <4B43F0EC.1040508@packetmail.net>

eLulz (e == Epic)

http://www.threatstop.com/content/view/31/51/

"We may combine the information you submit under your account with information from other DISS services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information."

"*Affiliated sites* - We offer some of our services in connection with other Internet Security Services. Log information that you provide to DISS may be shared with these sites. We will notify you if such sharing is required. We process such information in accordance with this Policy. The affiliated sites may have different privacy practices and we encourage you to read their privacy policies."

"We may share with third parties certain pieces of aggregated, non-personal information, such as the number of connection attempts from particular IP addresses, for example. Such information does not identify you individually." - Right

Read the privacy policy in its entirety and there are "grey" issues.

- Evil G. Host, IV

PS - The site runs Joomla and EasyFAQ circa 2006 (seriously?)
Joel Esler wrote:
> What about a tool/service like Threatstop
> http://www.threatstop.com/
>
> How it works:
> http://www.threatstop.com/component/option,com_easyfaq/task,cat/catid,28/Itemid,35/
>
> J
>
> On Tue, Jan 5, 2010 at 7:27 PM, waldo kitty wrote:
>
>
>> Frank Knobbe wrote:
>>
>>> On Tue, 2010-01-05 at 16:27 -0500, waldo kitty wrote:
>>>
>>>> i've been wanting to dig out the necessary information to build a "brute
>>>>
>> force
>>
>>>> ssh logon" rule much like the existing ones for ftp...
>>>>
>>> We got SSH brute force rules! That was my point. Why not just those and
>>> block as they occur? Then you don't need a list!
>>>
>> i was not aware of the ssh brute force rules... evidently i'm not getting
>> hit by
>> these types of attacks as they are not being tripped on my sensors...
>>
>> my tool does block as snort detects stuff that causes it to alert so if
>> these
>> happen, my networks should be safe from them...
>>
>>
>>> And if you want the list, then just block it instead of turning it into
>>> rules that do the same thing as the SSH brute force rule.
>>>
>> right... and i understand as well... however, the firewalls i work with are
>> mainly older PII/PIII era boxes with 256M/512M RAM... yes, pretty limited
>> but
>> still supported and used all over the place in hundreds of thousands of
>> soho
>> firewall boxes...
>>
>> like i said in my post, the idea, like with the RBN rules, is to keep
>> iptables
>> as lean and fast as possible... deity knows the problems we saw when using
>> blocking lists of 80000+ rules and how slow iptables got with all of them
>> in
>> place ;)
>>
>>
>>> That's why I can't wrap my head about the intention of creating rules
>>> from a list here :)
>>>
>> well, with the ssh brute force rules in place, i don't know that i see a
>> need
>> for these rules, either... but others have their own needs and desires much
>> like
>> many that i/we assist daily who want to block all of china, korea, taiwan,
>> russia, south america and such... the sheer number of rules is one thing...
>> trying to maintain them is another :P
>>
>>
>>> 2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce
>>> Tool
>>> 2001219: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce
>>> Attack!
>>> 2001219: SCAN Potential SSH Scan
>>>
>>> Also got a couple private ones, but the above from ET work nicely on SSH
>>> brute forces, especially together with Snortsam. Adjust thresholds as
>>> desired.
>>>
>> thanks for listing those... i honestly hadn't gone grepping to see if there
>> were
>> any or not... i'll take a look at my setups and see if they are enabled...
>>
>> FWIW: the stuff we work with does not have a snortsam mod for it and i
>> don't
>> know that we can create one for the GUI interface we use... i've thought
>> about
>> looking deeper to see if we can use snortsam but time is a commodity that
>> is in
>> very short supply these days ;)
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From jesler at sourcefire.com Tue Jan 5 22:59:41 2010
From: jesler at sourcefire.com (Joel Esler)
Date: Tue, 5 Jan 2010 22:59:41 -0500
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B43F0EC.1040508@packetmail.net>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <4B43D8E4.9010101@windstream.net>
 <314cf0831001051705v53dbcd77k49fadbcc5cd08d12@mail.gmail.com> <4B43F0EC.1040508@packetmail.net>
Message-ID: <314cf0831001051959q4054a490x7bca2ffea2ee1731@mail.gmail.com>

I think that's opt in. (sending your information out) Or at least it used to be.

J

On Tue, Jan 5, 2010 at 9:09 PM, evilghost at packetmail.net < evilghost at packetmail.net> wrote:

> eLulz (e == Epic)
>
> http://www.threatstop.com/content/view/31/51/
>
> "We may combine the information you submit under your account with
> information from other DISS services or third parties in order to
> provide you with a better experience and to improve the quality of our
> services. For certain services, we may give you the opportunity to opt
> out of combining such information."
>
> "*Affiliated sites* - We offer some of our services in connection with
> other Internet Security Services. Log information that you provide to
> DISS may be shared with these sites. We will notify you if such sharing
> is required. We process such information in accordance with this Policy.
> The affiliated sites may have different privacy practices and we
> encourage you to read their privacy policies."
>
> "We may share with third parties certain pieces of aggregated,
> non-personal information, such as the number of connection attempts from
> particular IP addresses, for example. Such information does not identify
> you individually." - Right
>
> Read the privacy policy in its entirety and there are "grey" issues.
>
> - Evil G. Host, IV
>
> PS - The site runs Joomla and EasyFAQ circa 2006 (seriously?)
>
>
> Joel Esler wrote:
> > What about a tool/service like Threatstop
> > http://www.threatstop.com/
> >
> > How it works:
> >
> http://www.threatstop.com/component/option,com_easyfaq/task,cat/catid,28/Itemid,35/
> >
> > J
> >
> > On Tue, Jan 5, 2010 at 7:27 PM, waldo kitty
> wrote:
> >
> >
> >> Frank Knobbe wrote:
> >>
> >>> On Tue, 2010-01-05 at 16:27 -0500, waldo kitty wrote:
> >>>
> >>>> i've been wanting to dig out the necessary information to build a
> "brute
> >>>>
> >> force
> >>
> >>>> ssh logon" rule much like the existing ones for ftp...
> >>>>
> >>> We got SSH brute force rules! That was my point. Why not just those and
> >>> block as they occur? Then you don't need a list!
> >>>
> >> i was not aware of the ssh brute force rules... evidently i'm not
> getting
> >> hit by
> >> these types of attacks as they are not being tripped on my sensors...
> >>
> >> my tool does block as snort detects stuff that causes it to alert so if
> >> these
> >> happen, my networks should be safe from them...
> >>
> >>
> >>> And if you want the list, then just block it instead of turning it into
> >>> rules that do the same thing as the SSH brute force rule.
> >>>
> >> right... and i understand as well... however, the firewalls i work with
> are
> >> mainly older PII/PIII era boxes with 256M/512M RAM... yes, pretty
> limited
> >> but
> >> still supported and used all over the place in hundreds of thousands of
> >> soho
> >> firewall boxes...
> >>
> >> like i said in my post, the idea, like with the RBN rules, is to keep
> >> iptables
> >> as lean and fast as possible... deity knows the problems we saw when
> using
> >> blocking lists of 80000+ rules and how slow iptables got with all of
> them
> >> in
> >> place ;)
> >>
> >>
> >>> That's why I can't wrap my head about the intention of creating rules
> >>> from a list here :)
> >>>
> >> well, with the ssh brute force rules in place, i don't know that i see a
> >> need
> >> for these rules, either... but others have their own needs and desires
> much
> >> like
> >> many that i/we assist daily who want to block all of china, korea,
> taiwan,
> >> russia, south america and such... the sheer number of rules is one
> thing...
> >> trying to maintain them is another :P
> >>
> >>
> >>> 2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce
> >>> Tool
> >>> 2001219: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce
> >>> Attack!
> >>> 2001219: SCAN Potential SSH Scan
> >>>
> >>> Also got a couple private ones, but the above from ET work nicely on
> SSH
> >>> brute forces, especially together with Snortsam. Adjust thresholds as
> >>> desired.
> >>>
> >> thanks for listing those... i honestly hadn't gone grepping to see if
> there
> >> were
> >> any or not... i'll take a look at my setups and see if they are
> enabled...
> >>
> >> FWIW: the stuff we work with does not have a snortsam mod for it and i
> >> don't
> >> know that we can create one for the GUI interface we use... i've thought
> >> about
> >> looking deeper to see if we can use snortsam but time is a commodity
> that
> >> is in
> >> very short supply these days ;)
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >>
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

-- 
Joel Esler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100105/52acfa44/attachment.html

From kevross33 at googlemail.com Wed Jan 6 08:00:49 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 6 Jan 2010 13:00:49 +0000
Subject: [Emerging-Sigs] Rule Performance (Serv-U directory traversal vulnerability)
Message-ID:

Hey, here are two rules which could possibly be disabled, modified or removed for performance. See comments (-). Kev

- Possibly disable by default or retire for performance as it is just PCRE with no content matches. I don't really know how old the vulnerability is though. Also, based on reading the reference perhaps it may be possible to write new rules http://www.securiteam.com/windowsntfocus/6C0041F0KO.html. Content matches could possibly be added by doing checks for GET CWD and PUT then that a %20 character also exists before the PCRE.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U directory traversal vulnerability (1)"; flow: to_server,established; pcre:"/\\[\.]+%20/Bi"; reference:url, www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001211; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001211; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U directory traversal vulnerability (2)"; flow: to_server,established; pcre:"/%20[\.]+\//Bi"; reference:url, www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001212; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001212; rev:9;)

- Example Alternative rules with command and space check added after the expected space in the command, hence the distance:1;.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U directory traversal vulnerability 1 (PUT)"; flow: to_server,established; content:"PUT"; depth:3; content:"|20|"; distance:1; within:40; pcre:"/\\[\.]+%20/Bi"; reference:url, www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001211; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001211; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U directory traversal vulnerability 2 (PUT)"; flow: to_server,established; content:"PUT"; depth:3; content:"|20|"; distance:1; within:40; pcre:"/%20[\.]+\//Bi"; reference:url, www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001212; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001212; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U directory traversal vulnerability 1 (GET)"; flow: to_server,established; content:"GET"; depth:3; content:"|20|"; distance:1; within:40; pcre:"/\\[\.]+%20/Bi"; reference:url, www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001211; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001211; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U directory traversal vulnerability 2 (GET)"; flow: to_server,established; content:"GET"; depth:3; content:"|20|"; distance:1; within:40; pcre:"/%20[\.]+\//Bi"; reference:url, www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001212; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001212; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U directory traversal vulnerability 1 (CWD)"; flow: to_server,established; content:"CWD"; depth:3; content:"|20|"; distance:1; within:30; pcre:"/\\[\.]+%20/Bi"; reference:url, www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001211; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001211; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U directory traversal vulnerability 2 (CWD)"; flow: to_server,established; content:"CWD"; depth:3; content:"|20|"; distance:1; within:40; pcre:"/%20[\.]+\//Bi"; reference:url, www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001212; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001212; rev:10;)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100106/a2902ded/attachment.html

From jesler at sourcefire.com Wed Jan 6 08:16:48 2010
From: jesler at sourcefire.com (Joel Esler)
Date: Wed, 6 Jan 2010 08:16:48 -0500
Subject: [Emerging-Sigs] Rule Performance (Serv-U directory traversal vulnerability)
In-Reply-To:
References:
Message-ID: <314cf0831001060516k27e23695kdd7a70548c7dbb17@mail.gmail.com>

Does anyone have pcaps for these? I have a sneaky suspicion that the FTP preprocessor should alert on these.

J

On Wed, Jan 6, 2010 at 8:00 AM, Kevin Ross wrote:

> Hey, here are two rules which could possibly be disabled, modified or
> removed for performance. See comments (-). Kev
>
> - Possibly disable by default or retire for performance as it is just PCRE
> with no content matches. I don't really know how old the vulnerability is
> though. Also, based on reading the reference perhaps it may be possible to
> write new rules http://www.securiteam.com/windowsntfocus/6C0041F0KO.html.
> Content matches could possibly be added by doing checks for GET CWD and PUT
> then that a %20 character also exists before the PCRE.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> directory traversal vulnerability (1)"; flow: to_server,established;
> pcre:"/\\[\.]+%20/Bi"; reference:url,
> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001211;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001211; rev:9;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> directory traversal vulnerability (2)"; flow: to_server,established;
> pcre:"/%20[\.]+\//Bi"; reference:url,
> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001212;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001212; rev:9;)
>
> - Example Alternative rules with command and space check added after the
> expected space in the command, hence the distance:1;.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> directory traversal vulnerability 1 (PUT)"; flow: to_server,established;
> content:"PUT"; depth:3; content:"|20|"; distance:1; within:40;
> pcre:"/\\[\.]+%20/Bi"; reference:url,
> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001211;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001211; rev:10;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> directory traversal vulnerability 2 (PUT)"; flow: to_server,established;
> content:"PUT"; depth:3; content:"|20|"; distance:1; within:40;
> pcre:"/%20[\.]+\//Bi"; reference:url,
> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001212;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001212; rev:10;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> directory traversal vulnerability 1 (GET)"; flow: to_server,established;
> content:"GET"; depth:3; content:"|20|"; distance:1; within:40;
> pcre:"/\\[\.]+%20/Bi"; reference:url,
> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001211;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001211; rev:10;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> directory traversal vulnerability 2 (GET)"; flow: to_server,established;
> content:"GET"; depth:3; content:"|20|"; distance:1; within:40;
> pcre:"/%20[\.]+\//Bi"; reference:url,
> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001212;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001212; rev:10;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> directory traversal vulnerability 1 (CWD)"; flow: to_server,established;
> content:"CWD"; depth:3; content:"|20|"; distance:1; within:30;
> pcre:"/\\[\.]+%20/Bi"; reference:url,
> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001211;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001211; rev:10;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> directory traversal vulnerability 2 (CWD)"; flow: to_server,established;
> content:"CWD"; depth:3; content:"|20|"; distance:1; within:40;
> pcre:"/%20[\.]+\//Bi"; reference:url,
> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001212;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001212; rev:10;)
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>

-- 
Joel Esler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100106/f85dd0c3/attachment-0001.html

From kevross33 at googlemail.com Wed Jan 6 08:58:51 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 6 Jan 2010 13:58:51 +0000
Subject: [Emerging-Sigs] Rule Performance (Serv-U directory traversal vulnerability)
In-Reply-To: <314cf0831001060516k27e23695kdd7a70548c7dbb17@mail.gmail.com>
References: <314cf0831001060516k27e23695kdd7a70548c7dbb17@mail.gmail.com>
Message-ID:

I think these two would also be detected by the FTP preprocessor also. Even if it isn't I am sure the LIST -l one pretty much just replicates the function of sid 2338 (FTP LIST buffer overflow attempt) with the addition of a -l

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow"; flow: to_server,established; content:"LIST -l\:"; nocase; isdataat: 134,relative; reference:url, www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001213; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001213; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability"; flow: to_server,established; content:"chmod"; nocase; pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; reference:url, www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001215; reference:url, www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001215; rev:9;)

2010/1/6 Joel Esler

> Does anyone have pcaps for these? I have a sneaky suspicion that the FTP
> preprocessor should alert on these.
>
> J
>
> On Wed, Jan 6, 2010 at 8:00 AM, Kevin Ross wrote:
>
>> Hey, here are two rules which could possibly be disabled, modified or
>> removed for performance. See comments (-). Kev
>>
>> - Possibly disable by default or retire for performance as it is just PCRE
>> with no content matches. I don't really know how old the vulnerability is
>> though. Also, based on reading the reference perhaps it may be possible to
>> write new rules http://www.securiteam.com/windowsntfocus/6C0041F0KO.html.
>> Content matches could possibly be added by doing checks for GET CWD and PUT
>> then that a %20 character also exists before the PCRE.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>> directory traversal vulnerability (1)"; flow: to_server,established;
>> pcre:"/\\[\.]+%20/Bi"; reference:url,
>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>> misc-activity; reference:url,
>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>> sid: 2001211; rev:9;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>> directory traversal vulnerability (2)"; flow: to_server,established;
>> pcre:"/%20[\.]+\//Bi"; reference:url,
>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>> misc-activity; reference:url,
>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>> sid: 2001212; rev:9;)
>>
>> - Example Alternative rules with command and space check added after the
>> expected space in the command, hence the distance:1;.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>> directory traversal vulnerability 1 (PUT)"; flow: to_server,established;
>> content:"PUT"; depth:3; content:"|20|"; distance:1; within:40;
>> pcre:"/\\[\.]+%20/Bi"; reference:url,
>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>> misc-activity; reference:url,
>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>> sid: 2001211; rev:10;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>> directory traversal vulnerability 2 (PUT)"; flow: to_server,established;
>> content:"PUT"; depth:3; content:"|20|"; distance:1; within:40;
>> pcre:"/%20[\.]+\//Bi"; reference:url,
>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>> misc-activity; reference:url,
>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>> sid: 2001212; rev:10;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>> directory traversal vulnerability 1 (GET)"; flow: to_server,established;
>> content:"GET"; depth:3; content:"|20|"; distance:1; within:40;
>> pcre:"/\\[\.]+%20/Bi"; reference:url,
>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>> misc-activity; reference:url,
>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>> sid: 2001211; rev:10;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>> directory traversal vulnerability 2 (GET)"; flow: to_server,established;
>> content:"GET"; depth:3; content:"|20|"; distance:1; within:40;
>> pcre:"/%20[\.]+\//Bi"; reference:url,
>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>> misc-activity; reference:url,
>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>> sid: 2001212; rev:10;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>> directory traversal vulnerability 1 (CWD)"; flow: to_server,established;
>> content:"CWD"; depth:3; content:"|20|"; distance:1; within:30;
>> pcre:"/\\[\.]+%20/Bi"; reference:url,
>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>> misc-activity; reference:url,
>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>> sid: 2001211; rev:10;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>> directory traversal vulnerability 2 (CWD)"; flow: to_server,established;
>> content:"CWD"; depth:3; content:"|20|"; distance:1; within:40;
>> pcre:"/%20[\.]+\//Bi"; reference:url,
>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>> misc-activity; reference:url,
>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>> sid: 2001212; rev:10;)
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
>
> --
> Joel Esler
>
-------------- next part --------------
An HTML attachment was scrubbed...
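The content-before-PCRE gating that Kevin Ross proposes for sids 2001211/2001212 in his first post of this thread, as an added example in Python (not code from the thread, from Emerging Threats, or from Snort): it emulates the Snort 2 content/depth/distance/within semantics as I read them (an assumption, spelled out in the comments), runs the PCRE-only rev:9 shape and the gated rev:10 shape over constructed FTP command lines, and counts how often the PCRE actually executes. A third column uses distance:0 so the gate's search window includes the space byte that directly follows the command, which is the check a rule author wants before shipping a gate that can keep the PCRE from ever running.

```python
import re

# Added example, not code from the thread. Emulates just enough of Snort 2
# content/pcre matching to compare the pcre-only rev:9 Serv-U rules with the
# content-gated rev:10 shape. Modelled semantics (my reading of Snort 2,
# stated as an assumption, not taken from the thread):
#   content:"X"; depth:N              -> X must lie inside the first N bytes
#   content:"Y"; distance:D; within:W -> Y is searched in the W bytes that
#                                        start D bytes after the previous
#                                        match ended
#   pcre:"/.../Bi"                    -> run over the raw payload,
#                                        case-insensitive

PCRE_1 = re.compile(rb"\\[.]+%20", re.IGNORECASE)  # sid 2001211: backslash, dots, %20
PCRE_2 = re.compile(rb"%20[.]+/", re.IGNORECASE)   # sid 2001212: %20, dots, slash

# The client-side command names the thread's rev:10 rules key on.
COMMANDS = (b"PUT", b"GET", b"CWD")


class Stats:
    """Counts pcre evaluations so the cost of each rule shape is visible."""

    def __init__(self):
        self.pcre_evaluations = 0


def find_content(payload, pattern, start, length):
    """Snort-style content search restricted to payload[start:start+length].
    Returns the offset just past the match, or -1 when absent."""
    window = payload[start:start + length]
    idx = window.find(pattern)
    return -1 if idx < 0 else start + idx + len(pattern)


def pcre_only_rule(payload, pcre, stats):
    """rev:9 shape: the pcre is the only test, so it runs on every payload."""
    stats.pcre_evaluations += 1
    return pcre.search(payload) is not None


def gated_rule(payload, command, pcre, stats, distance=1, within=40):
    """rev:10 shape: content:"CWD"; depth:3; content:"|20|"; distance:D;
    within:W; and only when both cheap checks pass does the pcre run."""
    end = find_content(payload, command, 0, 3)          # depth:3
    if end < 0:
        return False
    if find_content(payload, b"\x20", end + distance, within) < 0:
        return False
    stats.pcre_evaluations += 1
    return pcre.search(payload) is not None


# Constructed sample FTP command lines (not traffic from the thread).
SAMPLES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"CWD pub/incoming\r\n",
    b"LIST -l\r\n",
    b"RETR report-2010.txt\r\n",
    b"CWD \\..%20\r\n",           # shape the sid 2001211 pcre describes
    b"CWD \\..%20 extra\r\n",     # same, plus a second space byte later on
    b"PUT %20../notes.txt\r\n",   # shape the sid 2001212 pcre describes
]


def evaluate(samples):
    """Run three rule shapes over the samples.

    Returns (rows, evals): rows holds one
    (line, pcre_only, gated_distance1, gated_distance0) verdict per sample and
    evals maps each shape to how many times its pcre actually executed."""
    stats = {"pcre_only": Stats(), "gated_d1": Stats(), "gated_d0": Stats()}
    rows = []
    for line in samples:
        plain = [pcre_only_rule(line, p, stats["pcre_only"]) for p in (PCRE_1, PCRE_2)]
        d1 = [gated_rule(line, c, p, stats["gated_d1"], distance=1)
              for c in COMMANDS for p in (PCRE_1, PCRE_2)]
        d0 = [gated_rule(line, c, p, stats["gated_d0"], distance=0)
              for c in COMMANDS for p in (PCRE_1, PCRE_2)]
        text = line.rstrip(b"\r\n").decode("latin-1")
        rows.append((text, any(plain), any(d1), any(d0)))
    evals = {name: s.pcre_evaluations for name, s in stats.items()}
    return rows, evals


if __name__ == "__main__":
    rows, evals = evaluate(SAMPLES)
    print(f"{'command line':<26} pcre-only  gated(d=1)  gated(d=0)")
    for text, plain, d1, d0 in rows:
        print(f"{text:<26} {plain!s:<10} {d1!s:<11} {d0!s}")
    print("pcre evaluations:", evals)
```

Under these modelled semantics the distance:1 gate never sees the space that follows the three-letter command, so on the canonical one-space lines the pcre is skipped and the alert is lost, while distance:0 keeps every pcre-only verdict and halves the pcre evaluations; confirm against a pcap on a real sensor before relying on either variant.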
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100106/bb8c706b/attachment.html

From jesler at sourcefire.com Wed Jan 6 09:01:44 2010
From: jesler at sourcefire.com (Joel Esler)
Date: Wed, 6 Jan 2010 09:01:44 -0500
Subject: [Emerging-Sigs] Rule Performance (Serv-U directory traversal vulnerability)
In-Reply-To:
References: <314cf0831001060516k27e23695kdd7a70548c7dbb17@mail.gmail.com>
Message-ID: <314cf0831001060601n575cf97fo2cb5c9b3e8adda2@mail.gmail.com>

General rule of thumb is, "don't duplicate signatures cause you can"

So, I wouldn't add #1, as you said, it's already detected with 2338. 2338 can also detect much more. But yes, the preprocessor should catch that too.

Preprocessor should catch the second one, yes.

J

On Wed, Jan 6, 2010 at 8:58 AM, Kevin Ross wrote:

> I think these two would also be detected by the FTP preprocessor also. Even
> if it isn't I am sure the LIST -l one pretty much just replicates the
> function of sid 2338 (FTP LIST buffer overflow attempt) with the addition of
> a -l
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
> LIST -l Parameter Buffer Overflow"; flow: to_server,established;
> content:"LIST -l\:"; nocase; isdataat: 134,relative; reference:url,
> www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001213;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001213; rev:8;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTP Serv-U
> Server Long Filename Stack Overflow Vulnerability"; flow:
> to_server,established; content:"chmod"; nocase;
> pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; reference:url,
> www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; classtype:
> misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001215;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
> sid: 2001215; rev:9;)
>
>
> 2010/1/6 Joel Esler
>
> Does anyone have pcaps for these? I have a sneaky suspicion that the FTP
>> preprocessor should alert on these.
>>
>> J
>>
>> On Wed, Jan 6, 2010 at 8:00 AM, Kevin Ross wrote:
>>
>>> Hey, here are two rules which could possibly be disabled, modified or
>>> removed for performance. See comments (-). Kev
>>>
>>> - Possibly disable by default or retire for performance as it is just
>>> PCRE with no content matches. I don't really know how old the vulnerability
>>> is though. Also, based on reading the reference perhaps it may be possible
>>> to write new rules
>>> http://www.securiteam.com/windowsntfocus/6C0041F0KO.html. Content
>>> matches could possibly be added by doing checks for GET CWD and PUT then that a
>>> %20 character also exists before the PCRE.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>>> directory traversal vulnerability (1)"; flow: to_server,established;
>>> pcre:"/\\[\.]+%20/Bi"; reference:url,
>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>>> misc-activity; reference:url,
>>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>>> sid: 2001211; rev:9;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>>> directory traversal vulnerability (2)"; flow: to_server,established;
>>> pcre:"/%20[\.]+\//Bi"; reference:url,
>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>>> misc-activity; reference:url,
>>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>>> sid: 2001212; rev:9;)
>>>
>>> - Example Alternative rules with command and space check added after the
>>> expected space in the command, hence the distance:1;.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>>> directory traversal vulnerability 1 (PUT)"; flow: to_server,established;
>>> content:"PUT"; depth:3; content:"|20|"; distance:1; within:40;
>>> pcre:"/\\[\.]+%20/Bi"; reference:url,
>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>>> misc-activity; reference:url,
>>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>>> sid: 2001211; rev:10;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>>> directory traversal vulnerability 2 (PUT)"; flow: to_server,established;
>>> content:"PUT"; depth:3; content:"|20|"; distance:1; within:40;
>>> pcre:"/%20[\.]+\//Bi"; reference:url,
>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>>> misc-activity; reference:url,
>>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>>> sid: 2001212; rev:10;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>>> directory traversal vulnerability 1 (GET)"; flow: to_server,established;
>>> content:"GET"; depth:3; content:"|20|"; distance:1; within:40;
>>> pcre:"/\\[\.]+%20/Bi"; reference:url,
>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>>> misc-activity; reference:url,
>>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>>> sid: 2001211; rev:10;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>>> directory traversal vulnerability 2 (GET)"; flow: to_server,established;
>>> content:"GET"; depth:3; content:"|20|"; distance:1; within:40;
>>> pcre:"/%20[\.]+\//Bi"; reference:url,
>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>>> misc-activity; reference:url,
>>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>>> sid: 2001212; rev:10;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>>> directory traversal vulnerability 1 (CWD)"; flow: to_server,established;
>>> content:"CWD"; depth:3; content:"|20|"; distance:1; within:30;
>>> pcre:"/\\[\.]+%20/Bi"; reference:url,
>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>>> misc-activity; reference:url,
>>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>>> sid: 2001211; rev:10;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U
>>> directory traversal vulnerability 2 (CWD)"; flow: to_server,established;
>>> content:"CWD"; depth:3; content:"|20|"; distance:1; within:40;
>>> pcre:"/%20[\.]+\//Bi"; reference:url,
>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:
>>> misc-activity; reference:url,
>>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp;
>>> sid: 2001212; rev:10;)
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
>>
>> --
>> Joel Esler
>>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>

-- 
Joel Esler
-------------- next part --------------
An HTML attachment was scrubbed...
From kevross33 at googlemail.com Wed Jan 6 09:37:23 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 6 Jan 2010 14:37:23 +0000
Subject: [Emerging-Sigs] Rule Performance (Serv-U directory traversal vulnerability)
In-Reply-To: <314cf0831001060601n575cf97fo2cb5c9b3e8adda2@mail.gmail.com>
References: <314cf0831001060516k27e23695kdd7a70548c7dbb17@mail.gmail.com> <314cf0831001060601n575cf97fo2cb5c9b3e8adda2@mail.gmail.com>
Message-ID:

Good then likely SIDs 2001210, 2001211, 2001212, 2001213 and 2001215 can be removed from emerging-exploit I would reckon.

2010/1/6 Joel Esler
> General rule of thumb is, "don't duplicate signatures cause you can"
>
> So, I wouldn't add #1, as you said, it's already detected with 2338. 2338 can also detect much more. But yes, the preprocessor should catch that too.
>
> Preprocessor should catch the second one, yes.
>
> J
>
> On Wed, Jan 6, 2010 at 8:58 AM, Kevin Ross wrote:
>> I think these two would also be detected by the FTP preprocessor also.
>> Even if it isn't I am sure the LIST -l one pretty much just replicates the function of sid 2338 (FTP LIST buffer overflow attempt) with the addition of a -l
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow"; flow: to_server,established; content:"LIST -l\:"; nocase; isdataat: 134,relative; reference:url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001213; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001213; rev:8;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability"; flow: to_server,established; content:"chmod"; nocase; pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001215; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; sid: 2001215; rev:9;)
>>
>> 2010/1/6 Joel Esler
>>> Does anyone have pcaps for these? I have a sneaky suspicion that the FTP preprocessor should alert on these.
>>>
>>> J
>>>
>>> On Wed, Jan 6, 2010 at 8:00 AM, Kevin Ross wrote:
>>>> Hey, here are two rules which could possibly be disabled, modified or removed for performance. See comments (-). Kev
>>>>
>>>> - Possibly disable by default or retire for performance as it is just PCRE with no content matches. I don't really know how old the vulnerability is though. Also; based on reading the reference perhaps it may be possible to write new rules http://www.securiteam.com/windowsntfocus/6C0041F0KO.html. Content matches could possibly be added by doing checks for GET CWD and PUT then that a %20 character also exists before the PCRE.
>>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U >>>> directory traversal vulnerability (1)"; flow: to_server,established; >>>> pcre:"/\\[\.]+%20/Bi"; reference:url, >>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: >>>> misc-activity; reference:url, >>>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url, >>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; >>>> sid: 2001211; rev:9;) >>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U >>>> directory traversal vulnerability (2)"; flow: to_server,established; >>>> pcre:"/%20[\.]+\//Bi"; reference:url, >>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: >>>> misc-activity; reference:url, >>>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url, >>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; >>>> sid: 2001212; rev:9;) >>>> >>>> - Example Alternative rules with command and space check added after the >>>> expected space in the command, hence the distance:1;. 
>>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U >>>> directory traversal vulnerability 1 (PUT)"; flow: to_server,established; >>>> content:"PUT"; depth:3; content:"|20|"; distance:1; within:40; >>>> pcre:"/\\[\.]+%20/Bi"; reference:url, >>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: >>>> misc-activity; reference:url, >>>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url, >>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; >>>> sid: 2001211; rev:10;) >>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U >>>> directory traversal vulnerability 2 (PUT)"; flow: to_server,established; >>>> content:"PUT"; depth:3; content:"|20|"; distance:1; within:40; >>>> pcre:"/%20[\.]+\//Bi"; reference:url, >>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: >>>> misc-activity; reference:url, >>>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url, >>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; >>>> sid: 2001212; rev:10;) >>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U >>>> directory traversal vulnerability 1 (GET)"; flow: to_server,established; >>>> content:"GET"; depth:3; content:"|20|"; distance:1; within:40; >>>> pcre:"/\\[\.]+%20/Bi"; reference:url, >>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: >>>> misc-activity; reference:url, >>>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url, >>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; >>>> sid: 2001211; rev:10;) >>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U >>>> directory traversal vulnerability 2 (GET)"; flow: to_server,established; >>>> content:"GET"; depth:3; content:"|20|"; distance:1; within:40; >>>> pcre:"/%20[\.]+\//Bi"; reference:url, >>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: >>>> 
misc-activity; reference:url, >>>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url, >>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; >>>> sid: 2001212; rev:10;) >>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U >>>> directory traversal vulnerability 1 (CWD)"; flow: to_server,established; >>>> content:"CWD"; depth:3; content:"|20|"; distance:1; within:30; >>>> pcre:"/\\[\.]+%20/Bi"; reference:url, >>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: >>>> misc-activity; reference:url, >>>> doc.emergingthreats.net/bin/view/Main/2001211; reference:url, >>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; >>>> sid: 2001211; rev:10;) >>>> >>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP Serv-U >>>> directory traversal vulnerability 2 (CWD)"; flow: to_server,established; >>>> content:"CWD"; depth:3; content:"|20|"; distance:1; within:40; >>>> pcre:"/%20[\.]+\//Bi"; reference:url, >>>> www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: >>>> misc-activity; reference:url, >>>> doc.emergingthreats.net/bin/view/Main/2001212; reference:url, >>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp; >>>> sid: 2001212; rev:10;) >>>> >>>> >>>> _______________________________________________ >>>> Emerging-sigs mailing list >>>> Emerging-sigs at emergingthreats.net >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>> >>>> >>> >>> >>> -- >>> Joel Esler >>> >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> > > > -- > Joel Esler > -------------- next part -------------- An HTML attachment was scrubbed... 
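The thread above weighs a PCRE-only rule (SIDs 2001211/2001212) against Kevin's content-anchored alternatives and asks whether the content matches buy anything for performance. The script below is an added example, not code from the list or from the ET ruleset: it runs both posted PCREs over a handful of constructed FTP control-channel commands, once with nothing in front of the regex and once behind a cheap content check standing in for Snort's fast-pattern stage, and counts how often the regex actually has to run. Two caveats about the rules as posted are folded in. First, an FTP server sees RETR and STOR on the wire (RFC 959), never the client-side GET and PUT, so a content anchor on those verbs would never see traffic; the example anchors on CWD/STOR/RETR and friends. Second, |20| in a Snort rule is a raw space byte, whereas the PCREs look for the literal characters %20, so the second anchor here is on %20 itself. The sample commands, the PATH_COMMANDS tuple and the 40-byte window are assumptions for the example. None of this replaces the ftp_telnet preprocessor check Joel raised; it only shows why a PCRE with no content in front of it costs a regex evaluation on every packet the rule's header matches.

```python
"""Two-stage evaluation of the Serv-U traversal PCREs: content prefilter, then regex."""
from __future__ import annotations

import re
from typing import Callable

# Constructed FTP control-channel commands for the example (not captured traffic).
SAMPLE_COMMANDS: list[bytes] = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",
    b"CWD pub/incoming\r\n",
    b"CWD \\..%20\\..%20\r\n",            # the shape SID 2001211's PCRE looks for
    b"STOR %20../%20../dropped.txt\r\n",  # the shape SID 2001212's PCRE looks for
    b"CWD ..\\..\\windows\r\n",           # plain traversal: neither posted PCRE matches it
    b"RETR readme.txt\r\n",
    b"LIST -l\r\n",
    b"TYPE I\r\n",
    b"QUIT\r\n",
]

# The two regexes from the posted rules. Snort's /B means "raw payload", /i means nocase.
PCRES: dict[int, re.Pattern[bytes]] = {
    2001211: re.compile(rb"\\[.]+%20", re.IGNORECASE),  # pcre:"/\\[\.]+%20/Bi"
    2001212: re.compile(rb"%20[.]+/", re.IGNORECASE),   # pcre:"/%20[\.]+\//Bi"
}

# FTP verbs that carry a path argument on the wire (RFC 959). GET and PUT are
# client-side conveniences that never reach the server, so they are not anchors.
# This tuple is an assumption for the example.
PATH_COMMANDS = (b"CWD", b"STOR", b"RETR", b"DELE", b"MKD", b"RMD", b"RNFR", b"RNTO")


def no_prefilter(payload: bytes) -> bool:
    """Original rule shape: no content match, so every packet reaches the PCRE."""
    return True


def content_prefilter(payload: bytes, within: int = 40) -> bool:
    """Anchored shape, the rough equivalent of
       content:"CWD"; depth:3; content:"%20"; within:40;
    for each path verb. The second anchor is the literal text %20 (what the
    PCREs match), not |20|, which in a Snort rule is a raw space byte."""
    verb, _, argument = payload.partition(b" ")
    if verb.upper() not in PATH_COMMANDS:
        return False
    return b"%20" in argument[:within]


def run_rules(commands: list[bytes],
              prefilter: Callable[[bytes], bool]) -> tuple[int, list[tuple[int, bytes]]]:
    """Return (number of PCRE evaluations, [(sid, payload) alerts])."""
    pcre_evaluations = 0
    alerts: list[tuple[int, bytes]] = []
    for payload in commands:
        if not prefilter(payload):
            continue                      # fast-pattern stage rejected the packet
        for sid, pcre in PCRES.items():
            pcre_evaluations += 1         # the expensive stage
            if pcre.search(payload):
                alerts.append((sid, payload))
    return pcre_evaluations, alerts


if __name__ == "__main__":
    for label, prefilter in (("pcre only", no_prefilter),
                             ("content anchor then pcre", content_prefilter)):
        count, hits = run_rules(SAMPLE_COMMANDS, prefilter)
        print(f"{label}: {count} PCRE evaluations, {len(hits)} alerts")
        for sid, payload in hits:
            print(f"  sid {sid}: {payload!r}")
```

With the sample above both forms raise the same two alerts, but the anchored form runs the regex four times instead of twenty; on a real port-21 stream the ratio is driven by how many commands carry a %20 at all, which is the point of putting a content match in front of the PCRE. The plain ..\..\ traversal line is there to show the posted PCREs are specific to the %20 form, not to traversal in general.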
From jonkman at jonkmans.com Wed Jan 6 10:00:43 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 06 Jan 2010 10:00:43 -0500
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To:
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com>
Message-ID: <4B44A59B.1090808@jonkmans.com>

On 1/4/10 11:01 PM, Rich Rumble wrote:
> On Mon, Jan 4, 2010 at 4:52 PM, Kevin Ross wrote:
>> Not so much for the competition but if we could go through the rulesets looking for errors, performance improvements or sigs to possibly disable or retire if they are not relevant anymore.
> Hear, hear!

I agree. We do need efforts to clean up old and obsoleted. Sidreporter is something toward that, so we can see if rules have hit recently. We're still looking for a larger sample size though. If you can please contribute! It's anonymous.

>> I am aware that some of my sigs in the emerging-scan category can be improved upon too as they were when I was first learning and that is something I will be getting around to. They work, just need improving for performance.
> I have a question, how are we to balance snort sigs and suricata sigs? I've not seen anything to tell me the two are different, but I'd assume with protocol detection that perhaps we don't need to include port numbers in a suri sig where we still do in a snort sig?

We are so far just using the snort ruleset, but you're right we will have more capabilities (especially as we get more layer 7 protocols into the autodetection). Defined ports will become far less important (thankfully!). So we will have to diverge the rulesets.
We'll do so at ET, have a stock snort ruleset as we do now, and a parallel ruleset for suricata enhanced rules. Same coverage though as is possible. Although it's likely that in the future we'll have more rules, or better coverage, in suricata because of the enhancements.

> I know it's brand new, but I've not seen a doc yet on writing effective suri rules, and perhaps that will come along in the next update.

Yes, that's in the works. The syntax itself is still solidifying for the things that are beyond the snort language. But very soon, yes!

> Will there be a need for separate lists for snort/suricata?

I hope not. I think we can continue to discuss threats and the signatures will follow as always, just in 2 versions if there is a suricata enhancement that can be used.

> Something I've always needed help with is how to write a better sig, and I think there are some sig *stars* on the list that do great work and help others whenever possible, I wish there were more, I wish I were one of them :) I'll keep reading SnortSigs101 and try to get myself in the running for the monthly sig contest. (I think I've just made a new years resolution... even though I've oxymoronically made it my new years resolution to not make new years resolutions... hmm)

Excellent! Glad to have you here. I think this is a great place to learn about sigs. I get schooled at least once a week.
:) Matt ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Wed Jan 6 10:02:13 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 06 Jan 2010 10:02:13 -0500 Subject: [Emerging-Sigs] Contest Enhancement In-Reply-To: <69544301001040822o3853017xbbefc21effa0c676@mail.gmail.com> References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com> <69544301001040822o3853017xbbefc21effa0c676@mail.gmail.com> Message-ID: <4B44A5F5.1040200@jonkmans.com> So to continue the rules contest change discussion, I think we're at the point of thinking an enhancement could be made, but there's not a lot of conviction behind that. And actually making a rating scheme for signatures WILL be a difficult thing. So maybe we put this on the back burner for a while until more ideas come to light? Matt On 1/4/10 11:22 AM, Jules Pagna Disso wrote: > hi Matt, > > Rating a signature would be tricky. As long as a signature does what it > is supposed to do it is a good signature. I wont think that a signature > is good because of its complexity. One way that I would think would be > to rate signature by the number of time they hit on our network hence a > central reporting server. Having a central reporting prelude or ... > server could be good but will give away information that can be > exploited by the bad guys. > > I dont think it's necessary to rate signature. > Jules > > 2010/1/4 Matt Jonkman > > > Now that everyone's back in the office I wanted to bring this back up. > > 1. 
Do we have any volunteers wiling to sit on a panel to rate sigs and > their scores averaged > > 2. Is this worth doing? > > 3. What criteria should we use to rate? > > Hope everyone's holidays were good! > > Matt > > > On 12/29/09 2:23 PM, Matt Jonkman wrote: > > Hey David. I remember when you proposed this originally and I was > > thinking it might just be overkill for the contest then, but I didn't > > totally understand what you meant. I do now much more. So in the > last 6 > > months of the sig contest I think we've learned: > > > > 1. Geeks will do anything for a tshirt! (we already knew that, but > > apparently endless hours of thankless research also are up for grabs) > > > > 2. I really like the ongoing recognition the leaderboard gives > > contributors. I know everyone's not in this for glory, but it makes me > > feel better to have that return available to contributors. Hopefully > > good numbers up there might help a person get a good job one day. > > > > 3. The contest inspired a lot of talk, thought, and innovation. It > > really spurred submissions, I could barely keep up some months! > > > > > > So the contest is valuable I think for a lot of reasons. We need > to keep > > it, but I think your (David's) suggestion is a very good one to > improve > > the contest. > > > > It would mean more work for me, which I'm more than willing to work > > hard, but I am approaching bandwidth saturation with ET, OISF (which > > we're releasing code in 2 days!!!), and the rest of life. And oh ya, > > making a living in there somewhere. :) And kids, I'm pretty sure > I have > > kids around here somewhere... > > > > So let me suggest this: I keep putting up the sigs as we do now, they > > keep coming in the same way. But we set up a committee of 3 or 4 > > volunteers that score the submissions, either daily or weekly. > > > > We can discuss the exact algorithm later if the above suggestion is > > palatable. 
But that way I can keep the sigs flowing smoothly, and the > > signature contest can offer more reward based on innovation and > speed of > > work. I do appreciate the sigs we've had to date, but this might > > encourage people to tackle the more difficult problems that might mean > > one sig, but a very high score, vs 20 joomla sigs. > > > > I'd also suggest that we move this to maybe a quarterly award, or at > > least every other month. If we have fewer awards, and since we're > > definitely seeing the value of the contest, I think I could poll > some of > > our sponsors and companies that rely on the ruleset to chip in > some more > > substantial prizes (yes I'll still keep getting the tshirts too > though!). > > > > What does everyone think about that? The 2 suggestions: > > > > 1. A value based scoring system run by disinterested committee > > > > 2. Getting some sponsors to chip in substantial prizes > > > > Matt > > > > On 12/29/09 1:44 PM, David.R.Wharton at regions.com > wrote: > >> Agreed that the contest has resulted in an increase in quantity > but an > >> overall decrease in quality/usefulness (not that they are not > useful, just > >> not so much on average). That is why back in July I proposed a > scoring > >> algorithm to encourage people to write rules for new > vulnerabilities and > >> the latest malware. What are people's thoughts on this scoring > method: > >> > >> 0day: 4 points > >> Within 24 hours of vulnerability disclosure: 3 points > >> Within a week of vulnerability disclosure: 2 points > >> Generic signature: 3 points > >> Malware: 2.5 x log(percentage of VirusTotal non-detections + 10) > points > >> (log is base 10 and points round to the nearest integer) > >> Web app specific: always 1 point unless it is for "popular" software > >> (Apache, IIS, PHP, etc.) and in that case normal scoring rules > apply. The > >> definition of "popular" software is currently undefined. 
> >> Joomla or XSS: 0.25 points (just kidding) > >> > >> Of course, this would probably mean more work for Matt.... > >> > >> -David > >> > >> > >> > >> > >> From: > >> Matt Jonkman > > >> To: > >> "evilghost at packetmail.net " > > > >> Cc: > >> "emerging-sigs at emergingthreats.net > " > > > >> Date: > >> 12/29/2009 10:40 AM > >> Subject: > >> Re: [Emerging-Sigs] 35mm Slide Gallery imgdir Parameter Directory > >> Traversal > >> Sent by: > >> emerging-sigs-bounces at emergingthreats.net > > >> > >> > >> > >> There have been a lot more sigs, and maybe less thought into some of > >> them. I agree completely. > >> > >> But the majority of the sigs that are questionable are in > >> web_specific_apps, which is really what is intended to be in > there. That > >> ruleset is not meant to be run whole, just pick the apps you have an > >> interest in. > >> > >> So I think the net effect of the sig contest is a definite > increase in > >> the quality and quantity overall. > >> > >> Plus it's a lot of good clean fun. :) > >> > >> Matt > >> > >> On 12/29/09 11:33 AM, evilghost at packetmail.net > wrote: > >>> I got nothing in the queue. I wouldn't sit on some signatures > to win a > >>> T-Shirt, that's certainly not my motivation for contributing to this > >>> list. What is curious is the unintended consequences of a > contest to > >>> promote competition; we get dilution in the quality of the rules > because > >> > >>> people want to pad their lead. It's almost like bottom posting... > >>> > >>> -evilghost > >>> > >>> Mike Cox wrote: > >>>> Thanks, just hedging my lead. I still worry that evilghost > might swoop > >> in > >>>> at the last minute with a bunch of saved up rules since he got > robbed > >> last > >>>> month. There is at lot of low hanging fruit out there (XSS, > ActiveX, > >>>> Joomla, etc.) 
to keep more than one Kevin Ross busy :) > >>>> > >>>> -Mike Cox > >>>> > >>>> On Tue, Dec 29, 2009 at 10:16 AM, John Jacobs > > > >> wrote: > >>>> > >>>> > >>>>> Mike, thanks for this signature, the five people using this will > >> surely be > >>>>> happy. Looking at > >> http://www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt > >>>>> this is so trivial it has to be a joke. > >>>>> > >>>>> At least you're a shoo-in for a T-Shirt (perhaps at the > detriment to > >> the > >>>>> quality of the rules). > >>>>> > >>>>> Cheers > >>>>> -John > >>>>> > >>>>> ------------------------------ > >>>>> Date: Tue, 29 Dec 2009 10:08:42 -0600 > >>>>> From: mike.cox52 at gmail.com > >>>>> To: Emerging-sigs at emergingthreats.net > > >>>>> Subject: [Emerging-Sigs] 35mm Slide Gallery imgdir Parameter > Directory > >>>>> Traversal > >>>>> > >>>>> > >>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET > >>>>> WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory > >> Traversal > >>>>> Attempt"; flow:to_server,established; content:"GET"; http_method; > >>>>> uricontent:"index.php?"; nocase; uricontent:"imgdir="; nocase; > >> content:".."; > >>>>> > >> > pcre:"/\/index\.php(\?|.*\x26)imgdir=([^\x26\x3B\x0D\x0A]*[\x2F\x5C])?\.\.[\x2F\x5C]/i"; > >>>>> classtype:web-application-attack; reference:url, > >>>>> www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt > ; > >>>>> sid:2010xxx; rev:1;) > >>>>> > >>>>> Thanks. 
> >>>>> > >>>>> -Mike Cox > >>>>> > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> Emerging-sigs mailing list > >>>>> Emerging-sigs at emergingthreats.net > > >>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > >>>>> > >>>>> > >>>>> > >>>> > >>>> > >>>> > >> > ------------------------------------------------------------------------ > >>>> > >>>> _______________________________________________ > >>>> Emerging-sigs mailing list > >>>> Emerging-sigs at emergingthreats.net > > >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > >>>> > >>> _______________________________________________ > >>> Emerging-sigs mailing list > >>> Emerging-sigs at emergingthreats.net > > >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > >> > > > > -- > > ---------------------------------------------------- > Matthew Jonkman > Emerging Threats > Open Information Security Foundation (OISF) > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > http://www.openinfosecfoundation.org > ---------------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Wed Jan 6 10:06:24 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: 
Wed, 06 Jan 2010 10:06:24 -0500
Subject: [Emerging-Sigs] sig repost (Cisco WLAN sig and Wapiti)
In-Reply-To:
References: <4B4377BE.9070908@jonkmans.com>
Message-ID: <4B44A6F0.4070701@jonkmans.com>

I think it's a likely common uri pattern. Probably not unique to cisco. I'm just assuming here though based on the common terms.

Matt

On 1/5/10 2:26 PM, Kevin Ross wrote:
> is /screens/frameset.html common for authorisation? I didn't know that
>
> 2010/1/5 Matt Jonkman
>
> Hmmm, on the first one, this could hit on normal traffic unrelated. Nothing to tie it specifically to a cisco attack. I don't see anything in the vuln report to make this better. Unfortunately.
>
> The second one is good though, I think that'll fly.
>
> Thanks Kevin!
>
> Matt
>
> On 1/5/10 10:24 AM, Kevin Ross wrote:
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET /screens/frameset.html"; depth:26; nocase; content:"Authorization|3A 20|Basic"; nocase; within:60; isdataat:70,relative; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; sid:19000001; rev:1;)
> >
> > # This replaces my early (poor) attempt at a sig with sid 2008417 in emerging-scan
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; classtype:attempted-recon; reference:url,wapiti.sourceforge.net/; sid:1900002; rev:1;)
> >
> > Both tested and working against exploit attempts/scans (former tested with metasploit module),
> > Kev
--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Jan 6 10:08:45 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 06 Jan 2010 10:08:45 -0500
Subject: [Emerging-Sigs] ET EXPLOIT Stealth attempt to execute VBScript/Javascript code - SIDs 2001102 2001101
In-Reply-To: <6116b9e21001051320o58ecef2eld6c0951ca3ee833a@mail.gmail.com>
References: <6116b9e21001051320o58ecef2eld6c0951ca3ee833a@mail.gmail.com>
Message-ID: <4B44A77D.4070400@jonkmans.com>

I also disabled that one and its evil sisters yesterday. I personally have disabled those in most of my sensors. They false a lot and the alert isn't one that I really feel inclined to chase down.

What's the general feel for these rules, the stealth attempts to execute java/vb/etc. Are they worth keeping in the ruleset and improving?

Matt

On 1/5/10 4:20 PM, Mike Cox wrote:
> SIDs 2001102 and 2001101 in emerging-exploit.rules are also eating clock cycles.
> Here is 2001102 currently:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001102; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities; sid: 2001102; rev:9;)
>
> Would putting the content matches before the PCRE help or is snort smart enough to match/not match them first?
>
> Since this just looks for an obfuscated "vbscript" or "javascript" call, are they worth keeping? This afternoon I've seen a few hundred thousand checks against this rule on one sensor but no matches. A search of the last few weeks shows that these rules have not tripped.
> -Mike Cox

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Jan 6 10:12:50 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 06 Jan 2010 10:12:50 -0500
Subject: [Emerging-Sigs] More FakeAV sigs
In-Reply-To: <155301.94117.qm@web113714.mail.gq1.yahoo.com>
References: <256986.67758.qm@web113718.mail.gq1.yahoo.com> <4B421C55.6040400@packetmail.net> <375968.28089.qm@web113703.mail.gq1.yahoo.com> <4B424128.3030902@packetmail.net> <101642.93073.qm@web113704.mail.gq1.yahoo.com> <4B42572E.8070700@packetmail.net> <155301.94117.qm@web113714.mail.gq1.yahoo.com>
Message-ID: <4B44A872.8070101@jonkmans.com>

I think it's ok to do the pcre here. The malware doesn't change that much. We have sigs from 2004 that are still hitting on the same malware package, similar url style catches.

I'll get these posted, thanks guys!

Matt

On 1/5/10 5:40 PM, Packet Hack wrote:
> Anyone else have any opinions? I'm fine with either, and I defer to those with more experience than me :-)
>
> --pkthck
>
> ------------------------------------------------------------------------
> *From:* "evilghost at packetmail.net"
> *To:* Packet Hack; "emerging-sigs at emergingthreats.net"
> *Sent:* Mon, January 4, 2010 4:01:34 PM
> *Subject:* Re: [Emerging-Sigs] More FakeAV sigs
>
> In my experience, I've seen fair amounts of consistency surrounding cast types and URI structures. With the same token I believe they would just as easily adjust the PHP file names/etc.
> That's my opinion but I'll defer to the collective wisdom of the list. I always prefer to be as precise as possible with regard to a variant versus the reduction of usefulness of a signature due to false positive potential. I'm good with whatever is decided upon, what we have here is collectively better than anything I've seen elsewhere including the AV snakeoil.
>
> - evilghost
>
> Packet Hack wrote:
>> I guess that's the thing -- there's no guarantee that the data after code= will always be integers, and if they decide to change their code types we'd end up with false negatives.
>>
>> Looks like I forgot to cc: the list on my last reply -- do you mind if I send it to the list?
>>
>> Jim
>>
>> ________________________________
>> From: "evilghost at packetmail.net"
>> To: Packet Hack
>> Sent: Mon, January 4, 2010 2:27:36 PM
>> Subject: Re: [Emerging-Sigs] More FakeAV sigs
>>
>> I meant anchoring the integers at the end of the URI. The sigs you wrote are very good but I tend to like to anchor cast (ie, all integers) to avoid false positives. For example, "loads.php?code=newpage" won't match the PCRE but does match the URI content match. "loads.php?code=12345" would match the PCRE since the content is of type integer. Make sense? The PCRE won't fire unless the uricontent match succeeds.
>>
>> These are good sigs even without the PCRE, I just like to be precise as possible and as reasonable to avoid false positives. The list may feel differently and not like the PCRE.
>>
>> -evilghost
>>
>> Packet Hack wrote:
>>> Not sure what you mean by match against cast. I'm kinda new to writing sigs, so I'm not sure what the pros are for adding the pcre. I imagine one minus is a performance hit, but there may be others.
>>> >>> When I'm thinking about these I try to keep in mind the things that > might change >>> over time and leave them out if possible, otherwise I'd also be > adding the hostnames >>> for these sigs. >>> >>> What do you think? >>> --pkthck >>> >>> >>> >>> >>> ________________________________ >>> From: "evilghost at packetmail.net " > > >>> Cc: "emerging-sigs at emergingthreats.net > " > > >>> Sent: Mon, January 4, 2010 11:50:29 AM >>> Subject: Re: [Emerging-Sigs] More FakeAV sigs >>> >>> Thanks for these. Thoughts on adding a PCRE to match against cast? >>> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( > msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; > depth:4; content:!"|0d 0a|Referer\: "; nocase; > uricontent:"loads.php?code="; nocase; pcre:"/loads\.php\?code=\d+$/Ui"; >>> classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c > ; > sid:2010xxx; rev:1;) >>> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( > msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; > depth:4; content:!"|0d 0a|Referer\: "; nocase; > uricontent:"cgi-bin/download.pl?code="; nocase; > pcre:"/download\.pl\?code=\d+$/Ui"; >>> classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c > ; > sid:2010xxx; rev:1;) >>> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( > msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; > depth:4; content:!"|0d 0a|Referer\: "; nocase; > uricontent:"cgi-bin/get.pl?l="; nocase; pcre:"/get\.pl\?l=\d+$/Ui"; >>> classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c > ; > sid:2010xxx; rev:1;) >>> >>> -evilghost >>> >>> Packet Hack wrote: >>> >>> >>>> Please double check, thanks. 
>>>> >>>> --pkthck >>>> >>>> -------------------------------- >>>> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( > msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; > depth:4; content:!"|0d 0a|Referer\: "; nocase; > uricontent:"loads.php?code="; nocase; classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c > ; > sid:2010xxx; rev:1;) >>>> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( > msg:"FakeAV/Fakeinit/FraudLoad Download"; content:"GET "; nocase; > depth:4; content:!"|0d 0a|Referer\: "; nocase; > uricontent:"dfghfghgfj.dll"; nocase; classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c > ; > sid:2010xxx; rev:1;) >>>> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( > msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; > depth:4; content:!"|0d 0a|Referer\: "; nocase; > uricontent:"cgi-bin/download.pl?code"; nocase; > classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c > ; > sid:2010xxx; rev:1;) >>>> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( > msg:"FakeAV/Fakeinit/FraudLoad Checkin"; content:"GET "; nocase; > depth:4; content:!"|0d 0a|Referer\: "; nocase; > uricontent:"cgi-bin/get.pl?l="; nocase; classtype:trojan-activity; > reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c > ; > sid:2010xxx; rev:1;) >>>> >>>> >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> _______________________________________________ >>>> Emerging-sigs mailing list >>>> Emerging-sigs at emergingthreats.net > >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>> >>>> >>>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net > >>> 
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> >>> >>> >>> >>> >> >> >> >> >> > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Wed Jan 6 10:21:40 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 06 Jan 2010 10:21:40 -0500 Subject: [Emerging-Sigs] Rule Performance (Serv-U directory traversal vulnerability) In-Reply-To: References: <314cf0831001060516k27e23695kdd7a70548c7dbb17@mail.gmail.com> <314cf0831001060601n575cf97fo2cb5c9b3e8adda2@mail.gmail.com> Message-ID: <4B44AA84.409@jonkmans.com> Done! On 1/6/10 9:37 AM, Kevin Ross wrote: > Good then likely SIDs 2001210,2001211,2001212,2001213 and 2001215 can be > removed from emerging-exploit I would reckon. > > 2010/1/6 Joel Esler > > > General rule of thumb is, "don't duplicate signatures cause you can" > > So, I wouldn't add #1, as you said, it's already detected with 2338. > 2338 can also detect much more. But yes, the preprocessor should > catch that too. > > Preprocessor should catch the second one, yes. > > J > > > On Wed, Jan 6, 2010 at 8:58 AM, Kevin Ross > wrote: > > I think these two would also be detected by the FTP preprocessor > also. 
Even if it isn't I am sure the LIST -l one pretty much > just replicates the function of sid 2338 (FTP LIST buffer > overflow attempt) with the addition of a -l > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP > Serv-U LIST -l Parameter Buffer Overflow"; flow: > to_server,established; content:"LIST -l\:"; nocase; isdataat: > 134,relative; > reference:url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001213 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001213; rev:8;) > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT > FTP Serv-U Server Long Filename Stack Overflow Vulnerability"; > flow: to_server,established; content:"chmod"; nocase; > pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; > reference:url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001215 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001215; rev:9;) > > > 2010/1/6 Joel Esler > > > Does anyone have pcaps for these? I have a sneaky suspicion > that the FTP preprocessor should alert on these. > > J > > On Wed, Jan 6, 2010 at 8:00 AM, Kevin Ross > > > wrote: > > Hey, here are two rules which could possibly be > disabled, modified or removed for performance. See > comments (-). Kev > > - Possibly disable by default or retire for performance > as it is just PCRE with no content matches. I don't > really know how old the vulnerability is though. Also; > based on reading the reference perhaps it may be > possible to write new rules > http://www.securiteam.com/windowsntfocus/6C0041F0KO.html. Content > matches could possibly added by doing checks for GET CWD > and PUT then that a %20 character also exists before the > PCRE. 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET > EXPLOIT FTP Serv-U directory traversal vulnerability > (1)"; flow: to_server,established; > pcre:"/\\[\.]+%20/Bi"; > reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001211 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001211; rev:9;) > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET > EXPLOIT FTP Serv-U directory traversal vulnerability > (2)"; flow: to_server,established; > pcre:"/%20[\.]+\//Bi"; > reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001212 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001212; rev:9;) > > - Example Alternative rules with command and space check > added after the expected space in the command, hence the > distance:1;. 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET > EXPLOIT FTP Serv-U directory traversal vulnerability 1 > (PUT)"; flow: to_server,established; content:"PUT"; > depth:3; content:"|20|"; distance:1; within:40; > pcre:"/\\[\.]+%20/Bi"; > reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001211 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001211; rev:10;) > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET > EXPLOIT FTP Serv-U directory traversal vulnerability 2 > (PUT)"; flow: to_server,established; content:"PUT"; > depth:3; content:"|20|"; distance:1; within:40; > pcre:"/%20[\.]+\//Bi"; > reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001212 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001212; rev:10;) > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET > EXPLOIT FTP Serv-U directory traversal vulnerability 1 > (GET)"; flow: to_server,established; content:"GET"; > depth:3; content:"|20|"; distance:1; within:40; > pcre:"/\\[\.]+%20/Bi"; > reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001211 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001211; rev:10;) > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET > EXPLOIT FTP Serv-U directory traversal vulnerability 2 > (GET)"; flow: to_server,established; content:"GET"; > depth:3; content:"|20|"; distance:1; within:40; > pcre:"/%20[\.]+\//Bi"; > reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001212 > ; > 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001212; rev:10;) > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET > EXPLOIT FTP Serv-U directory traversal vulnerability 1 > (CWD)"; flow: to_server,established; content:"CWD"; > depth:3; content:"|20|"; distance:1; within:30; > pcre:"/\\[\.]+%20/Bi"; > reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001211 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001211; rev:10;) > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET > EXPLOIT FTP Serv-U directory traversal vulnerability 2 > (CWD)"; flow: to_server,established; content:"CWD"; > depth:3; content:"|20|"; distance:1; within:40; > pcre:"/%20[\.]+\//Bi"; > reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html > ; > classtype: misc-activity; > reference:url,doc.emergingthreats.net/bin/view/Main/2001212 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp > ; > sid: 2001212; rev:10;) > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > > > > -- > Joel Esler > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > > > > -- > Joel Esler > > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net 
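The two threads above argue one point from opposite sides. In the FakeAV thread the question is whether an anchored pcre (`/loads\.php\?code=\d+$/Ui`) behind a uricontent gate buys precision; in the Serv-U thread it is whether a cheap content gate in front of a bare pcre buys performance. The evaluator below is an added example, not code from either thread, from Snort or from the Emerging Threats ruleset. It implements a deliberately small subset of the options used in those posts (content with nocase, depth, distance, within and negation; uricontent; pcre with /U) under a simplified relative-search model, and runs both rules over constructed HTTP and FTP lines (example.invalid is a placeholder host, and the traffic is made up, not captured). The trace it returns shows which option decided, so you can see the uricontent hit on code=newpage that the anchored PCRE then rejects, and that the CWD gate never reaches the PCRE on a benign PWD.

```python
"""Toy evaluator for the Snort rule options argued over in this thread.

Added example, not code from the thread, from Snort or from Emerging Threats.
It models content (nocase, depth, distance, within, negation), uricontent and
pcre with a simplified relative search: a relative content starts `distance`
bytes after the previous match ends and must match inside the next `within`
bytes. The URI is taken as the second token of the first line. Real engines
differ (fast-pattern selection, HTTP normalisation, exact within/distance
arithmetic), so use this to reason about ordering and gating only.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    depth: Optional[int] = None      # absolute: must match within the first `depth` bytes
    distance: int = 0                # relative: skip bytes after the previous match
    within: Optional[int] = None     # relative: must match inside this many bytes
    negated: bool = False            # content:!"..."
    relative: bool = False           # set when distance/within are in use
    uri: bool = False                # uricontent: search the URI buffer instead


@dataclass
class Pcre:
    regex: re.Pattern
    uri: bool = False                # the /U flag: run against the URI buffer


def _find(buf: bytes, c: Content, doe: int) -> Optional[int]:
    """End offset of the first match of `c` in `buf` honouring its modifiers, else None."""
    hay, needle = (buf.lower(), c.pattern.lower()) if c.nocase else (buf, c.pattern)
    lo = doe + c.distance if c.relative else 0
    if c.relative and c.within is not None:
        hi = lo + c.within
    elif c.depth is not None:
        hi = c.depth
    else:
        hi = len(hay)
    pos = hay.find(needle, lo, hi)
    return None if pos < 0 else pos + len(needle)


def evaluate(buf: bytes, options: list) -> tuple:
    """Walk the options in order, stopping at the first failure.

    Returns (matched, trace); the trace records which option decided, which is
    how you see that a cheap content miss spares the engine the PCRE."""
    tokens = buf.split(b"\r\n", 1)[0].split(b" ")
    bufs = {"packet": buf, "uri": tokens[1] if len(tokens) > 1 else b""}
    doe = {"packet": 0, "uri": 0}
    trace = []
    for opt in options:
        which = "uri" if opt.uri else "packet"
        if isinstance(opt, Content):
            end = _find(bufs[which], opt, doe[which])
            if opt.negated:
                if end is not None:
                    trace.append(f"!content {opt.pattern!r}: present")
                    return False, trace
                trace.append(f"!content {opt.pattern!r}: absent")
                continue
            if end is None:
                trace.append(f"content {opt.pattern!r}: miss")
                return False, trace
            trace.append(f"content {opt.pattern!r}: hit")
            doe[which] = end
        else:
            if opt.regex.search(bufs[which]) is None:
                trace.append(f"pcre {opt.regex.pattern!r}: miss")
                return False, trace
            trace.append(f"pcre {opt.regex.pattern!r}: hit")
    return True, trace


# FakeAV check-in as posted: GET gate, no Referer, uricontent gate, anchored PCRE.
FAKEAV_CHECKIN = [
    Content(b"GET ", nocase=True, depth=4),
    Content(b"\r\nReferer: ", nocase=True, negated=True),
    Content(b"loads.php?code=", nocase=True, uri=True),
    Pcre(re.compile(rb"loads\.php\?code=\d+$", re.I), uri=True),
]

# Serv-U traversal (1): the PCRE-only original and the proposed CWD-gated revision.
SERVU_TRAVERSAL_PCRE = Pcre(re.compile(rb"\\[\.]+%20", re.I))
SERVU_ORIGINAL = [SERVU_TRAVERSAL_PCRE]
SERVU_CWD_GATED = [
    Content(b"CWD", depth=3),
    Content(b"\x20", relative=True, distance=1, within=40),   # content:"|20|"; distance:1; within:40;
    SERVU_TRAVERSAL_PCRE,
]

# Constructed sample traffic; none of it is captured data.
HTTP_DIGITS = b"GET /loads.php?code=12345 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HTTP_WORD = b"GET /loads.php?code=newpage HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HTTP_REFERER = b"GET /loads.php?code=12345 HTTP/1.1\r\nReferer: http://example.invalid/\r\n\r\n"
FTP_TRAVERSAL = b"CWD \\..%20\r\n"
FTP_BENIGN = b"PWD\r\n"

if __name__ == "__main__":
    for name, buf, rule in [
        ("digits code", HTTP_DIGITS, FAKEAV_CHECKIN),
        ("word code", HTTP_WORD, FAKEAV_CHECKIN),
        ("with referer", HTTP_REFERER, FAKEAV_CHECKIN),
        ("traversal, pcre-only rule", FTP_TRAVERSAL, SERVU_ORIGINAL),
        ("traversal, CWD-gated rule", FTP_TRAVERSAL, SERVU_CWD_GATED),
        ("benign PWD, CWD-gated rule", FTP_BENIGN, SERVU_CWD_GATED),
    ]:
        matched, trace = evaluate(buf, rule)
        print(f"{name:28s} -> {matched}  ({'; '.join(trace)})")
```

One thing the trace makes visible: content:"|20|" is a raw space byte, not the three characters "%20" that the PCRE `\\[\.]+%20` requires, so on a command like `CWD \..%20` the gated rule fails at the second content check even though the ungated rule fires. A gate should be something the PCRE itself already requires (here, content:"%20" after the command) or it trades CPU and false positives for false negatives. The distance/within arithmetic above is a simplification; check the exact semantics of your engine version before relying on the window sizes.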
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jesler at sourcefire.com Tue Jan 5 18:41:54 2010
From: jesler at sourcefire.com (Joel Esler)
Date: Tue, 5 Jan 2010 18:41:54 -0500
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <1262734449.26549.90.camel@localhost>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <1262734449.26549.90.camel@localhost>
Message-ID:

Or, use Snort in inline mode and use the new rate-based rule keywords.

I've suggested this multiple times, to multiple scenarios, to solve problems.

You could even use Marty's iplist patch for superfast performance.

On a side note, I'm on Frank's side, this should be done at the firewall.

J

--
Sent from my iPhone

On Jan 5, 2010, at 6:34 PM, Frank Knobbe wrote:

> oops, wrong SID.
>
> 2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
> 2006546: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
> 2001219: SCAN Potential SSH Scan
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From kevross33 at googlemail.com Wed Jan 6 10:56:41 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 6 Jan 2010 15:56:41 +0000
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To:
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <1262734449.26549.90.camel@localhost>
Message-ID:

If your SSH servers are *nix based you could use ossec. A great HIDS, and with active response you can detect bruteforcing and autoblock regardless of where it comes from.
It is very useful in helping to spot things in logs and very easy to install. Have a peek here http://www.ossec.net/

2010/1/5 Joel Esler

> Or, use Snort in inline mode and use the new rate-based rule keywords.
>
> I've suggested this multiple times, to multiple scenarios, to solve problems.
>
> You could even use Marty's iplist patch for superfast performance.
>
> On a side note, I'm on Frank's side, this should be done at the firewall.
>
> J
>
> --
> Sent from my iPhone
>
> On Jan 5, 2010, at 6:34 PM, Frank Knobbe wrote:
>
> > oops, wrong SID.
> >
> > 2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
> > 2006546: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
> > 2001219: SCAN Potential SSH Scan
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From kevross33 at googlemail.com Wed Jan 6 11:02:16 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 6 Jan 2010 16:02:16 +0000
Subject: [Emerging-Sigs] sig repost (Cisco WLAN sig and Wapiti)
In-Reply-To: <4B44A6F0.4070701@jonkmans.com>
References: <4B4377BE.9070908@jonkmans.com> <4B44A6F0.4070701@jonkmans.com>
Message-ID:

Hmmm, I am not so sure. I think it might be reasonably specific enough to get away with it. No worries though, I am still running it in local.rules because there are a few WLCs about :)

2010/1/6 Matt Jonkman

> I think it's a likely common URI pattern. Probably not unique to Cisco.
> I'm just assuming here though, based on the common terms.
>
> Matt
>
> On 1/5/10 2:26 PM, Kevin Ross wrote:
> > Is /screens/frameset.html common for authorisation? I didn't know that.
> >
> > 2010/1/5 Matt Jonkman
> >
> > Hmmm, on the first one, this could hit on normal traffic unrelated. Nothing to tie it specifically to a Cisco attack. I don't see anything in the vuln report to make this better. Unfortunately.
> >
> > The second one is good though, I think that'll fly.
> >
> > Thanks Kevin!
> >
> > Matt
> >
> > On 1/5/10 10:24 AM, Kevin Ross wrote:
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET /screens/frameset.html"; depth:26; nocase; content:"Authorization|3A 20|Basic"; nocase; within:60; isdataat:70,relative; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; sid:19000001; rev:1;)
> > >
> > > # This replaces my early (poor) attempt at a sig with sid 2008417 in emerging-scan
> > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; classtype:attempted-recon; reference:url,wapiti.sourceforge.net/; sid:1900002; rev:1;)
> > >
> > > Both tested and working against exploit attempts/scans (former tested with metasploit module),
> > > Kev
> > >
> > > _______________________________________________
> > > Emerging-sigs mailing list
> > > Emerging-sigs at emergingthreats.net
> > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From evilghost at packetmail.net Wed Jan 6 11:02:31 2010
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Wed, 6 Jan 2010 10:02:31 -0600
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To:
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <1262734449.26549.90.camel@localhost>
Message-ID: <4B44B417.5030300@packetmail.net>

The real solution is "PasswordAuthentication no" in sshd_config and using key-pair authentication, as well as moving the port off TCP 22.

OSSEC-HIDS is a great product; Daniel Cid and others did some great work on it. It was recently bought out by Trend Micro. I think of OSSEC as "Snort" for logfiles.

-evilghost

Kevin Ross wrote:
> If your SSH servers are *nix based you could use ossec. A great HIDS and with active response you can detect bruteforcing and autoblock regardless of where it comes from.
It is very useful in helping to spot things in logs and > very easy to install. Have a peek here http://www.ossec.net/ > > 2010/1/5 Joel Esler > > >> Or, use Snort in inline mode and use the new rate based rule keywords. >> >> I've suggested this multiple times, to multiple scenarios to solve >> problems. >> >> You could even use marty's iplist patch for superfast performance. >> >> On a side note, I'm on franks side, this should be done at the firewall. >> >> J >> >> -- >> Sent from my iPhone >> >> On Jan 5, 2010, at 6:34 PM, Frank Knobbe wrote: >> >> >>> oops, wrong SID. >>> >>> 2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce >>> Tool >>> 2006546: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce >>> Attack! >>> 2001219: SCAN Potential SSH Scan >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > From spooker at gmail.com Wed Jan 6 11:18:54 2010 From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR)) Date: Wed, 6 Jan 2010 14:18:54 -0200 Subject: [Emerging-Sigs] Contest Enhancement In-Reply-To: <4B44A5F5.1040200@jonkmans.com> References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com> 
<69544301001040822o3853017xbbefc21effa0c676@mail.gmail.com> <4B44A5F5.1040200@jonkmans.com>
Message-ID: <9255886c1001060818l68333eeej5da345e4ef74831a@mail.gmail.com>

I don't know if everybody read that already, but there is a good paper, "Performance Tuning: Rules & Preprocessors", at snort.org:
http://www.snort.org/assets/126/WhitePaper_Snort_PerformanceTuning_2009.pdf

Regards,

On Wed, Jan 6, 2010 at 1:02 PM, Matt Jonkman wrote:
> So to continue the rules contest change discussion, I think we're at the point of thinking an enhancement could be made, but there's not a lot of conviction behind that.
>
> And actually making a rating scheme for signatures WILL be a difficult thing. So maybe we put this on the back burner for a while until more ideas come to light?
>
> Matt
>
> On 1/4/10 11:22 AM, Jules Pagna Disso wrote:
>> Hi Matt,
>>
>> Rating a signature would be tricky. As long as a signature does what it is supposed to do, it is a good signature. I won't think that a signature is good because of its complexity. One way that I would think would be to rate signatures by the number of times they hit on our network, hence a central reporting server. Having a central reporting Prelude or ... server could be good but will give away information that can be exploited by the bad guys.
>>
>> I don't think it's necessary to rate signatures.
>> Jules
>>
>> 2010/1/4 Matt Jonkman
>>
>>     Now that everyone's back in the office I wanted to bring this back up.
>>
>>     1. Do we have any volunteers willing to sit on a panel to rate sigs and their scores averaged
>>
>>     2. Is this worth doing?
>>
>>     3. What criteria should we use to rate?
>>
>>     Hope everyone's holidays were good!
>>
>>     Matt
>>
>>     On 12/29/09 2:23 PM, Matt Jonkman wrote:
>>     > Hey David. I remember when you proposed this originally and I was thinking it might just be overkill for the contest then, but I didn't totally understand what you meant.
>>     > I do now much more. So in the last 6 months of the sig contest I think we've learned:
>>     >
>>     > 1. Geeks will do anything for a t-shirt! (We already knew that, but apparently endless hours of thankless research also are up for grabs.)
>>     >
>>     > 2. I really like the ongoing recognition the leaderboard gives contributors. I know everyone's not in this for glory, but it makes me feel better to have that return available to contributors. Hopefully good numbers up there might help a person get a good job one day.
>>     >
>>     > 3. The contest inspired a lot of talk, thought, and innovation. It really spurred submissions; I could barely keep up some months!
>>     >
>>     > So the contest is valuable, I think, for a lot of reasons. We need to keep it, but I think your (David's) suggestion is a very good one to improve the contest.
>>     >
>>     > It would mean more work for me, which I'm more than willing to work hard, but I am approaching bandwidth saturation with ET, OISF (which we're releasing code in 2 days!!!), and the rest of life. And oh ya, making a living in there somewhere. :) And kids, I'm pretty sure I have kids around here somewhere...
>>     >
>>     > So let me suggest this: I keep putting up the sigs as we do now, they keep coming in the same way. But we set up a committee of 3 or 4 volunteers that score the submissions, either daily or weekly.
>>     >
>>     > We can discuss the exact algorithm later if the above suggestion is palatable. But that way I can keep the sigs flowing smoothly, and the signature contest can offer more reward based on innovation and speed of work. I do appreciate the sigs we've had to date, but this might encourage people to tackle the more difficult problems that might mean
> one sig, but a very high score, vs 20 Joomla sigs.
>>     >
>>     > I'd also suggest that we move this to maybe a quarterly award, or at least every other month. If we have fewer awards, and since we're definitely seeing the value of the contest, I think I could poll some of our sponsors and companies that rely on the ruleset to chip in some more substantial prizes (yes, I'll still keep getting the t-shirts too though!).
>>     >
>>     > What does everyone think about that? The 2 suggestions:
>>     >
>>     > 1. A value-based scoring system run by a disinterested committee
>>     >
>>     > 2. Getting some sponsors to chip in substantial prizes
>>     >
>>     > Matt
>>     >
>>     > On 12/29/09 1:44 PM, David.R.Wharton at regions.com wrote:
>>     >> Agreed that the contest has resulted in an increase in quantity but an overall decrease in quality/usefulness (not that they are not useful, just not so much on average). That is why back in July I proposed a scoring algorithm to encourage people to write rules for new vulnerabilities and the latest malware. What are people's thoughts on this scoring method:
>>     >>
>>     >> 0day: 4 points
>>     >> Within 24 hours of vulnerability disclosure: 3 points
>>     >> Within a week of vulnerability disclosure: 2 points
>>     >> Generic signature: 3 points
>>     >> Malware: 2.5 x log(percentage of VirusTotal non-detections + 10) points (log is base 10 and points round to the nearest integer)
>>     >> Web app specific: always 1 point unless it is for "popular" software (Apache, IIS, PHP, etc.) and in that case normal scoring rules apply. The definition of "popular" software is currently undefined.
>>     >> Joomla or XSS: 0.25 points (just kidding)
>>     >>
>>     >> Of course, this would probably mean more work for Matt....
>>     >> -David
>>     >>
>>     >> From: Matt Jonkman
>>     >> To: "evilghost at packetmail.net"
>>     >> Cc: "emerging-sigs at emergingthreats.net"
>>     >> Date: 12/29/2009 10:40 AM
>>     >> Subject: Re: [Emerging-Sigs] 35mm Slide Gallery imgdir Parameter Directory Traversal
>>     >> Sent by: emerging-sigs-bounces at emergingthreats.net
>>     >>
>>     >> There have been a lot more sigs, and maybe less thought into some of them. I agree completely.
>>     >>
>>     >> But the majority of the sigs that are questionable are in web_specific_apps, which is really what is intended to be in there. That ruleset is not meant to be run whole, just pick the apps you have an interest in.
>>     >>
>>     >> So I think the net effect of the sig contest is a definite increase in the quality and quantity overall.
>>     >>
>>     >> Plus it's a lot of good clean fun. :)
>>     >>
>>     >> Matt
>>     >>
>>     >> On 12/29/09 11:33 AM, evilghost at packetmail.net wrote:
>>     >>> I got nothing in the queue. I wouldn't sit on some signatures to win a T-Shirt, that's certainly not my motivation for contributing to this list. What is curious is the unintended consequences of a contest to promote competition; we get dilution in the quality of the rules because people want to pad their lead. It's almost like bottom posting...
>>     >>>
>>     >>> -evilghost
>>     >>>
>>     >>> Mike Cox wrote:
>>     >>>> Thanks, just hedging my lead. I still worry that evilghost might swoop in at the last minute with a bunch of saved up rules since he got robbed last month.
>>     >>>> There is a lot of low-hanging fruit out there (XSS, ActiveX, Joomla, etc.) to keep more than one Kevin Ross busy :)
>>     >>>>
>>     >>>> -Mike Cox
>>     >>>>
>>     >>>> On Tue, Dec 29, 2009 at 10:16 AM, John Jacobs wrote:
>>     >>>>
>>     >>>>> Mike, thanks for this signature, the five people using this will surely be happy. Looking at http://www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt this is so trivial it has to be a joke.
>>     >>>>>
>>     >>>>> At least you're a shoo-in for a T-Shirt (perhaps at the detriment to the quality of the rules).
>>     >>>>>
>>     >>>>> Cheers
>>     >>>>> -John
>>     >>>>>
>>     >>>>> ------------------------------
>>     >>>>> Date: Tue, 29 Dec 2009 10:08:42 -0600
>>     >>>>> From: mike.cox52 at gmail.com
>>     >>>>> To: Emerging-sigs at emergingthreats.net
>>     >>>>> Subject: [Emerging-Sigs] 35mm Slide Gallery imgdir Parameter Directory Traversal
>>     >>>>>
>>     >>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; uricontent:"index.php?"; nocase; uricontent:"imgdir="; nocase; content:".."; pcre:"/\/index\.php(\?|.*\x26)imgdir=([^\x26\x3B\x0D\x0A]*[\x2F\x5C])?\.\.[\x2F\x5C]/i"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt; sid:2010xxx; rev:1;)
>>     >>>>>
>>     >>>>> Thanks.
>>     >>>>>
>>     >>>>> -Mike Cox
>>     >>>>>
>>     >>>>> _______________________________________________
>>     >>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at emergingthreats.net >> ? ? >> ? ? >>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> ? ? >>>>> >> ? ? >>>>> >> ? ? >>>>> >> ? ? >>>> >> ? ? >>>> >> ? ? >>>> >> ? ? >> >> ? ? ------------------------------------------------------------------------ >> ? ? >>>> >> ? ? >>>> _______________________________________________ >> ? ? >>>> Emerging-sigs mailing list >> ? ? >>>> Emerging-sigs at emergingthreats.net >> ? ? >> ? ? >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> ? ? >>>> >> ? ? >>> _______________________________________________ >> ? ? >>> Emerging-sigs mailing list >> ? ? >>> Emerging-sigs at emergingthreats.net >> ? ? >> ? ? >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> ? ? >> >> ? ? > >> >> ? ? -- >> >> ? ? ---------------------------------------------------- >> ? ? Matthew Jonkman >> ? ? Emerging Threats >> ? ? Open Information Security Foundation (OISF) >> ? ? Phone 765-429-0398 >> ? ? Fax 312-264-0205 >> ? ? http://www.emergingthreats.net >> ? ? http://www.openinfosecfoundation.org >> ? ? ---------------------------------------------------- >> >> ? ? PGP: http://www.jonkmans.com/mattjonkman.asc >> ? ? _______________________________________________ >> ? ? Emerging-sigs mailing list >> ? ? Emerging-sigs at emergingthreats.net >> ? ? >> ? ? 
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -- > > ---------------------------------------------------- > Matthew Jonkman > Emerging Threats > Open Information Security Foundation (OISF) > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > http://www.openinfosecfoundation.org > ---------------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker From jesler at sourcefire.com Wed Jan 6 11:51:15 2010 From: jesler at sourcefire.com (Joel Esler) Date: Wed, 6 Jan 2010 11:51:15 -0500 Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs In-Reply-To: References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <1262734449.26549.90.camel@localhost> Message-ID: <1FCA9C14-4FFC-4329-87D4-9E630BF8EA6C@sourcefire.com> Or, something like denyhosts. -- Sent from my iPhone On Jan 6, 2010, at 10:56 AM, Kevin Ross wrote: > If your SSH servers are *nix based you could use ossec. A great HIDS > and with active response you can detect bruteforcing and autoblock > regardless of where it comes from. It is very useful in helping to > spot things in logs and very easy to install. Have a peek here http://www.ossec.net/ > > 2010/1/5 Joel Esler > Or, use Snort in inline mode and use the new rate based rule keywords. > > I've suggested this multiple times, to multiple scenarios to solve > problems. 
>> You could even use Marty's iplist patch for superfast performance.
>>
>> On a side note, I'm on Frank's side, this should be done at the
>> firewall.
>>
>> J
>>
>> --
>> Sent from my iPhone
>>
>> On Jan 5, 2010, at 6:34 PM, Frank Knobbe wrote:
>>
>>> oops, wrong SID.
>>>
>>> 2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
>>> 2006546: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
>>> 2001219: SCAN Potential SSH Scan

From mail at mare-system.de Wed Jan 6 14:29:11 2010
From: mail at mare-system.de (mex)
Date: Wed, 06 Jan 2010 20:29:11 +0100
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <1FCA9C14-4FFC-4329-87D4-9E630BF8EA6C@sourcefire.com>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <1262734449.26549.90.camel@localhost> <1FCA9C14-4FFC-4329-87D4-9E630BF8EA6C@sourcefire.com>
Message-ID: <4B44E487.2020705@mare-system.de>

thanx for all the suggestions; too much to check for now (denyhosts I know and use, ossec looks fine; I've heard about it but didn't know much) but I'm not quite sure if I want to deploy another level of complexity at the moment.
I'm still not convinced to block the sshbl-ips on my firewall per default (it's like wearing a condom all the time just to be prepared ...), so I'm quite happy with snort-rules that trigger a block when some hostile action is performed (eg ssh-connection-attempts). luckily everybody might create their own philosophy on how to use snort.

I'll keep the droplists online and updated and maybe switch to date-based lists the next days; more infos will be at the link I posted today, I'm not going to bother this list anymore with that topic ;-)

so long and thanx for all the suggestions!!!

mex

From David.R.Wharton at regions.com Wed Jan 6 15:48:44 2010
From: David.R.Wharton at regions.com (David.R.Wharton@regions.com)
Date: Wed, 6 Jan 2010 14:48:44 -0600
Subject: [Emerging-Sigs] Proposed update to "ET POLICY Possible Ecard Trojan download"
Message-ID:

From time to time I see false positives on 2006434:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; uricontent:".exe"; nocase; pcre:"/(card|gif|jpg|jpeg|cartao)\.exe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_HTTP; sid:2006434; rev:5;)

These are due to requests like this:

GET /foobar/r/pdf2gif.exe/cH0s3Pru13s

What if we anchored the PCRE to ensure the .exe is at the end of the URI?
e.g. pcre:"/(card|gif|jpg|jpeg|cartao)\.exe$/Ui"

Thanks.

-David Wharton;

From jesler at sourcefire.com Wed Jan 6 15:57:21 2010
From: jesler at sourcefire.com (Joel Esler)
Date: Wed, 6 Jan 2010 15:57:21 -0500
Subject: [Emerging-Sigs] Proposed update to "ET POLICY Possible Ecard Trojan download"
In-Reply-To:
References:
Message-ID: <826CAB9C-F427-4854-B516-C467F8EC376B@sourcefire.com>

Are you sure you don't want the rule going the other way? What if you anchored it to the flowbit: "exe.download" as found in rule 15306.
Just hear me out, I'm just putting it up for discussion.

J

On Jan 6, 2010, at 3:48 PM, David.R.Wharton at regions.com wrote:

> From time to time I see false positives on 2006434:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; uricontent:".exe"; nocase; pcre:"/(card|gif|jpg|jpeg|cartao)\.exe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_HTTP; sid:2006434; rev:5;)
>
> These are due to requests like this:
>
> GET /foobar/r/pdf2gif.exe/cH0s3Pru13s
>
> What if we anchored the PCRE to ensure the .exe is at the end of the URI?
> e.g. pcre:"/(card|gif|jpg|jpeg|cartao)\.exe$/Ui"
>
> Thanks.
>
> -David Wharton;

From emerging at emergingthreats.net Wed Jan 6 16:00:12 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 6 Jan 2010 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100106210012.F19AD4504E@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Jan 6 16:00:12 2010 [***]

[+++] Added rules: [+++]

    2010626 - ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin (emerging-virus.rules)
    2010627 - ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin (emerging-virus.rules)
    2010628 - ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin (emerging-virus.rules)

[---] Disabled rules: [---]

    2001048 - ET EXPLOIT IE process injection iexplore.exe executable download (emerging-exploit.rules)
    2001099 - ET EXPLOIT Attempt to execute VBScript code (emerging-exploit.rules)
    2001101 - ET EXPLOIT Stealth attempt to execute Javascript code (emerging-exploit.rules)
    2001102 - ET EXPLOIT Stealth attempt to execute VBScript code (emerging-exploit.rules)
    2001103 - ET EXPLOIT Stealth attempt to access SHELL\: (emerging-exploit.rules)
    2001105 - ET EXPLOIT Javascript execution with expression eval (emerging-exploit.rules)
    2001106 - ET EXPLOIT Javascript execution with expression eval hex (emerging-exploit.rules)
    2003230 - ET EXPLOIT Microsoft IE FTP URL Arbitrary Command Injection (emerging-exploit.rules)

[---] Removed rules: [---]

    2001095 - ET EXPLOIT IFRAME ExecCommand vulnerability (emerging-exploit.rules)
    2001210 - ET EXPLOIT FTP Serv-U Local Privilege Escalation Vulnerability (emerging-exploit.rules)
    2001211 - ET EXPLOIT FTP Serv-U directory traversal vulnerability (1) (emerging-exploit.rules)
    2001212 - ET EXPLOIT FTP Serv-U directory traversal vulnerability (2) (emerging-exploit.rules)
    2001213 - ET EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow (emerging-exploit.rules)
    2001215 - ET EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability (emerging-exploit.rules)
    2001401 - ET EXPLOIT IE IFRAME Exploit (emerging-exploit.rules)
    2002682 - ET EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution (emerging-exploit.rules)
    2002860 - ET EXPLOIT Internet Explorer createTextRange Code Execution (emerging-exploit.rules)
    2003109 - ET EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-exploit.rules (1):
        #These sigs are high load and minimal utility.
    -> Added to emerging-sid-msg.map (31):
        2010626 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010626 || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c
        2010627 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010627 || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c
        2010628 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010628 || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c
        2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (31):
        2010626 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010626 || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c
        2010627 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010627 || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c
        2010628 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV || url,doc.emergingthreats.net/2010628 || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c
        2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-exploit.rules (2):
        #Joseph Gama
        # Submitted 2006-09-23 by Nate Bolam

    -> Removed from emerging-sid-msg.map (10):
        2001095 || ET EXPLOIT IFRAME ExecCommand vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2001095 || url,www.securiteam.com/exploits/3D5Q4RFPPK.html
        2001210 || ET EXPLOIT FTP Serv-U Local Privilege Escalation Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001210 || url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html
        2001211 || ET EXPLOIT FTP Serv-U directory traversal vulnerability (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001211 || url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001212 || ET EXPLOIT FTP Serv-U directory traversal vulnerability (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001212 || url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001213 || ET EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001213 || url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html
        2001215 || ET EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001215 || url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html
        2001401 || ET EXPLOIT IE IFRAME Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2001401
        2002682 || ET EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2002682 || cve,2005-1790 || url,www.computerterrorism.com/research/ie/ct21-11-2005 || url,secunia.com/advisories/15546
        2002860 || ET EXPLOIT Internet Explorer createTextRange Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2002860 || cve,2006-1359 || bugtraq,17196
        2003109 || ET EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2003109 || bugtraq,20096 || cve,2006-4868

    -> Removed from emerging-sid-msg.map.txt (10):
        2001095 || ET EXPLOIT IFRAME ExecCommand vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2001095 || url,www.securiteam.com/exploits/3D5Q4RFPPK.html
        2001210 || ET EXPLOIT FTP Serv-U Local Privilege Escalation Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001210 || url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html
        2001211 || ET EXPLOIT FTP Serv-U directory traversal vulnerability (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001211 || url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001212 || ET EXPLOIT FTP Serv-U directory traversal vulnerability (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001212 || url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001213 || ET EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001213 || url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html
        2001215 || ET EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Serv-U_Ftp || url,doc.emergingthreats.net/bin/view/Main/2001215 || url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html
        2001401 || ET EXPLOIT IE IFRAME Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2001401
        2002682 || ET EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2002682 || cve,2005-1790 || url,www.computerterrorism.com/research/ie/ct21-11-2005 || url,secunia.com/advisories/15546
        2002860 || ET EXPLOIT Internet Explorer createTextRange Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2002860 || cve,2006-1359 || bugtraq,17196
        2003109 || ET EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities || url,doc.emergingthreats.net/bin/view/Main/2003109 || bugtraq,20096 || cve,2006-4868

From jules at visionintel.com Wed Jan 6 16:46:11 2010
From: jules at visionintel.com (Jules Pagna Disso)
Date: Wed, 6 Jan 2010 21:46:11 +0000
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To: <4B44A59B.1090808@jonkmans.com>
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com> <4B44A59B.1090808@jonkmans.com>
Message-ID: <69544301001061346p3747cc2dldcf9594e49ba1afc@mail.gmail.com>

hi,

Optimising signatures is definitely important.
Deleting signatures because they have not hit recently is probably not the best thing to do. Recently we have seen "old Trojan/viruses" hit Windows 7. I agree that rules need to be looked at for optimisation but not so much for deletion. At least they can be commented but not deleted.

Jules

2010/1/6 Matt Jonkman
>
> On 1/4/10 11:01 PM, Rich Rumble wrote:
>> On Mon, Jan 4, 2010 at 4:52 PM, Kevin Ross wrote:
>>> Not so much for the competition but if we could go through the rulesets
>>> looking for errors, performance improvements or sigs to possibly disable or
>>> retire if they are not relevant anymore.
>> Hear, hear!
>
> I agree. We do need efforts to clean up old and obsoleted. Sidreporter
> is something toward that, so we can see if rules have hit recently.
> We're still looking for a larger sample size though. If you can please
> contribute! It's anonymous.
>
>>> I am aware that some of my sigs in the emerging-scan category can be
>>> improved upon too as they were when I was first learning and that is
>>> something I will be getting around to. They work, just need improved for
>>> performance.
>> I have a question, how are we to balance snort sigs and suricata sigs?
>> I've not seen anything to tell me the two are different, but I'd assume with
>> protocol detection that perhaps we don't need to include port numbers in a
>> suri sig where we still do in a snort sig?
>
> We are so far just using the snort ruleset, but you're right we will
> have more capabilities (especially as we get more layer 7 protocols into
> the autodetection). Defined ports will become far less important
> (thankfully!).
>
> So we will have to diverge the rulesets. We'll do so at ET, have a stock
> snort ruleset as we do now, and a parallel ruleset for suricata enhanced
> rules. Same coverage though as is possible. Although it's likely that in
> the future we'll have more rules, or better coverage, in suricata
> because of the enhancements.
>
>> I know it's brand new, but I've not seen a doc yet on writing effective
>> suri rules, and perhaps that will come along in the next update.
>
> Yes, that's in the works. The syntax itself is still solidifying for the
> things that are beyond the snort language. But very soon, yes!
>
>> Will there be a need for separate lists for snort/suricata?
>
> I hope not. I think we can continue to discuss threats and the
> signatures will follow as always, just in 2 versions if there is a
> suricata enhancement that can be used.
>
>> Something I've always needed help with is how to write a better sig, and I think
>> there are some sig *stars* on the list that do great work and help others whenever
>> possible, I wish there were more, I wish I were one of them :) I'll keep reading
>> SnortSigs101 and try to get myself in the running for the monthly sig contest.
>> (I think just I've made a new year's resolution... even though I've
>> oxymoronically made it my new year's resolution to not make new year's resolutions... hmm)
>
> Excellent! Glad to have you here. I think this is a great place to learn
> about sigs. I get schooled at least once a week. :)
>
> Matt

From mail at mare-system.de Wed Jan 6 16:52:15 2010
From: mail at mare-system.de (mex)
Date: Wed, 06 Jan 2010 22:52:15 +0100
Subject: [Emerging-Sigs] Proposed Sigs for Malicious / Metasploit-infected PDFs
Message-ID: <4B45060F.2090601@mare-system.de>

in a blogpost I found interesting information regarding metasploit-generated/infected pdfs
http://extraexploit.blogspot.com/search/label/CVE-2009-4324
and I built some sigs around it (see below); the first two sigs simply scan http-traffic in and out for the malicious strings, while the others are sigs with flowbits. I found no information on whether the flowbit-option is pinned to a single ip, so I'm not sure about side effects on sites with tons of legit pdf-downloads.

I tested the rules with some pdfs I found in $SPAM, all with low detection rates @ virustotal:

- CONFIRMATION DE GAIN FREELOTTO.pf
  http://www.virustotal.com/analisis/ffc2bce0acc3e0d313c254fe5da4091d39cf724d08adfb7438ae39681a0ac9fe-1262813177
- FMo9A8pDZNCaw9AVq2uz5d.pdf
  http://www.virustotal.com/analisis/58cdc67dbffb6d2d29eb0f7ce4776e843f6ec3a886ca9e58db3c71d57abeec23-1262748518
- VOTRE_NOTIFICATION_DE_GAIN_MICROSOFT.pdf
  http://www.virustotal.com/analisis/44e4a6f4ac39f15619c346eb49b517df5af3ae08c6f7e6a74d9ba5ccd1a26fd6-1260153904

one problem occurred: I had to set the value [server_flow_depth 1460] (which was unset by default but did not detect the strings in the response-stream) in preprocessor http_inspect_server, which might increase the overall load of the sensor.

I don't know if it makes sense to create a SMTP-outgoing rule for that.
# simple rules

# malicious pdf outgoing (metasploit-infected)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected)"; flow:to_client,established; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220037; rev:2;)
#content:"|25|"; content:"PDF-"; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15;

# malicious pdf incoming (metasploit-infected)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious PDF Transfer incoming (Metasploit-Infected)"; flow:to_client,established; content:"|25|PDF-"; depth:500; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220040; rev:2;)

# flowbit_rule outgoing

# malicious pdf outgoing (metasploit-infected) trigger 1
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Malicious_PDF outgoing Trigger"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:".pdf"; flowbits:set,ET.malicious_pdf; flowbits:noalert; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220041; rev:2;)

# malicious pdf outgoing (metasploit-infected) trigger 2 / alert
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected) flow"; flow:to_client,established; flowbits:isset,ET.malicious_pdf; flowbits:unset,ET.malicious_pdf; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220042; rev:2;)
#content:"|25|"; content:"PDF-"; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15;

# flowbit_rule incoming

# malicious pdf incoming (metasploit-infected) trigger 1
# (the trigger inspects the client's GET request, so it runs from $HOME_NET towards the external web server)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Malicious_PDF incoming Trigger"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:".pdf"; flowbits:set,ET.malicious_pdf; flowbits:noalert; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220043; rev:2;)

# malicious pdf incoming (metasploit-infected) trigger 2 / alert
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious PDF Transfer incoming (Metasploit-Infected) flow"; flow:to_client,established; flowbits:isset,ET.malicious_pdf; flowbits:unset,ET.malicious_pdf; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220044; rev:2;)

From frank at knobbe.us Wed Jan 6 17:53:28 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 06 Jan 2010 16:53:28 -0600
Subject: [Emerging-Sigs] Proposed Sigs for Malicious / Metasploit-infected PDFs
In-Reply-To: <4B45060F.2090601@mare-system.de>
References: <4B45060F.2090601@mare-system.de>
Message-ID: <1262818408.21711.64.camel@localhost>

On Wed, 2010-01-06 at 22:52 +0100, mex wrote:
> # malicious pdf outgoing (metasploit-infected)
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected)"; flow:to_client,established; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220037; rev:2;)
> #content:"|25|"; content:"PDF-"; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15;

Shouldn't that be "distance:0; within:15;" ?

(Same in other rules. offset/depth always count from the beginning of the packet, distance/within from the last match. There never is an offset/within combo)

-Frank

From frank at knobbe.us Wed Jan 6 18:03:36 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 06 Jan 2010 17:03:36 -0600
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To: <4B421249.1040002@jonkmans.com>
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com>
Message-ID: <1262819016.21711.67.camel@localhost>

On Mon, 2010-01-04 at 11:07 -0500, Matt Jonkman wrote:
> Now that everyone's back in the office I wanted to bring this back up.

> 2. Is this worth doing?

No, I don't think it's useful. Sharing signatures should be done to improve the security of everyone, not to get a name on a plate. You can write a lot of signatures for funny things, but that doesn't mean that such signatures should be written.
We really should focus on the issue and create decent sigs, not pump sigs out for everything and their mother. But that's just grumpy me. ;)

-Frank

From mail at mare-system.de Wed Jan 6 18:06:38 2010
From: mail at mare-system.de (mex)
Date: Thu, 07 Jan 2010 00:06:38 +0100
Subject: [Emerging-Sigs] Proposed Sigs for Malicious / Metasploit-infected PDFs
In-Reply-To: <1262818408.21711.64.camel@localhost>
References: <4B45060F.2090601@mare-system.de> <1262818408.21711.64.camel@localhost>
Message-ID: <4B45177E.2000606@mare-system.de>

Frank Knobbe wrote:
> Shouldn't that be "distance:0; within:15;" ?

yeah, sure ... thanx

updates below

# simple rules
# malicious pdf outgoing (metasploit-infected)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected) "; flow:to_client,established; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; distance:0; within:15; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220037; rev:3;)

# malicious pdf incoming (metasploit-infected)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious PDF Transfer incoming (Metasploit-Infected) "; flow:to_client,established; content:"|25|PDF-"; depth:500; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; distance:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220040; rev:3;)

# flowbit_rule outgoing
# malicious pdf outgoing (metasploit-infected) trigger 1
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Malicious_PDF outgoing Trigger"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:".pdf"; flowbits:set,ET.malicious_pdf; flowbits:noalert; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220041; rev:3;)

# malicious pdf outgoing (metasploit-infected) trigger 2 / alert
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected) flow "; flow:to_client,established; flowbits:isset,ET.malicious_pdf; flowbits:unset,ET.malicious_pdf; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; distance:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220042; rev:3;)

# flowbit_rule incoming
# malicious pdf incoming (metasploit-infected) trigger 1
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious_PDF incoming Trigger"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:".pdf"; flowbits:set,ET.malicious_pdf; flowbits:noalert; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220043; rev:3;)

# malicious pdf incoming (metasploit-infected) trigger 2 / alert
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious PDF Transfer incoming (Metasploit-Infected) flow "; flow:to_client,established; flowbits:isset,ET.malicious_pdf; flowbits:unset,ET.malicious_pdf; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; distance:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220044; rev:3;)

From frank at knobbe.us Wed Jan 6 18:07:02 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 06 Jan 2010 17:07:02 -0600
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To: <4B44A59B.1090808@jonkmans.com>
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <6116b9e20912290823i291b9b1ds14fb77e03e23e251@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com> <4B44A59B.1090808@jonkmans.com>
Message-ID: <1262819222.21711.70.camel@localhost>

On Wed, 2010-01-06 at 10:00 -0500, Matt Jonkman wrote:
> I agree. We do need efforts to clean up old and obsoleted.

You know, I'm still getting valid exploit attempts on old, old signatures. We have to be careful not to remove sigs just because they are old, or we *think* the threat may have passed. There are a bunch of sigs ET has removed that I kept in my rule sets, and those still serve me well.

I agree on improving performance of rules though. Instead of just removing hogs, we should improve those pigs and make them oink more efficient.

-Frank
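An added Python example, not part of this thread and not Snort's own code, that works through the offset/depth versus distance/within point Frank raised about mex's PDF rules above, using the rev:3 content chain (content:"|25|PDF-"; depth:500; content:"/Filter"; content:"/FlateDecode"; distance:0; within:15;). The evaluator, its function names and the HTTP/PDF sample payloads are all constructed for this example; refusing to mix an absolute modifier with a relative one is this example's own check, not a statement about Snort's rule parser, and the chain evaluation backtracks over later occurrences of an earlier content, which a relative check needs to behave sensibly.

```python
# Added example (not from the thread, not Snort code): a toy evaluator for
# the content modifiers Frank contrasted. offset/depth are absolute and
# measured from byte 0 of the payload; distance/within are relative and
# measured from the end of the previous content match.

def search_window(payload_len, prev_end, offset=None, depth=None,
                  distance=None, within=None):
    """Return the [start, end) byte window a content may match in.

    prev_end is where the previous content match ended (0 for the first
    content). Mixing an absolute modifier with a relative one is rejected
    here, mirroring Frank's remark that offset/within is not a meaningful
    combination (this check is the example's own, not Snort's parser).
    """
    absolute = offset is not None or depth is not None
    relative = distance is not None or within is not None
    if absolute and relative:
        raise ValueError("offset/depth and distance/within cannot be mixed")
    if relative:
        start = prev_end + (distance or 0)
        end = payload_len if within is None else start + within
    else:
        start = offset or 0
        end = payload_len if depth is None else start + depth
    return start, end


def content_matches(payload, pattern, prev_end=0, nocase=False, **mods):
    """Yield (start, end) for every occurrence of pattern inside its window."""
    hay = payload.lower() if nocase else payload
    needle = pattern.lower() if nocase else pattern
    start, end = search_window(len(hay), prev_end, **mods)
    idx = hay.find(needle, start, end)
    while idx >= 0:
        yield idx, idx + len(needle)
        idx = hay.find(needle, idx + 1, end)


def first_match(payload, pattern, prev_end=0, **mods):
    """First (start, end) satisfying the modifiers, or None."""
    return next(content_matches(payload, pattern, prev_end, **mods), None)


def match_chain(payload, chain, prev_end=0):
    """Evaluate an ordered list of (pattern, modifiers) like a rule body.

    Every occurrence of a content that fits its window is tried as the
    anchor for the next content, so a later "/Filter" can still satisfy a
    relative "/FlateDecode" check when the first one does not.
    """
    if not chain:
        return True
    pattern, mods = chain[0]
    for _start, end in content_matches(payload, pattern, prev_end, **mods):
        if match_chain(payload, chain[1:], end):
            return True
    return False


# content:"|25|PDF-"; nocase; depth:500;
# content:"/Filter"; nocase;
# content:"/FlateDecode"; nocase; distance:0; within:15;
METASPLOIT_PDF_CHAIN = [
    (b"%PDF-", dict(nocase=True, depth=500)),
    (b"/Filter", dict(nocase=True)),
    (b"/FlateDecode", dict(nocase=True, distance=0, within=15)),
]


def flatedecode_rule_fires(payload):
    return match_chain(payload, METASPLOIT_PDF_CHAIN)


# Constructed sample payloads (server-to-client HTTP bodies, not real captures).
HTTP_PDF_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
PDF_HIT = HTTP_PDF_HEAD + b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode /Length 42 >>\nstream\n"
PDF_FAR = (HTTP_PDF_HEAD + b"%PDF-1.4\n1 0 obj\n<< /Filter /DCTDecode /Length 42 >>\nstream\n"
           + b"\x00" * 40 + b"/FlateDecode")
PDF_SECOND_FILTER = (HTTP_PDF_HEAD + b"%PDF-1.4\n1 0 obj\n<< /Filter /DCTDecode >>\n"
                     b"2 0 obj\n<< /Filter /FlateDecode >>\n")
NOT_PDF = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>/Filter /FlateDecode</p>"


if __name__ == "__main__":
    for name, sample in [("PDF_HIT", PDF_HIT), ("PDF_FAR", PDF_FAR),
                         ("PDF_SECOND_FILTER", PDF_SECOND_FILTER), ("NOT_PDF", NOT_PDF)]:
        print(f"{name}: {flatedecode_rule_fires(sample)}")
    # Same pattern with an absolute window: nothing, because /FlateDecode
    # is not in bytes 0..15 of the payload. That is what offset:0 would say.
    print(first_match(PDF_HIT, b"/FlateDecode", offset=0, depth=15))
```

PDF_HIT and PDF_SECOND_FILTER satisfy the chain, PDF_FAR does not because its /FlateDecode sits well beyond 15 bytes after the only /Filter, and NOT_PDF fails on the first content. The last line shows why the relative form matters: searched from byte 0 the pattern is simply not in the window, so an absolute modifier cannot express "shortly after /Filter".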
From wkitty42 at windstream.net Wed Jan 6 19:55:50 2010
From: wkitty42 at windstream.net (waldo kitty)
Date: Wed, 06 Jan 2010 19:55:50 -0500
Subject: [Emerging-Sigs] sshbl.org SSH - Blacklist Sigs
In-Reply-To: <4B44E487.2020705@mare-system.de>
References: <4B430460.3040302@mare-system.de> <1262700894.26549.6.camel@localhost> <4B43AEDA.7090105@windstream.net> <1262733823.26549.83.camel@localhost> <1262734449.26549.90.camel@localhost> <1FCA9C14-4FFC-4329-87D4-9E630BF8EA6C@sourcefire.com> <4B44E487.2020705@mare-system.de>
Message-ID: <4B453116.5070208@windstream.net>

mex wrote:
> (it's like wearing a condom all the time just to be prepared ...),

ROTFLMAO!!! perfect! that's a phrase that i'll have to remember and it fits perfectly with this discussion :) :) :)

From mail at mare-system.de Thu Jan 7 03:08:12 2010
From: mail at mare-system.de (mex)
Date: Thu, 07 Jan 2010 09:08:12 +0100
Subject: [Emerging-Sigs] Proposed Sigs for Malicious / Metasploit-infected PDFs
In-Reply-To:
References: <4B45060F.2090601@mare-system.de>
Message-ID: <4B45966C.1040209@mare-system.de>

it looks like the sigs will hit on a lot of pdfs created around the latest adobe-0-day; i find the string /Filter /FlateDecode in many descriptions of recent malicious pdfs:

http://isc.sans.org/diary.html?storyid=7903
http://isc.sans.org/diary.html?storyid=7867

Kevin Ross wrote:
> I am too tired to look at snort rules the now and figure them out but there is an existing flowbit you can use in emerging-current which was written for the latest Adobe newplayer vulnerability.
> It is this:

(nearly) what i wanted, except for the fact you trigger only the incoming

regards,

mex

From mail at mare-system.de Thu Jan 7 06:29:43 2010
From: mail at mare-system.de (mex)
Date: Thu, 07 Jan 2010 12:29:43 +0100
Subject: [Emerging-Sigs] SSH - Brute-Force Sig
Message-ID: <4B45C5A7.5030108@mare-system.de>

i played a little with the ssh/bruteforce related sigs suggested by frank

2001219: SCAN Potential SSH Scan
this checks barely for the syn-flag on port 22

2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
2001219: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
these two sigs check for the string [ content:"SSH-"; content:"libssh"; ] of the user-request and work well as long as someone doesn't use any other lib/ssh-client for brute forcing.

these two libssh-sigs have nearly the same amount of alerts as the proposed ssh-brute-force sig below, while the sig below catches the client-request, not user-agent.

2001219 produces a lot of fp, regarding to ssh-brute-force-detection. if needed, i can provide the results.

this sig has been tested with openssh-server and bsd/solaris/linux-opensshclient, so i'm not sure if this will fire on other servers than openssh.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH-Connection Brute Force "; flow:to_server,established; content:"|15 00 00 00 00|"; depth:10; threshold: type both, track by_src, count 5, seconds 30; classtype:attempted-user; reference:url,www.sshbl.org/; sid:11220047; rev:3;)

mex

From kevross33 at googlemail.com Thu Jan 7 06:52:09 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 7 Jan 2010 11:52:09 +0000
Subject: [Emerging-Sigs] Contest Enhancement
In-Reply-To: <1262819222.21711.70.camel@localhost>
References: <6116b9e20912290808t1b28ac8ey7d288000ad4cc9d4@mail.gmail.com> <4B3A2F68.8090104@packetmail.net> <4B3A30A5.7030101@jonkmans.com> <4B3A5714.2060402@jonkmans.com> <4B421249.1040002@jonkmans.com> <4B44A59B.1090808@jonkmans.com> <1262819222.21711.70.camel@localhost>
Message-ID:

Perhaps disabling the sig by default is the way to go then if the threat is well past? There are some Microsoft exploits from 2003/2004 and 2005 that should be well patched by now. Though I do partially take the view if blocking is used if that host is hostile, block them regardless of whether or not it would have worked so they don't keep trying.

Performance and accuracy improvements are a worthwhile endeavour I think. It doesn't have to be time consuming, just a fix here and there as we spot them, I am sure with so many eyes looking at the rules we will get an overall performance improvement on the rulesets.

Regards

2010/1/6 Frank Knobbe
> On Wed, 2010-01-06 at 10:00 -0500, Matt Jonkman wrote:
> > I agree. We do need efforts to clean up old and obsoleted.
>
> You know, I'm still getting valid exploit attempts on old, old signatures. We have to be careful not to remove sigs just because they are old, or we *think* the threat may have passed. There are a bunch of sigs ET has removed that I kept in my rule sets, and those still serve me well.
>
> I agree on improving performance of rules though.
> Instead of just removing hogs, we should improve those pigs and make them oink more efficient.
>
> -Frank
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From kevross33 at googlemail.com Thu Jan 7 07:48:36 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 7 Jan 2010 12:48:36 +0000
Subject: [Emerging-Sigs] Proposed Sigs for Malicious / Metasploit-infected PDFs
In-Reply-To: <4B45966C.1040209@mare-system.de>
References: <4B45060F.2090601@mare-system.de> <4B45966C.1040209@mare-system.de>
Message-ID:

I think most installations would be interested in incoming .pdf files so I think that would be adequate avoiding any any statements and using the existing pdf flowbit. I have also written a couple to (hopefully) spot crude javascript obfuscation with pdf documents and just plain javascript usage. I don't know if people might find them useful.
# This is Mex's rule slightly modified for existing flowbit
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT Possible Malicious PDF HTTP File Transfer Incoming (Metasploit Generated PDF)"; flow:established,to_client; flowbits:isset,ET.pdf.request; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; distance:0; content:"/FlateDecode"; nocase; distance:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7867; sid:11220044; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT Possible Basic Javascript Obfuscation (unescape) Within HTTP PDF Document Transfer, Possibly Hostile"; flow:established,to_client; flowbits:isset,ET.pdf.request; content:"|25|PDF-"; content:"unescape"; nocase; distance:0; pcre:"/=\s*unescape/i"; classtype:attempted-user; reference:url,isc.sans.org/diary.html?storyid=7903; sid:19000001; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT Possible Un-Obfuscated Javascript Within .pdf Document, Potentially Hostile"; flow:established,to_client; flowbits:isset,ET.pdf.request; content:"|25|PDF-"; content:"/Javascript"; nocase; distance:0; classtype:misc-activity; reference:url,isc.sans.org/diary.html?storyid=7903; sid:19000002; rev:1;)

Regards,
Kev

2010/1/7 mex
> it looks like the sigs will hit on a lot of pdfs created around the latest adobe-0-day; i find the string /Filter /FlateDecode in many descriptions of recent malicious pdfs:
>
> http://isc.sans.org/diary.html?storyid=7903
> http://isc.sans.org/diary.html?storyid=7867
>
> Kevin Ross wrote:
> > I am too tired to look at snort rules the now and figure them out but there is an existing flowbit you can use in emerging-current which was written for the latest Adobe newplayer vulnerability. It is this:
>
> (nearly) what i wanted, except for the fact you trigger only the incoming
>
> regards,
>
> mex

From mail at mare-system.de Thu Jan 7 08:26:57 2010
From: mail at mare-system.de (mex)
Date: Thu, 07 Jan 2010 14:26:57 +0100
Subject: [Emerging-Sigs] Proposed Sigs for Malicious / Metasploit-infected PDFs
In-Reply-To:
References: <4B45060F.2090601@mare-system.de> <4B45966C.1040209@mare-system.de>
Message-ID: <4B45E121.9010005@mare-system.de>

when i read the story right http://isc.sans.org/diary.html?storyid=7903 the obfuscated code is obtained after running the malicious pdf through pdf-parser.py; i think usually the pdf-doc itself is zipped in any way, just some "headers" are shown, luckily

mex

Kevin Ross wrote:
> I think most installations would be interested in incoming .pdf files so I think that would be adequate avoiding any any statements and using the existing pdf flowbit. I have also written a couple to (hopefully) spot crude javascript obfuscation with pdf documents and just plain javascript usage. I don't know if people might find them useful.
>

From kevross33 at googlemail.com Thu Jan 7 10:43:14 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 7 Jan 2010 15:43:14 +0000
Subject: [Emerging-Sigs] Possible sigs to disable or remove?
Message-ID:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET /screens/frameset.html"; depth:26; nocase; content:"Authorization|3A 20|Basic"; nocase; within:60; isdataat:70,relative; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; sid:19000001; rev:1;)

Sigs which could possibly be disabled by default or removed (see inline comments)

# cve is 2002
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2002845; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Hello; sid:2002845; rev:5;)

# cve is 2001
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "ET EXPLOIT MSIE Hidden Address Bar (Phish)"; flow: to_client,established; content:"window.createpopup"; nocase; content:"innerhtml"; nocase; content:"vuln_"; nocase; reference:url,www.guninski.com/popspoof.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/js.trojan.blinder.html; reference:cve,2001-1410; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001813; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities; sid: 2001813; rev:9;)

# cve is 2004
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT MS05-005 Office XP .doc Remote Code Attempt"; flow:established,to_server; uricontent:".doc"; pcre:"/\x2edoc\x2500.{500}/isU"; classtype:attempted-admin; reference:cve,2004-0848; reference:url,www.frsirt.com/english/advisories/2005/0119; reference:url,doc.emergingthreats.net/bin/view/Main/2001727; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-005; sid:2001727; rev:9;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT MS05-005 Office XP .rtf Remote Code Attempt"; flow:established,to_server; uricontent:".rtf"; pcre:"/\x2ertf\x2500.{500}/isU"; classtype:attempted-admin; reference:cve,2004-0848; reference:url,www.frsirt.com/english/advisories/2005/0119; reference:url,doc.emergingthreats.net/bin/view/Main/2002799; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-005; sid:2002799; rev:5;)

# 2004
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LSASRV_DLL_RPC_Exploit_win2k; sid: 2000046; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "ET EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-007; sid: 2001944; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001369; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001363; rev:7;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little;classtype: misc-activity; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001374; rev:8;)

# 2005
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little;classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-002_ANI_Stack_Overflow; sid: 2001668; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT MS05-005 Office XP .doc Remote Code Attempt"; flow:established,to_server; uricontent:".doc"; pcre:"/\x2edoc\x2500.{500}/isU"; classtype:attempted-admin; reference:cve,2004-0848; reference:url,www.frsirt.com/english/advisories/2005/0119; reference:url,doc.emergingthreats.net/bin/view/Main/2001727; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-005; sid:2001727; rev:9;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT MS05-005 Office XP .rtf Remote Code Attempt"; flow:established,to_server; uricontent:".rtf"; pcre:"/\x2ertf\x2500.{500}/isU"; classtype:attempted-admin; reference:cve,2004-0848; reference:url,www.frsirt.com/english/advisories/2005/0119; reference:url,doc.emergingthreats.net/bin/view/Main/2002799; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-005; sid:2002799; rev:5;)

alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"ET EXPLOIT ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; classtype:attempted-admin; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-011; sid:2002064; rev:7;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT MS05-014 HTML OBJECT tag local zone exploit"; flow: to_client,established; content:"|3C|OBJECT "; nocase; pcre:"/codebase[ \t]*=[ \t]*[\x22\x27].*\?\.exe/isR"; classtype: misc-attack; reference:url,www.microsoft.com/technet/security/bulletin/ms05-014.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001725; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-014; sid: 2001725; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001848; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid: 2001848; rev:7;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001873; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid: 2001873; rev:9;)

# These also FPd a lot for me
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Profile Size"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002120; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Tag Count"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1024,127,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002121; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002121; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002122; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002122; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Tag Count"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1024,129,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002123; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002123; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - PNG with embedded ICC document"; flow:established; content:"|89|PNG|0D 0A 1A 0A|"; content:"iCCP"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002124; rev:3;)

From jonkman at jonkmans.com Thu Jan 7 11:00:40 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 Jan 2010 11:00:40 -0500
Subject: [Emerging-Sigs] Old Rules which possible can be retired
In-Reply-To:
References:
Message-ID: <4B460528.3010605@jonkmans.com>

Agreed. Looking into these all, thanks Kevin!

Matt

On 1/6/10 7:41 AM, Kevin Ross wrote:
> Hey, I think some of these rules can be removed, moved or disabled (mostly due to the age of the vulnerability, 2003/2004 mark usually). See comments (begin -). What do you think?
>
> - Date has passed, likely can be removed as domains have likely gone
>
> #sigs for the ms vidctl 0-day.
> These should be removed in a few days, around 7/10 if the domains are gone
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (milllk.com)"; flow:established,to_server; content:"|0d 0a|Host\: milllk.com|0d 0a|"; depth:200; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009488; rev:3;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (8oy4t.8866.org)"; flow:established,to_server; content:"|0d 0a|Host\: 8oy4t.8866.org|0d 0a|"; depth:200; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009489; rev:3;)
>
> - May 2005 Vulnerability.
> Could possibly move to web-apps or retire if risk has passed
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT wowBB view_user.php SQL Injection"; flow: to_server,established; uricontent:"/wowbb/view_user.php?"; nocase; uricontent:"&sort_by='"; nocase; pcre:"/(alter|delete|insert|select)/i"; reference:bugtraq,13569; classtype: web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_wowBB; sid: 2001932; rev:6;)
>
> - Old, possibly can remove if risk has passed
>
> alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-0597 PNG with indexed color"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:1,=,3,10,relative; flowbits:set,icolor_png; classtype: misc-attack; reference:cve,2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001720; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001720; rev:9;)
>
> alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; flowbits:isset,icolor_png; content:"PLTE"; byte_test:4,>,768,-8,relative; classtype: misc-attack; reference:cve,2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001721; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001721; rev:8;)
>
> alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; flowbits:isset,icolor_png; content:"hIST"; byte_test:4,>,512,-8,relative; classtype: misc-attack; reference:cve,2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001722; rev:8;)
>
> #alert tcp any
> $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT ATmaCA PoC for CORE-2004-0819 - Bad PNG"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,256,17,relative;content:"tRNS"; distance: 4; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001723; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001723; rev:8;)
>
> #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-1244 PNG with bad width"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,0,relative;classtype: misc-attack; reference:cve,2004-1214; reference:url,doc.emergingthreats.net/bin/view/Main/2001718; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001718; rev:7;)
>
> #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-1244 PNG with bad height"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,4,relative;classtype: misc-attack; reference:cve,2004-1214; reference:url,doc.emergingthreats.net/bin/view/Main/2001719; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001719; rev:7;)
>
> #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libpng CAN-2004-1244 overflow attempt"; flow: to_client,established; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:1,=,3,10,relative;content:"tRNS"; byte_test:4,>,256,-8,relative;pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001724; rev:6;)
>
> - Again old, I also disabled them due to quite a few FPs within my network
>
> # False negative warning: JPEG ICC can be fragged into multiple chunks.
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Profile Size"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002120; rev:6;)
>
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Tag Count"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1024,127,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002121; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002121; rev:7;)
>
> # False negative warning: GIF ICC can be fragged into multiple chunks.
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002122; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002122; rev:6;)
>
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Tag Count"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1024,129,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002123; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002123; rev:7;)
>
> - Again old
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little;classtype: misc-activity; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001374; rev:8;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype: shellcode-detect;
> reference:url,doc.emergingthreats.net/bin/view/Main/2001369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001369; rev:7;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001363; rev:7;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001364; rev:7;)
>
> - Old Again
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "ET EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-007; sid: 2001944; rev:6;)

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From kevross33 at googlemail.com Thu Jan 7 11:13:37 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 7 Jan 2010 16:13:37 +0000
Subject: [Emerging-Sigs] More Rules to Disable/Retire

Same as before: sigs which could possibly be disabled by default or removed (see inline comments).

# From 2004
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_NETBIOS_ASN1_Overflow; sid: 2000017; rev:6;)

# From 2005 and Metasploit Specific
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002061; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002062; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002062; rev:4;)

# From 2005
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2002734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF; sid:2002734; rev:5;)

# From 2005, Also not tied to ports and FPd often for me
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Escape Record Exploit - All Ports - v3"; flow:established,from_server; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002733; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF; sid:2002733; rev:9;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Escape Record Exploit - All Ports - v1"; flow:established,from_server; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl_v1; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002759; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF; sid:2002759; rev:3;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Escape Record Exploit - Version 1"; flow:established; flowbits:isset,emerging_wmf_expl_v1;
pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002758; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF; sid:2002758; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Escape Record Exploit - Version 3"; flow:established; flowbits:isset,emerging_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002742; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF; sid:2002742; rev:9;)

# Old or belongs in web-apps possibly
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_awstats_remote_exec; sid: 2001686; rev:13;)

# cve 2004
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft IE
Install Engine Inseng.dll Arbitrary Code Execution" ; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url,osvdb.org/10705; reference:cve,2004-0216; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003231; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003231; rev:8;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)" ; flow:from_server,established; content:" ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,osvdb.org/10705; reference:cve,2004-0216; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003232; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003232; rev:57;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution" ; flow:from_server,established; content:" Shell.Application"; content:"GetLink"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,osvdb.org/7913; reference:cve,2004-2291; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003233; rev:7;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)" ; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; nocase; content:"GetLink"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; reference:url,osvdb.org/7913; reference:cve,2004-2291; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities; sid:2003234; rev:7;)
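Kevin's two messages above sort rules by hand: the year of the vulnerability each rule references, whether it is already commented out, and (per Matt's policy and the ET DROP thread further down in this archive) whether it is also a performance cost. The script below is an added example, not code from the emerging-sigs list or the Emerging Threats ruleset tooling. It parses Snort-format rule lines, takes a best-effort year from CVE/CAN ids, MSyy-nnn bulletin URLs and dated reference URLs, and reports each rule's newest dated reference together with the flags the thread uses. The sample input is constructed: three trimmed copies of rules quoted in this thread plus one made-up `alert ip` rule on a TEST-NET address. CUTOFF_YEAR, the flag names and the year heuristics are assumptions, not anything from the ruleset.

```python
"""Rule-aging triage for a Snort/Suricata rule file. Added example for this
thread, not part of the Emerging Threats ruleset or its tooling: it scripts the
checks the thread applies by hand (newest dated reference per rule, rules that
are already commented out, and 'alert ip' rules as tcp/udp split candidates)."""
import re
from typing import List, Optional

CUTOFF_YEAR = 2006  # assumption: a rule referenced only before this counts as "old"

# Constructed sample input: three trimmed copies of rules quoted in the thread,
# plus one made-up 'alert ip' rule (TEST-NET address, not a real ET rule).
SAMPLE_RULES = r'''
# From 2004
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; sid: 2000017; rev:6;)
# From 2005 and Metasploit Specific
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; sid:2002061; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:5;)
alert ip $HOME_NET any -> 192.0.2.0/24 any (msg:"CONSTRUCTED DROP-style rule, not from the ET ruleset"; classtype:trojan-activity; sid:9000001; rev:1;)
'''

_HEADER = re.compile(r'^\s*(?P<off>#)?\s*(?:alert|drop|log|pass|reject)\s+(?P<proto>\S+)'
                     r'\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<body>.*)\)\s*$')
_CVE = re.compile(r'(?:CVE-|CAN-)?((?:19|20)\d{2})-\d{4,}', re.I)   # CVE-2005-1219, CAN-2003-0818
_MS_BULLETIN = re.compile(r'\bms(\d{2})-\d{3}\b', re.I)              # ms04-007, MS05-036
_DATE = re.compile(r'(?<!\d)((?:19|20)\d{2})-?(?:0[1-9]|1[0-2])-?(?:0[1-9]|[12]\d|3[01])(?!\d)')  # 2005-06-27, 20051228

def split_options(body: str) -> List[str]:
    """Split the option body on ';' outside double quotes, honouring backslash
    escapes (content matches such as "Host\\:" carry escaped characters)."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = ''.join(cur).strip()
    return parts + [tail] if tail else parts

def parse_rule(line: str) -> Optional[dict]:
    """Parse one (possibly '#'-disabled) rule line; comment and blank lines give None."""
    m = _HEADER.match(line)
    if not m:
        return None
    opts, refs = {}, []
    for opt in split_options(m.group('body')):
        key, _, val = opt.partition(':')
        key, val = key.strip().lower(), val.strip()
        if key == 'reference':                      # reference:<type>,<value>
            rtype, _, rval = val.partition(',')
            refs.append((rtype.strip().lower(), rval.strip()))
        else:
            opts[key] = val.strip('"')
    return {'enabled': m.group('off') is None, 'proto': m.group('proto').lower(),
            'sid': int(opts.get('sid', '0')), 'msg': opts.get('msg', ''), 'references': refs}

def reference_year(rtype: str, value: str) -> Optional[int]:
    """Best-effort year of a reference: CVE/CAN ids, MSyy-nnn bulletins and dated
    URLs; a doc/sid URL such as .../Main/2000017 deliberately yields None."""
    if rtype == 'cve':
        m = _CVE.search(value)
        return int(m.group(1)) if m else None
    m = _MS_BULLETIN.search(value)
    if m:
        return 2000 + int(m.group(1))
    m = _DATE.search(value)
    return int(m.group(1)) if m else None

def triage(rules_text: str, cutoff: int = CUTOFF_YEAR) -> List[dict]:
    """Annotate every rule with newest_year and the retirement flags the thread uses."""
    rows = []
    for rule in filter(None, map(parse_rule, rules_text.splitlines())):
        years = [y for y in (reference_year(t, v) for t, v in rule['references']) if y]
        rule['newest_year'] = max(years) if years else None
        flags = []
        if not rule['enabled']:
            flags.append('already-disabled')
        if rule['newest_year'] is None:
            flags.append('no-dated-reference')
        elif rule['newest_year'] < cutoff:
            flags.append('older-than-cutoff')
        if rule['proto'] == 'ip':
            flags.append('ip-rule-split-candidate')  # thread: cheaper as a tcp + udp pair
        rule['flags'] = flags
        rows.append(rule)
    return rows

if __name__ == '__main__':
    for r in triage(SAMPLE_RULES):
        print(r['sid'], r['enabled'], r['newest_year'], ','.join(r['flags']) or '-', r['msg'])
```

Running the file prints one line per rule. Two design points matter for using it on a full ruleset: the year heuristic ignores `doc.emergingthreats.net` and cvsweb URLs, so a rule's own documentation link never counts as a date, and a rule with no dated reference is reported separately rather than treated as old. Age on its own is only half of the criterion Matt states further down (obsolete *and* a measurable performance cost), so the output is a candidate list to check against the engine's profiling data, not a delete list.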
From jlewis at packetnexus.com Thu Jan 7 11:46:54 2010
From: jlewis at packetnexus.com (Jason Lewis)
Date: Thu, 7 Jan 2010 11:46:54 -0500
Subject: [Emerging-Sigs] Malware samples
Message-ID: <554140e81001070846g642c5eb8l2baadffec34a2f4b@mail.gmail.com>

I have a pretty big backlog of malware samples that I'm trying to submit to samples at emerginthreats.net. I've clearly sent too many, so I'm wondering what I should throttle back to. 10 an hour?

SMTP recipient() command failed: : Recipient address rejected: Policy Rejection: --SENDER_QUOTA_REJECTION--

jas

From jonkman at jonkmans.com Thu Jan 7 12:06:52 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 Jan 2010 12:06:52 -0500
Subject: [Emerging-Sigs] Malware samples
In-Reply-To: <554140e81001070846g642c5eb8l2baadffec34a2f4b@mail.gmail.com>
References: <554140e81001070846g642c5eb8l2baadffec34a2f4b@mail.gmail.com>
Message-ID: <4B4614AC.7090303@jonkmans.com>

Hey Jason, appreciate the samples.

We haven't any sender throttling going on in this end. Do you have an intermediary mail server?

Send them as fast as you like, we can handle them!

Matt

On 1/7/10 11:46 AM, Jason Lewis wrote:
> I have a pretty big backlog of malware samples that I'm trying to submit to samples at emerginthreats.net. I've clearly sent too many, so I'm wondering what I should throttle back to. 10 an hour?
>
> SMTP recipient() command failed: : Recipient address rejected: Policy Rejection: --SENDER_QUOTA_REJECTION--
>
> jas
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jlewis at packetnexus.com Thu Jan 7 12:19:36 2010
From: jlewis at packetnexus.com (Jason Lewis)
Date: Thu, 7 Jan 2010 12:19:36 -0500
Subject: [Emerging-Sigs] Malware samples
In-Reply-To: <4B4614AC.7090303@jonkmans.com>
References: <554140e81001070846g642c5eb8l2baadffec34a2f4b@mail.gmail.com> <4B4614AC.7090303@jonkmans.com>
Message-ID: <554140e81001070919i54d28fc8i1cc9a8e302b5a88@mail.gmail.com>

Well, I'm clearly lacking caffeine. My SMTP host is limiting. I assumed from the error that it was on the recipient end.

I have about 600 samples, I'll queue them up.

jas

On Thu, Jan 7, 2010 at 12:06 PM, Matt Jonkman wrote:
> Hey Jason, appreciate the samples.
>
> We haven't any sender throttling going on in this end. Do you have an intermediary mail server?
>
> Send them as fast as you like, we can handle them!
>
> Matt
>
> On 1/7/10 11:46 AM, Jason Lewis wrote:
> > I have a pretty big backlog of malware samples that I'm trying to submit to samples at emerginthreats.net. I've clearly sent too many, so I'm wondering what I should throttle back to. 10 an hour?
> >
> > SMTP recipient() command failed: : Recipient address rejected: Policy Rejection: --SENDER_QUOTA_REJECTION--
> >
> > jas
>

From jonkman at jonkmans.com Thu Jan 7 12:31:49 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 Jan 2010 12:31:49 -0500
Subject: [Emerging-Sigs] More bad zip file attachments
Message-ID: <4B461A85.6030902@jonkmans.com>

Posted a sig for it, thanks Jason!

Matt

On 1/7/10 10:56 AM, Weir, Jason wrote:
> Started seeing these this morning inbound email attachments - don't think we have a rule covering them - script kiddies getting lazy - I've seen the 5 digits at the end repeating..
>
> MySpace_document_82788.zip
> MySpace_document_49792.zip
>
> -Jason
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From David.R.Wharton at regions.com Thu Jan 7 12:42:50 2010
From: David.R.Wharton at regions.com (David.R.Wharton@regions.com)
Date: Thu, 7 Jan 2010 11:42:50 -0600
Subject: [Emerging-Sigs] ET DROP Known Bot C&C Traffic rules

After reading this thread -- http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-May/002612.html -- it looks like the RBN rules were changed from "alert ip" and split into "alert tcp" and "alert udp". However, the "ET DROP Known Bot C&C Traffic" rules are still "alert ip". Any reason we don't split these as well? Someone overly interested in seeing ICMP requests to these IPs?

For me these rules are some of the most expensive when it comes to total_ticks so that is why I bring it up.

-David

From jonkman at jonkmans.com Thu Jan 7 13:05:35 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 Jan 2010 13:05:35 -0500
Subject: [Emerging-Sigs] ET DROP Known Bot C&C Traffic rules
Message-ID: <4B46226F.3010600@jonkmans.com>

You're right, these will improve a lot if we do. I meant to really when we did the others but it slipped my mind.

Done, updating now, these look correct?

Matt

On 1/7/10 12:42 PM, David.R.Wharton at regions.com wrote:
> After reading this thread -- http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-May/002612.html -- it looks like the RBN rules were changed from "alert ip" and split into "alert tcp" and "alert udp". However, the "ET DROP Known Bot C&C Traffic" rules are still "alert ip". Any reason we don't split these as well? Someone overly interested in seeing ICMP requests to these IPs?
>
> For me these rules are some of the most expensive when it comes to total_ticks so that is why I bring it up.
>
> -David

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Jan 7 13:09:39 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 Jan 2010 13:09:39 -0500
Subject: [Emerging-Sigs] Disable/retire
Message-ID: <4B462363.1090306@jonkmans.com>

I understand the concerns on removing old rules. I'm definitely not in favor of removing a lot of rules that could re-fire. We see malware especially go away and re-emerge a year or more later.

So my personal policy in retiring a rule will be that not only is it VERY obviously obsolete, but it also needs to be inefficient or in some other way a detriment to overall performance. If it's both of those to a degree that outweighs any risk of missing a re-emergence then I'll consider dumping. But most I think we can disable and be safer. But VERY bad and VERY inefficient rules I'd rather remove.

I'll be clear on what we do though, that good by all?
Matt

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Jan 7 13:23:10 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 Jan 2010 13:23:10 -0500
Subject: [Emerging-Sigs] More Rules to Disable/Retire
Message-ID: <4B46268E.9060408@jonkmans.com>

Comments inline:

On 1/7/10 11:13 AM, Kevin Ross wrote:
> # From 2004
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_NETBIOS_ASN1_Overflow; sid: 2000017; rev:6;)

I vote we keep this one in. Load is relatively low. Are people seeing a lot of FPs? I think this vuln is still one that the standard scanners and malware look for.
>
> # From 2005 and Metasploit Specific
> alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002061; rev:4;)

Again, low load, but since it is specific to MSF we could consider disabling. Thoughts?

>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002062; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002062; rev:4;)

Same as above.

>
> # From 2005
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2002734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF; sid:2002734; rev:5;)

I see massive FPs on this one. Load isn't bad, but I think it's getting to the end of useful.
I'll disable unless I hear comments otherwise. Oh wait, it is already disabled. :) I say we leave it there. Good?

>
> # From 2005, Also not tied to ports and FPd often for me
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Escape Record Exploit - All Ports - v3"; flow:established,from_server; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002733; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF; sid:2002733; rev:9;)
>

Ya, also disabled, but I think this is one we can let go away for its horrible performance.

> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Escape Record Exploit - All Ports - v1"; flow:established,from_server; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl_v1; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002759; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF; sid:2002759; rev:3;)
>

Same, killing the above for performance reasons.
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF > Escape Record Exploit - Version 1"; flow:established; > flowbits:isset,emerging_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; > flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; > flowbits:unset,emerging_wmf_expl_v1; classtype:attempted-user; > threshold:type limit, track by_src, count 1,seconds 120; > reference:url,www.frsirt.com/english/advisories/2005/3086 > ; > reference:url,doc.emergingthreats.net/bin/view/Main/2002758 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF > ; > sid:2002758; rev:6;) > Killing. > #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF > Escape Record Exploit - Version 3"; flow:established; > flowbits:isset,emerging_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; > flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; > flowbits:unset,emerging_wmf_expl_v1; classtype:attempted-user; > threshold:type limit, track by_src, count 1,seconds 120; > reference:url,www.frsirt.com/english/advisories/2005/3086 > ; > reference:url,doc.emergingthreats.net/bin/view/Main/2002742 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF > ; > sid:2002742; rev:9;) Same > > # Old or belongs in web-apps possibly > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET > EXPLOIT Awstats Remote Code Execution Attempt"; flow: > established,from_client; uricontent:"/awstats.pl ?"; > nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; > reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php > ; > reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php > ; > reference:url,awstats.sourceforge.net ; > reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false > ; > reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: > web-application-attack; > 
reference:url,doc.emergingthreats.net/bin/view/Main/2001686 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_awstats_remote_exec > ; > sid: 2001686; rev:13;) Moved to specific_apps with the other awstats sigs. > > # cve 2004 > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code > Execution" ; flow:from_server,established; > content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; > content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; > reference:url, osvdb.org/10705 ; > reference:cve,2004-0216; classtype:attempted-user; > reference:url,doc.emergingthreats.net/2003231 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities > ; > sid:2003231; rev:8;) I say disable here. Performance isn't TOO awful bad, but I'd hate to try to track these down. 
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code > Execution" ; flow:from_server,established; > content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; > content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; > reference:url, osvdb.org/10705 ; > reference:cve,2004-0216; classtype:attempted-user; > reference:url,doc.emergingthreats.net/2003231 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities > ; > sid:2003231; rev:8;) Same, disabling > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code > Execution (2)" ; flow:from_server,established; content:" > ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; > content:"SetCifFile"; nocase; > pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; > reference:url, osvdb.org/10705 ; > reference:cve,2004-0216; classtype:attempted-user; > reference:url,doc.emergingthreats.net/2003232 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities > ; > sid:2003232; rev:57;) > Same, disabling > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary > Command Execution" ; flow:from_server,established; content:" > Shell.Application"; content:"GetLink"; nocase; > 
pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; > reference:url, osvdb.org/7913 ; > reference:cve,2004-2291; classtype:attempted-user; > reference:url,doc.emergingthreats.net/2003233 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities > ; > sid:2003233; rev:7;) Same, disabling > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT > ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary > Command Execution (2)" ; flow:from_server,established; > content:"13709620-C279-11CE-A49E-444553540000"; nocase; > content:"GetLink"; nocase; > pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; > reference:url, osvdb.org/7913 ; > reference:cve,2004-2291; classtype:attempted-user; > reference:url,doc.emergingthreats.net/2003234 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_IE_Vulnerabilities > ; > sid:2003234; rev:7;) > Same, disabling. If anyone disagrees please speak up! Happy to change. Thanks Kevin! Matt ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Thu Jan 7 14:00:31 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Thu, 07 Jan 2010 14:00:31 -0500 Subject: [Emerging-Sigs] Old Rules which possible can be retired In-Reply-To: References: Message-ID: <4B462F4F.5070304@jonkmans.com> All handled or moved, thanks! 
Matt

On 1/6/10 7:41 AM, Kevin Ross wrote:
> Hey, I think some of these rules can be removed, moved or disabled (mostly due to the age of the vulnerability, 2003/2004 mark usually). See comments (begin -). What do you think?
>
> - Date has passed, likely can be removed as domains have likely gone
>
> #sigs for the ms vidctl 0-day. These should be removed in a few days, around 7/10 if the domains are gone
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (milllk.com)"; flow:established,to_server; content:"|0d 0a|Host\: milllk.com|0d 0a|"; depth:200; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009488; rev:3;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (8oy4t.8866.org)"; flow:established,to_server; content:"|0d 0a|Host\: 8oy4t.8866.org|0d 0a|"; depth:200; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009489; rev:3;)
>
> - May 2005 Vulnerability. Could possibly move to web-apps or retire if risk has passed
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT wowBB view_user.php SQL Injection"; flow: to_server,established; uricontent:"/wowbb/view_user.php?"; nocase; uricontent:"&sort_by='"; nocase; pcre:"/(alter|delete|insert|select)/i"; reference:bugtraq,13569; classtype: web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_wowBB; sid: 2001932; rev:6;)
>
> - Old, possibly can remove if risk has passed
>
> alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-0597 PNG with indexed color"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:1,=,3,10,relative; flowbits:set,icolor_png; classtype: misc-attack; reference:cve,2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001720; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001720; rev:9;)
>
> alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; flowbits:isset,icolor_png; content:"PLTE"; byte_test:4,>,768,-8,relative; classtype: misc-attack; reference:cve,2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001721; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001721; rev:8;)
>
> alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; flowbits:isset,icolor_png; content:"hIST"; byte_test:4,>,512,-8,relative; classtype: misc-attack; reference:cve,2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001722; rev:8;)
>
> #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT ATmaCA PoC for CORE-2004-0819 - Bad PNG"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,256,17,relative;content:"tRNS"; distance: 4; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001723; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001723; rev:8;)
>
> #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-1244 PNG with bad width"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,0,relative;classtype: misc-attack; reference:cve,2004-1214; reference:url,doc.emergingthreats.net/bin/view/Main/2001718; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001718; rev:7;)
>
> #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CAN-2004-1244 PNG with bad height"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,4,relative;classtype: misc-attack; reference:cve,2004-1214; reference:url,doc.emergingthreats.net/bin/view/Main/2001719; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001719; rev:7;)
>
> #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libpng CAN-2004-1244 overflow attempt"; flow: to_client,established; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:1,=,3,10,relative;content:"tRNS"; byte_test:4,>,256,-8,relative;pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_PNG; sid: 2001724; rev:6;)
>
> - Again old, I also disabled them due to quite a few FPs within my network
>
> # False negative warning: JPEG ICC can be fragged into multiple chunks.
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Profile Size"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002120; rev:6;)
>
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Tag Count"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1024,127,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002121; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002121; rev:7;)
>
> # False negative warning: GIF ICC can be fragged into multiple chunks.
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002122; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002122; rev:6;)
>
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Tag Count"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1024,129,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002123; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-036; sid:2002123; rev:7;)
>
> - Again old
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little;classtype: misc-activity; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001374; rev:8;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001369; rev:7;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001363; rev:7;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid: 2001364; rev:7;)
>
> - Old Again
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "ET EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-007; sid: 2001944; rev:6;)

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From pepperjack at afferentsecurity.com Thu Jan 7 14:06:27 2010
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 7 Jan 2010 13:06:27 -0600
Subject: [Emerging-Sigs] More Rules to Disable/Retire
In-Reply-To: <4B46268E.9060408@jonkmans.com>
References: <4B46268E.9060408@jonkmans.com>
Message-ID: <4B4630B3.4020901@afferentsecurity.com>

comments inline also

On 01/07/2010 12:23 PM, Matt Jonkman wrote:
> Comments inline:
>
> On 1/7/10 11:13 AM, Kevin Ross wrote:
>
>> # From 2004
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_NETBIOS_ASN1_Overflow; sid: 2000017; rev:6;)
>>
> I vote we keep this one in. Load is relatively low. Are people seeing a lot of FPs? I think this vuln is still one that the standard scanners and malware look for.
>

this one should never hit unless you allow netbios in through the firewall. On my sensors I have oinkmaster changing the source range to "HOME_NET". The LSASS worm exploited this to spread horizontally across the internal network once a compromised machine was on the inside.
>> # From 2005 and Metasploit Specific
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002061; rev:4;)
>>
> Again, low load, but since it is specific to MSF we could consider disabling. Thoughts?
>

we have a lot of problems with script kiddie hackers running stuff "straight out of the box". We use the nessus and msf rules to cut them off early.

>
> If anyone disagrees please speak up! Happy to change.
>
> Thanks Kevin!
>
> Matt
>

From kevross33 at googlemail.com Thu Jan 7 14:13:08 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 7 Jan 2010 19:13:08 +0000
Subject: [Emerging-Sigs] Disable/retire
In-Reply-To: <4B462363.1090306@jonkmans.com>
References: <4B462363.1090306@jonkmans.com>
Message-ID:

yeah good by me. If we start disabling stuff that is old and does not fire then it can be enabled as people see fit (I know 2005 vulnerabilities won't affect most people but there is always network with tucked away machines that have never managed to be patched for whatever reason). If a threat has completely passed though, i.e. we disable it and there is no issue and no traffic is seen again it can probably be removed. Nice to have a clean up for the next decade of threats :)

2010/1/7 Matt Jonkman

> I understand the concerns on removing old rules. I'm definitely not in favor of removing a lot of rules that could re-fire. We see malware especially go away and re-emerge a year or more later. So my personal policy in retiring a rule will be that not only is it VERY obviously obsolete, but it also needs to be inefficient or in some other way a detriment to overall performance. If it's both of those to a degree that outweighs any risk of missing a re-emergence then I'll consider dumping.
>
> But most I think we can disable and be safer. But VERY bad and VERY inefficient rules I'd rather remove. I'll be clear on what we do though, that good by all?
>
> Matt
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100107/3753baab/attachment.html

From deapesh at gmail.com Thu Jan 7 14:21:02 2010
From: deapesh at gmail.com (Deapesh Misra)
Date: Thu, 7 Jan 2010 14:21:02 -0500
Subject: [Emerging-Sigs] More Rules to Disable/Retire
In-Reply-To: <4B4630B3.4020901@afferentsecurity.com>
References: <4B46268E.9060408@jonkmans.com> <4B4630B3.4020901@afferentsecurity.com>
Message-ID: <22b0e07b1001071121k393e647ax44d8858ff73c8ac2@mail.gmail.com>

> On 01/07/2010 12:23 PM, Matt Jonkman wrote:
>>> # From 2005 and Metasploit Specific
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002061; rev:4;)
>>>
>> Again, low load, but since it is specific to MSF we could consider disabling. Thoughts?
>>

Just a question: did we decide to get rid of MSF (which I guess stands for Metasploit Framework) specific signatures?

Some of these signatures are helpful IMHO, since at least in the initial few days after an exploit has been released via Metasploit, these sigs provide protection against script kiddies.

Although I also agree that sigs for particular exploits lead only to a wrong sense of security due to the umpteen number of subtle changes in the exploit that could result in the sig not firing.

-Deapesh.
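The retire/disable/keep triage this thread is doing by hand can be made repeatable. The following Python helper is an added example, not Emerging Threats or Oinkmaster tooling: it parses rule lines and grades each one on the signals argued over above (commented out or not, age of the referenced vulnerability, Metasploit-specific, and whether the longest content pattern is too short to give the engine a useful fast pattern), then applies Matt's stated policy of retiring only rules that are both obsolete and a performance drag. The sample rules are trimmed copies of three quoted in the thread; the 2005 cutoff and the 6-byte fast-pattern threshold are assumptions.

```python
"""Retirement triage for Snort/ET rules (added example, not Emerging Threats tooling).
Grades each rule on: disabled or not, vulnerability age, Metasploit-specific, and
whether its longest content pattern is too short to be a good fast pattern."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: trimmed copies of three rules quoted in this thread.
SAMPLE_RULES = r'''
# From 2005 and Metasploit Specific
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002061; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Escape Record Exploit - All Ports - v3"; flow:established,from_server; flowbits:isnotset,emerging_wmf_expl; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; classtype:unknown; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "ET EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:cve,CAN-2003-0818; classtype:attempted-admin; sid: 2001944; rev:6;)
'''

# group(1): leading "#" for a disabled rule, group(2): the option body inside (...)
RULE_RE = re.compile(
    r'^(#\s*)?(?:alert|drop|log|pass)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$')
YEAR_RE = re.compile(r'(?<!\d)((?:19|20)\d{2})(?!\d)')
WEAK_FAST_PATTERN_BYTES = 6   # assumption: a shorter longest-content makes a poor fast pattern


@dataclass
class Triage:
    sid: int
    rev: int
    msg: str
    enabled: bool
    vintage: Optional[int]   # earliest year found in references or the group comment
    metasploit_specific: bool
    longest_content: int     # bytes in the longest content/uricontent pattern
    weak_fast_pattern: bool
    verdict: str             # "keep", "disable" or "retire"


def split_options(body: str) -> List[str]:
    """Split a rule body on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if not escaped and ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        escaped = ch == '\\' and not escaped
    tail = ''.join(cur).strip()
    return opts + [tail] if tail else opts


def content_length(pattern: str) -> int:
    """Byte length of a content pattern: hex pairs inside |...|, literal characters outside."""
    total = 0
    for i, part in enumerate(pattern.split('|')):
        if i % 2:
            total += len(re.sub(r'\s+', '', part)) // 2
        else:
            total += len(re.sub(r'\\(.)', r'\1', part))
    return total


def triage(rules_text: str, cutoff_year: int = 2005) -> List[Triage]:
    """Parse rules and grade each; cutoff_year is the 'old' threshold (assumption)."""
    results, group_year = [], None
    for line in rules_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:  # plain comment such as "# From 2005": its year applies to the group below
            found = YEAR_RE.findall(line)
            group_year = int(found[0]) if found else None
            continue
        msg, sid, rev, refs, lengths = '', 0, 0, [], []
        for opt in split_options(m.group(2)):
            key, _, val = opt.partition(':')
            key, val = key.strip().lower(), val.strip()
            if key == 'msg':
                msg = val.strip('"')
            elif key == 'sid':
                sid = int(val)
            elif key == 'rev':
                rev = int(val)
            elif key == 'reference':
                refs.append(val)
            elif key in ('content', 'uricontent'):
                lengths.append(content_length(val.lstrip('!').strip().strip('"')))
        years = [int(y) for r in refs for y in YEAR_RE.findall(r)]
        years += [group_year] if group_year else []
        vintage = min(years) if years else None
        longest = max(lengths, default=0)
        weak = longest < WEAK_FAST_PATTERN_BYTES
        old = vintage is not None and vintage <= cutoff_year
        # Policy stated in the thread: retire only when obsolete AND a performance drag;
        # otherwise just disable, so the rule can come back if the threat re-emerges.
        verdict = 'retire' if old and weak else 'disable' if old else 'keep'
        results.append(Triage(sid, rev, msg, m.group(1) is None, vintage,
                              'metasploit' in (msg + ' '.join(refs)).lower(),
                              longest, weak, verdict))
    return results


if __name__ == '__main__':
    for t in triage(SAMPLE_RULES):
        print(f"{t.sid} rev{t.rev} {'on ' if t.enabled else 'off'} vintage={t.vintage} "
              f"msf={t.metasploit_specific} longest={t.longest_content}B -> {t.verdict}")
```

Feed it a whole emerging-*.rules file to get the same table for every rule; the verdict is a triage hint for the human review the thread describes, not a decision.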
From frank at knobbe.us Thu Jan 7 14:44:05 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 07 Jan 2010 13:44:05 -0600
Subject: [Emerging-Sigs] More Rules to Disable/Retire
In-Reply-To: <22b0e07b1001071121k393e647ax44d8858ff73c8ac2@mail.gmail.com>
References: <4B46268E.9060408@jonkmans.com> <4B4630B3.4020901@afferentsecurity.com> <22b0e07b1001071121k393e647ax44d8858ff73c8ac2@mail.gmail.com>
Message-ID: <1262893445.49909.41.camel@localhost>

On Thu, 2010-01-07 at 14:21 -0500, Deapesh Misra wrote:
> Although I also agree that sigs for particular exploits lead only to a wrong sense of security due to the umpteen number of subtle changes in the exploit that could result in the sig not firing.

But they are the best we had when the exploits were first making their rounds (in CURRENT). Those sigs should of course be replaced by more generic ones over time. But to respond quickly to first sightings, we'll always have specific sigs.

Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100107/404952f8/attachment.bin

From frank at knobbe.us Thu Jan 7 14:48:14 2010
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 07 Jan 2010 13:48:14 -0600
Subject: [Emerging-Sigs] Disable/retire
In-Reply-To:
References: <4B462363.1090306@jonkmans.com>
Message-ID: <1262893694.49909.45.camel@localhost>

On Thu, 2010-01-07 at 19:13 +0000, Kevin Ross wrote:
> yeah good by me. If we start disabling stuff that is old and does not fire then it can be enabled as people see fit (I know 2005 vulnerabilities won't affect most people but there is always network with tucked away machines that have never managed to be patched for whatever reason). If a threat has completely passed though, i.e. we disable it and there is no issue and no traffic is seen again it can probably be removed. Nice to have a clean up for the next decade of threats :)

Keep in mind that this is all a common baseline anyway. Every user of the Emerging-Threats rules should evaluate his needs, and enable/disable signatures based on his environment. The same applies to removals.

-Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100107/5f674bfc/attachment.bin

From kevross33 at googlemail.com Thu Jan 7 15:34:26 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 7 Jan 2010 20:34:26 +0000
Subject: [Emerging-Sigs] More Rules to Disable/Retire
In-Reply-To: <22b0e07b1001071121k393e647ax44d8858ff73c8ac2@mail.gmail.com>
References: <4B46268E.9060408@jonkmans.com> <4B4630B3.4020901@afferentsecurity.com> <22b0e07b1001071121k393e647ax44d8858ff73c8ac2@mail.gmail.com>
Message-ID:

As much as possible we write signatures for vulnerabilities and not specific exploits and that catches all varieties for those that attack vulnerabilities, from metasploit to those that wrote the exploits the same. Metasploit is powerful though and makes script kiddies dangerous also. However, if there is no alternative then a metasploit specific rule may work for a while, it may even match the vulnerability perfectly.

Metasploit though needs sigs though it is getting quite difficult in some regards, for instance it obfuscates, encrypts etc. For instance there are sigs for the meterpreter in attack response which worked fine and detected the meterpreter which is quite a stealthy payload in several regards. However as of the latest metasploit versions it is now encrypted making it more difficult.

2010/1/7 Deapesh Misra

> > On 01/07/2010 12:23 PM, Matt Jonkman wrote:
> >>> # From 2005 and Metasploit Specific
> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002061; rev:4;)
> >>>
> >> Again, low load, but since it is specific to MSF we could consider disabling. Thoughts?
> >>
>
> Just a question: did we decide to get rid of MSF (which I guess stands for Metasploit Framework) specific signatures?
>
> Some of these signatures are helpful IMHO, since at least in the initial few days after an exploit has been released via Metasploit, these sigs provide protection against script kiddies.
>
> Although I also agree that sigs for particular exploits lead only to a wrong sense of security due to the umpteen number of subtle changes in the exploit that could result in the sig not firing.
>
> -Deapesh.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100107/dbfcd9ab/attachment.html

From emerging at emergingthreats.net Thu Jan 7 16:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 7 Jan 2010 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100107210013.916AD4504E@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Jan 7 16:00:13 2010 [***]

[+++] Added rules: [+++]

2001686 - ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt (emerging-web_specific_apps.rules)
2009096 - ET TROJAN Tigger.a/Syzor Control Checkin (emerging-virus.rules)
2010560 - ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 (emerging-web_client.rules)
2010629 - ET CURRENT_EVENTS MySpace Spam Inbound (emerging-current_events.rules)

[///] Modified active rules: [///]

2010565 - ET TROJAN Bebloh C&C HTTP POST (emerging-virus.rules)
2010566 - ET CURRENT_EVENTS Zbot update (av_base/pay.php) (emerging-current_events.rules)
2010567 - ET CURRENT_EVENTS Zbot update (av_base/ip.php) (emerging-current_events.rules)
2010568 - ET CURRENT_EVENTS Zbot update (av-i386-daily.zip) (emerging-current_events.rules)
2010569 - ET TROJAN Trojan Downloader Win32/Small.CBA download (emerging-virus.rules)
2406000 - ET RBN Known Russian Business Network IP TCP (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network IP UDP (1) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network IP TCP (2) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network IP UDP (2) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network IP TCP (3) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network IP UDP (3) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network IP TCP (4) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network IP UDP (4) (emerging-rbn.rules)
2406008 -
2406082 - ET RBN Known Russian Business Network IP TCP (42) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network IP UDP (42) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network IP TCP (43) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network IP UDP (43) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network IP TCP (44) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network IP UDP (44) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network IP TCP (45) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network IP UDP (45) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network IP TCP (46) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network IP UDP (46) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network IP TCP (47) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network IP UDP (47) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network IP TCP (48) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network IP UDP (48) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network IP TCP (49) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network IP UDP (49) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network IP TCP (50) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network IP UDP (50) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network IP TCP (51) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network IP UDP (51) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network IP TCP (52) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network IP UDP (52) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network IP TCP (53) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network IP UDP (53) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network IP TCP 
(54) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network IP UDP (54) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network IP TCP (55) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network IP UDP (55) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network IP TCP (56) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network IP UDP (56) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network IP TCP (57) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network IP UDP (57) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network IP TCP (58) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network IP UDP (58) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network IP TCP (59) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network IP UDP (59) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network IP TCP (60) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network IP UDP (60) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network IP TCP (61) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network IP UDP (61) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network IP TCP (62) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network IP UDP (62) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network IP TCP (63) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network IP UDP (63) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network IP TCP (64) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network IP UDP (64) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network IP TCP (65) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network IP UDP (65) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network IP TCP (66) (emerging-rbn.rules) 2406131 - ET RBN Known 
Russian Business Network IP UDP (66) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network IP TCP (67) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network IP UDP (67) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network IP TCP (68) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network IP UDP (68) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network IP TCP (69) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network IP UDP (69) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network IP TCP (70) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network IP UDP (70) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network IP TCP (71) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network IP UDP (71) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network IP TCP (72) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network IP UDP (72) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network IP TCP (73) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network IP UDP (73) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network IP TCP (74) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network IP UDP (74) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network IP TCP (75) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network IP UDP (75) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network IP TCP (76) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network IP UDP (76) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network IP TCP (77) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network IP UDP (77) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network IP TCP (78) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network IP UDP (78) 
(emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network IP TCP (79) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network IP UDP (79) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network IP TCP (80) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network IP UDP (80) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network IP TCP (81) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network IP UDP (81) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network IP TCP (82) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network IP UDP (82) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network IP TCP (83) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network IP UDP (83) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network IP TCP (84) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network IP UDP (84) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network IP TCP (85) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network IP UDP (85) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network IP TCP (86) (emerging-rbn.rules) 2406171 - ET RBN Known Russian Business Network IP UDP (86) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network IP TCP (87) (emerging-rbn.rules) 2406173 - ET RBN Known Russian Business Network IP UDP (87) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network IP TCP (88) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network IP UDP (88) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network IP TCP (89) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network IP UDP (89) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network IP TCP (90) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network IP UDP (90) (emerging-rbn.rules) 2406180 - ET RBN Known Russian 
Business Network IP TCP (91) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network IP UDP (91) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network IP TCP (92) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network IP UDP (92) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network IP TCP (93) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network IP UDP (93) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network IP TCP (94) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network IP UDP (94) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network IP TCP (95) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network IP UDP (95) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network IP TCP (96) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network IP UDP (96) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network IP TCP (97) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network IP UDP (97) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network IP TCP (98) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network IP UDP (98) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network IP TCP (99) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network IP UDP (99) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network IP TCP (100) (emerging-rbn.rules) 2406199 - ET RBN Known Russian Business Network IP UDP (100) (emerging-rbn.rules) 2406200 - ET RBN Known Russian Business Network IP TCP (101) (emerging-rbn.rules) 2406201 - ET RBN Known Russian Business Network IP UDP (101) (emerging-rbn.rules) 2406202 - ET RBN Known Russian Business Network IP TCP (102) (emerging-rbn.rules) 2406203 - ET RBN Known Russian Business Network IP UDP (102) (emerging-rbn.rules) 2406204 - ET RBN Known Russian Business Network IP TCP (103) 
(emerging-rbn.rules) 2406205 - ET RBN Known Russian Business Network IP UDP (103) (emerging-rbn.rules) 2406206 - ET RBN Known Russian Business Network IP TCP (104) (emerging-rbn.rules) 2406207 - ET RBN Known Russian Business Network IP UDP (104) (emerging-rbn.rules) 2406208 - ET RBN Known Russian Business Network IP TCP (105) (emerging-rbn.rules) 2406209 - ET RBN Known Russian Business Network IP UDP (105) (emerging-rbn.rules) 2406210 - ET RBN Known Russian Business Network IP TCP (106) (emerging-rbn.rules) 2406211 - ET RBN Known Russian Business Network IP UDP (106) (emerging-rbn.rules) 2406212 - ET RBN Known Russian Business Network IP TCP (107) (emerging-rbn.rules) 2406213 - ET RBN Known Russian Business Network IP UDP (107) (emerging-rbn.rules) 2406214 - ET RBN Known Russian Business Network IP TCP (108) (emerging-rbn.rules) 2406215 - ET RBN Known Russian Business Network IP UDP (108) (emerging-rbn.rules) 2406216 - ET RBN Known Russian Business Network IP TCP (109) (emerging-rbn.rules) 2406217 - ET RBN Known Russian Business Network IP UDP (109) (emerging-rbn.rules) 2406218 - ET RBN Known Russian Business Network IP TCP (110) (emerging-rbn.rules) 2406219 - ET RBN Known Russian Business Network IP UDP (110) (emerging-rbn.rules) 2406220 - ET RBN Known Russian Business Network IP TCP (111) (emerging-rbn.rules) 2406221 - ET RBN Known Russian Business Network IP UDP (111) (emerging-rbn.rules) 2406222 - ET RBN Known Russian Business Network IP TCP (112) (emerging-rbn.rules) 2406223 - ET RBN Known Russian Business Network IP UDP (112) (emerging-rbn.rules) 2406224 - ET RBN Known Russian Business Network IP TCP (113) (emerging-rbn.rules) 2406225 - ET RBN Known Russian Business Network IP UDP (113) (emerging-rbn.rules) 2406226 - ET RBN Known Russian Business Network IP TCP (114) (emerging-rbn.rules) 2406227 - ET RBN Known Russian Business Network IP UDP (114) (emerging-rbn.rules) 2406228 - ET RBN Known Russian Business Network IP TCP (115) (emerging-rbn.rules) 2406229 - 
ET RBN Known Russian Business Network IP UDP (115) (emerging-rbn.rules) 2406230 - ET RBN Known Russian Business Network IP TCP (116) (emerging-rbn.rules) 2406231 - ET RBN Known Russian Business Network IP UDP (116) (emerging-rbn.rules) 2406232 - ET RBN Known Russian Business Network IP TCP (117) (emerging-rbn.rules) 2406233 - ET RBN Known Russian Business Network IP UDP (117) (emerging-rbn.rules) 2406234 - ET RBN Known Russian Business Network IP TCP (118) (emerging-rbn.rules) 2406235 - ET RBN Known Russian Business Network IP UDP (118) (emerging-rbn.rules) 2406236 - ET RBN Known Russian Business Network IP TCP (119) (emerging-rbn.rules) 2406237 - ET RBN Known Russian Business Network IP UDP (119) (emerging-rbn.rules) 2406238 - ET RBN Known Russian Business Network IP TCP (120) (emerging-rbn.rules) 2406239 - ET RBN Known Russian Business Network IP UDP (120) (emerging-rbn.rules) 2406240 - ET RBN Known Russian Business Network IP TCP (121) (emerging-rbn.rules) 2406241 - ET RBN Known Russian Business Network IP UDP (121) (emerging-rbn.rules) 2406242 - ET RBN Known Russian Business Network IP TCP (122) (emerging-rbn.rules) 2406243 - ET RBN Known Russian Business Network IP UDP (122) (emerging-rbn.rules) 2406244 - ET RBN Known Russian Business Network IP TCP (123) (emerging-rbn.rules) 2406245 - ET RBN Known Russian Business Network IP UDP (123) (emerging-rbn.rules) 2406246 - ET RBN Known Russian Business Network IP TCP (124) (emerging-rbn.rules) 2406247 - ET RBN Known Russian Business Network IP UDP (124) (emerging-rbn.rules) 2406248 - ET RBN Known Russian Business Network IP TCP (125) (emerging-rbn.rules) 2406249 - ET RBN Known Russian Business Network IP UDP (125) (emerging-rbn.rules) 2406250 - ET RBN Known Russian Business Network IP TCP (126) (emerging-rbn.rules) 2406251 - ET RBN Known Russian Business Network IP UDP (126) (emerging-rbn.rules) 2406252 - ET RBN Known Russian Business Network IP TCP (127) (emerging-rbn.rules) 2406253 - ET RBN Known Russian Business 
Network IP UDP (127) (emerging-rbn.rules) 2406254 - ET RBN Known Russian Business Network IP TCP (128) (emerging-rbn.rules) 2406255 - ET RBN Known Russian Business Network IP UDP (128) (emerging-rbn.rules) 2406256 - ET RBN Known Russian Business Network IP TCP (129) (emerging-rbn.rules) 2406257 - ET RBN Known Russian Business Network IP UDP (129) (emerging-rbn.rules) 2406258 - ET RBN Known Russian Business Network IP TCP (130) (emerging-rbn.rules) 2406259 - ET RBN Known Russian Business Network IP UDP (130) (emerging-rbn.rules) 2406260 - ET RBN Known Russian Business Network IP TCP (131) (emerging-rbn.rules) 2406261 - ET RBN Known Russian Business Network IP UDP (131) (emerging-rbn.rules) 2406262 - ET RBN Known Russian Business Network IP TCP (132) (emerging-rbn.rules) 2406263 - ET RBN Known Russian Business Network IP UDP (132) (emerging-rbn.rules) 2406264 - ET RBN Known Russian Business Network IP TCP (133) (emerging-rbn.rules) 2406265 - ET RBN Known Russian Business Network IP UDP (133) (emerging-rbn.rules) 2406266 - ET RBN Known Russian Business Network IP TCP (134) (emerging-rbn.rules) 2406267 - ET RBN Known Russian Business Network IP UDP (134) (emerging-rbn.rules) 2406268 - ET RBN Known Russian Business Network IP TCP (135) (emerging-rbn.rules) 2406269 - ET RBN Known Russian Business Network IP UDP (135) (emerging-rbn.rules) 2406270 - ET RBN Known Russian Business Network IP TCP (136) (emerging-rbn.rules) 2406271 - ET RBN Known Russian Business Network IP UDP (136) (emerging-rbn.rules) 2406272 - ET RBN Known Russian Business Network IP TCP (137) (emerging-rbn.rules) 2406273 - ET RBN Known Russian Business Network IP UDP (137) (emerging-rbn.rules) 2406274 - ET RBN Known Russian Business Network IP TCP (138) (emerging-rbn.rules) 2406275 - ET RBN Known Russian Business Network IP UDP (138) (emerging-rbn.rules) 2406276 - ET RBN Known Russian Business Network IP TCP (139) (emerging-rbn.rules) 2406277 - ET RBN Known Russian Business Network IP UDP (139) 
(emerging-rbn.rules) 2406278 - ET RBN Known Russian Business Network IP TCP (140) (emerging-rbn.rules) 2406279 - ET RBN Known Russian Business Network IP UDP (140) (emerging-rbn.rules) 2406280 - ET RBN Known Russian Business Network IP TCP (141) (emerging-rbn.rules) 2406281 - ET RBN Known Russian Business Network IP UDP (141) (emerging-rbn.rules) 2406282 - ET RBN Known Russian Business Network IP TCP (142) (emerging-rbn.rules) 2406283 - ET RBN Known Russian Business Network IP UDP (142) (emerging-rbn.rules) 2406284 - ET RBN Known Russian Business Network IP TCP (143) (emerging-rbn.rules) 2406285 - ET RBN Known Russian Business Network IP UDP (143) (emerging-rbn.rules) 2406286 - ET RBN Known Russian Business Network IP TCP (144) (emerging-rbn.rules) 2406287 - ET RBN Known Russian Business Network IP UDP (144) (emerging-rbn.rules) 2406288 - ET RBN Known Russian Business Network IP TCP (145) (emerging-rbn.rules) 2406289 - ET RBN Known Russian Business Network IP UDP (145) (emerging-rbn.rules) 2406290 - ET RBN Known Russian Business Network IP TCP (146) (emerging-rbn.rules) 2406291 - ET RBN Known Russian Business Network IP UDP (146) (emerging-rbn.rules) 2406292 - ET RBN Known Russian Business Network IP TCP (147) (emerging-rbn.rules) 2406293 - ET RBN Known Russian Business Network IP UDP (147) (emerging-rbn.rules) 2406294 - ET RBN Known Russian Business Network IP TCP (148) (emerging-rbn.rules) 2406295 - ET RBN Known Russian Business Network IP UDP (148) (emerging-rbn.rules) 2406296 - ET RBN Known Russian Business Network IP TCP (149) (emerging-rbn.rules) 2406297 - ET RBN Known Russian Business Network IP UDP (149) (emerging-rbn.rules) 2406298 - ET RBN Known Russian Business Network IP TCP (150) (emerging-rbn.rules) 2406299 - ET RBN Known Russian Business Network IP UDP (150) (emerging-rbn.rules) 2406300 - ET RBN Known Russian Business Network IP TCP (151) (emerging-rbn.rules) 2406301 - ET RBN Known Russian Business Network IP UDP (151) (emerging-rbn.rules) 2406302 - 
ET RBN Known Russian Business Network IP TCP (152) (emerging-rbn.rules) 2406303 - ET RBN Known Russian Business Network IP UDP (152) (emerging-rbn.rules) 2406304 - ET RBN Known Russian Business Network IP TCP (153) (emerging-rbn.rules) 2406305 - ET RBN Known Russian Business Network IP UDP (153) (emerging-rbn.rules) 2406306 - ET RBN Known Russian Business Network IP TCP (154) (emerging-rbn.rules) 2406307 - ET RBN Known Russian Business Network IP UDP (154) (emerging-rbn.rules) 2406308 - ET RBN Known Russian Business Network IP TCP (155) (emerging-rbn.rules) 2406309 - ET RBN Known Russian Business Network IP UDP (155) (emerging-rbn.rules) 2406310 - ET RBN Known Russian Business Network IP TCP (156) (emerging-rbn.rules) 2406311 - ET RBN Known Russian Business Network IP UDP (156) (emerging-rbn.rules) 2406312 - ET RBN Known Russian Business Network IP TCP (157) (emerging-rbn.rules) 2406313 - ET RBN Known Russian Business Network IP UDP (157) (emerging-rbn.rules) 2406314 - ET RBN Known Russian Business Network IP TCP (158) (emerging-rbn.rules) 2406315 - ET RBN Known Russian Business Network IP UDP (158) (emerging-rbn.rules) 2406316 - ET RBN Known Russian Business Network IP TCP (159) (emerging-rbn.rules) 2406317 - ET RBN Known Russian Business Network IP UDP (159) (emerging-rbn.rules) 2406318 - ET RBN Known Russian Business Network IP TCP (160) (emerging-rbn.rules) 2406319 - ET RBN Known Russian Business Network IP UDP (160) (emerging-rbn.rules) 2406320 - ET RBN Known Russian Business Network IP TCP (161) (emerging-rbn.rules) 2406321 - ET RBN Known Russian Business Network IP UDP (161) (emerging-rbn.rules) 2406322 - ET RBN Known Russian Business Network IP TCP (162) (emerging-rbn.rules) 2406323 - ET RBN Known Russian Business Network IP UDP (162) (emerging-rbn.rules) 2406324 - ET RBN Known Russian Business Network IP TCP (163) (emerging-rbn.rules) 2406325 - ET RBN Known Russian Business Network IP UDP (163) (emerging-rbn.rules) 2406326 - ET RBN Known Russian Business 
Network IP TCP (164) (emerging-rbn.rules) 2406327 - ET RBN Known Russian Business Network IP UDP (164) (emerging-rbn.rules) 2406328 - ET RBN Known Russian Business Network IP TCP (165) (emerging-rbn.rules) 2406329 - ET RBN Known Russian Business Network IP UDP (165) (emerging-rbn.rules) 2406330 - ET RBN Known Russian Business Network IP TCP (166) (emerging-rbn.rules) 2406331 - ET RBN Known Russian Business Network IP UDP (166) (emerging-rbn.rules) 2406332 - ET RBN Known Russian Business Network IP TCP (167) (emerging-rbn.rules) 2406333 - ET RBN Known Russian Business Network IP UDP (167) (emerging-rbn.rules) 2406334 - ET RBN Known Russian Business Network IP TCP (168) (emerging-rbn.rules) 2406335 - ET RBN Known Russian Business Network IP UDP (168) (emerging-rbn.rules) 2406336 - ET RBN Known Russian Business Network IP TCP (169) (emerging-rbn.rules) 2406337 - ET RBN Known Russian Business Network IP UDP (169) (emerging-rbn.rules) 2406338 - ET RBN Known Russian Business Network IP TCP (170) (emerging-rbn.rules) 2406339 - ET RBN Known Russian Business Network IP UDP (170) (emerging-rbn.rules) 2406340 - ET RBN Known Russian Business Network IP TCP (171) (emerging-rbn.rules) 2406341 - ET RBN Known Russian Business Network IP UDP (171) (emerging-rbn.rules) 2406342 - ET RBN Known Russian Business Network IP TCP (172) (emerging-rbn.rules) 2406343 - ET RBN Known Russian Business Network IP UDP (172) (emerging-rbn.rules) 2406344 - ET RBN Known Russian Business Network IP TCP (173) (emerging-rbn.rules) 2406345 - ET RBN Known Russian Business Network IP UDP (173) (emerging-rbn.rules) 2406346 - ET RBN Known Russian Business Network IP TCP (174) (emerging-rbn.rules) 2406347 - ET RBN Known Russian Business Network IP UDP (174) (emerging-rbn.rules) 2406348 - ET RBN Known Russian Business Network IP TCP (175) (emerging-rbn.rules) 2406349 - ET RBN Known Russian Business Network IP UDP (175) (emerging-rbn.rules) 2406350 - ET RBN Known Russian Business Network IP TCP (176) 
(emerging-rbn.rules) 2406351 - ET RBN Known Russian Business Network IP UDP (176) (emerging-rbn.rules) 2406352 - ET RBN Known Russian Business Network IP TCP (177) (emerging-rbn.rules) 2406353 - ET RBN Known Russian Business Network IP UDP (177) (emerging-rbn.rules) 2406354 - ET RBN Known Russian Business Network IP TCP (178) (emerging-rbn.rules) 2406355 - ET RBN Known Russian Business Network IP UDP (178) (emerging-rbn.rules) 2406356 - ET RBN Known Russian Business Network IP TCP (179) (emerging-rbn.rules) 2406357 - ET RBN Known Russian Business Network IP UDP (179) (emerging-rbn.rules) 2406358 - ET RBN Known Russian Business Network IP TCP (180) (emerging-rbn.rules) 2406359 - ET RBN Known Russian Business Network IP UDP (180) (emerging-rbn.rules) 2406360 - ET RBN Known Russian Business Network IP TCP (181) (emerging-rbn.rules) 2406361 - ET RBN Known Russian Business Network IP UDP (181) (emerging-rbn.rules) 2406362 - ET RBN Known Russian Business Network IP TCP (182) (emerging-rbn.rules) 2406363 - ET RBN Known Russian Business Network IP UDP (182) (emerging-rbn.rules) 2406364 - ET RBN Known Russian Business Network IP TCP (183) (emerging-rbn.rules) 2406365 - ET RBN Known Russian Business Network IP UDP (183) (emerging-rbn.rules) 2406366 - ET RBN Known Russian Business Network IP TCP (184) (emerging-rbn.rules) 2406367 - ET RBN Known Russian Business Network IP UDP (184) (emerging-rbn.rules) 2406368 - ET RBN Known Russian Business Network IP TCP (185) (emerging-rbn.rules) 2406369 - ET RBN Known Russian Business Network IP UDP (185) (emerging-rbn.rules) 2406370 - ET RBN Known Russian Business Network IP TCP (186) (emerging-rbn.rules) 2406371 - ET RBN Known Russian Business Network IP UDP (186) (emerging-rbn.rules) 2406372 - ET RBN Known Russian Business Network IP TCP (187) (emerging-rbn.rules) 2406373 - ET RBN Known Russian Business Network IP UDP (187) (emerging-rbn.rules) 2406374 - ET RBN Known Russian Business Network IP TCP (188) (emerging-rbn.rules) 2406375 - 
ET RBN Known Russian Business Network IP UDP (188) (emerging-rbn.rules) 2406376 - ET RBN Known Russian Business Network IP TCP (189) (emerging-rbn.rules) 2406377 - ET RBN Known Russian Business Network IP UDP (189) (emerging-rbn.rules) 2406378 - ET RBN Known Russian Business Network IP TCP (190) (emerging-rbn.rules) 2406379 - ET RBN Known Russian Business Network IP UDP (190) (emerging-rbn.rules) 2406380 - ET RBN Known Russian Business Network IP TCP (191) (emerging-rbn.rules) 2406381 - ET RBN Known Russian Business Network IP UDP (191) (emerging-rbn.rules) 2406382 - ET RBN Known Russian Business Network IP TCP (192) (emerging-rbn.rules) 2406383 - ET RBN Known Russian Business Network IP UDP (192) (emerging-rbn.rules) 2406384 - ET RBN Known Russian Business Network IP TCP (193) (emerging-rbn.rules) 2406385 - ET RBN Known Russian Business Network IP UDP (193) (emerging-rbn.rules) 2406386 - ET RBN Known Russian Business Network IP TCP (194) (emerging-rbn.rules) 2406387 - ET RBN Known Russian Business Network IP UDP (194) (emerging-rbn.rules) 2406388 - ET RBN Known Russian Business Network IP TCP (195) (emerging-rbn.rules) 2406389 - ET RBN Known Russian Business Network IP UDP (195) (emerging-rbn.rules) 2406390 - ET RBN Known Russian Business Network IP TCP (196) (emerging-rbn.rules) 2406391 - ET RBN Known Russian Business Network IP UDP (196) (emerging-rbn.rules) 2406392 - ET RBN Known Russian Business Network IP TCP (197) (emerging-rbn.rules) 2406393 - ET RBN Known Russian Business Network IP UDP (197) (emerging-rbn.rules) 2406394 - ET RBN Known Russian Business Network IP TCP (198) (emerging-rbn.rules) 2406395 - ET RBN Known Russian Business Network IP UDP (198) (emerging-rbn.rules) 2406396 - ET RBN Known Russian Business Network IP TCP (199) (emerging-rbn.rules) 2406397 - ET RBN Known Russian Business Network IP UDP (199) (emerging-rbn.rules) 2406398 - ET RBN Known Russian Business Network IP TCP (200) (emerging-rbn.rules) 2406399 - ET RBN Known Russian Business 
Network IP UDP (200) (emerging-rbn.rules) 2406400 - ET RBN Known Russian Business Network IP TCP (201) (emerging-rbn.rules) 2406401 - ET RBN Known Russian Business Network IP UDP (201) (emerging-rbn.rules) 2406402 - ET RBN Known Russian Business Network IP TCP (202) (emerging-rbn.rules) 2406403 - ET RBN Known Russian Business Network IP UDP (202) (emerging-rbn.rules) 2406404 - ET RBN Known Russian Business Network IP TCP (203) (emerging-rbn.rules) 2406405 - ET RBN Known Russian Business Network IP UDP (203) (emerging-rbn.rules) 2406406 - ET RBN Known Russian Business Network IP TCP (204) (emerging-rbn.rules) 2406407 - ET RBN Known Russian Business Network IP UDP (204) (emerging-rbn.rules) 2406408 - ET RBN Known Russian Business Network IP TCP (205) (emerging-rbn.rules) 2406409 - ET RBN Known Russian Business Network IP UDP (205) (emerging-rbn.rules) 2406410 - ET RBN Known Russian Business Network IP TCP (206) (emerging-rbn.rules) 2406411 - ET RBN Known Russian Business Network IP UDP (206) (emerging-rbn.rules) 2406412 - ET RBN Known Russian Business Network IP TCP (207) (emerging-rbn.rules) 2406413 - ET RBN Known Russian Business Network IP UDP (207) (emerging-rbn.rules) 2406414 - ET RBN Known Russian Business Network IP TCP (208) (emerging-rbn.rules) 2406415 - ET RBN Known Russian Business Network IP UDP (208) (emerging-rbn.rules) 2406416 - ET RBN Known Russian Business Network IP TCP (209) (emerging-rbn.rules) 2406417 - ET RBN Known Russian Business Network IP UDP (209) (emerging-rbn.rules) 2406418 - ET RBN Known Russian Business Network IP TCP (210) (emerging-rbn.rules) 2406419 - ET RBN Known Russian Business Network IP UDP (210) (emerging-rbn.rules) 2406420 - ET RBN Known Russian Business Network IP TCP (211) (emerging-rbn.rules) 2406421 - ET RBN Known Russian Business Network IP UDP (211) (emerging-rbn.rules) 2406422 - ET RBN Known Russian Business Network IP TCP (212) (emerging-rbn.rules) 2406423 - ET RBN Known Russian Business Network IP UDP (212) 
(emerging-rbn.rules) 2406424 - ET RBN Known Russian Business Network IP TCP (213) (emerging-rbn.rules) 2406425 - ET RBN Known Russian Business Network IP UDP (213) (emerging-rbn.rules) 2406426 - ET RBN Known Russian Business Network IP TCP (214) (emerging-rbn.rules) 2406427 - ET RBN Known Russian Business Network IP UDP (214) (emerging-rbn.rules) 2406428 - ET RBN Known Russian Business Network IP TCP (215) (emerging-rbn.rules) 2406429 - ET RBN Known Russian Business Network IP UDP (215) (emerging-rbn.rules) 2406430 - ET RBN Known Russian Business Network IP TCP (216) (emerging-rbn.rules) 2406431 - ET RBN Known Russian Business Network IP UDP (216) (emerging-rbn.rules) 2406432 - ET RBN Known Russian Business Network IP TCP (217) (emerging-rbn.rules) 2406433 - ET RBN Known Russian Business Network IP UDP (217) (emerging-rbn.rules) 2406434 - ET RBN Known Russian Business Network IP TCP (218) (emerging-rbn.rules) 2406435 - ET RBN Known Russian Business Network IP UDP (218) (emerging-rbn.rules) 2406436 - ET RBN Known Russian Business Network IP TCP (219) (emerging-rbn.rules) 2406437 - ET RBN Known Russian Business Network IP UDP (219) (emerging-rbn.rules) 2406438 - ET RBN Known Russian Business Network IP TCP (220) (emerging-rbn.rules) 2406439 - ET RBN Known Russian Business Network IP UDP (220) (emerging-rbn.rules) 2406440 - ET RBN Known Russian Business Network IP TCP (221) (emerging-rbn.rules) 2406441 - ET RBN Known Russian Business Network IP UDP (221) (emerging-rbn.rules) 2406442 - ET RBN Known Russian Business Network IP TCP (222) (emerging-rbn.rules) 2406443 - ET RBN Known Russian Business Network IP UDP (222) (emerging-rbn.rules) 2406444 - ET RBN Known Russian Business Network IP TCP (223) (emerging-rbn.rules) 2406445 - ET RBN Known Russian Business Network IP UDP (223) (emerging-rbn.rules) 2406446 - ET RBN Known Russian Business Network IP TCP (224) (emerging-rbn.rules) 2406447 - ET RBN Known Russian Business Network IP UDP (224) (emerging-rbn.rules) 2406448 - 
ET RBN Known Russian Business Network IP TCP (225) (emerging-rbn.rules) 2406449 - ET RBN Known Russian Business Network IP UDP (225) (emerging-rbn.rules) 2406450 - ET RBN Known Russian Business Network IP TCP (226) (emerging-rbn.rules) 2406451 - ET RBN Known Russian Business Network IP UDP (226) (emerging-rbn.rules) 2406452 - ET RBN Known Russian Business Network IP TCP (227) (emerging-rbn.rules) 2406453 - ET RBN Known Russian Business Network IP UDP (227) (emerging-rbn.rules) 2406454 - ET RBN Known Russian Business Network IP TCP (228) (emerging-rbn.rules) 2406455 - ET RBN Known Russian Business Network IP UDP (228) (emerging-rbn.rules) 2406456 - ET RBN Known Russian Business Network IP TCP (229) (emerging-rbn.rules) 2406457 - ET RBN Known Russian Business Network IP UDP (229) (emerging-rbn.rules) 2406458 - ET RBN Known Russian Business Network IP TCP (230) (emerging-rbn.rules) 2406459 - ET RBN Known Russian Business Network IP UDP (230) (emerging-rbn.rules) 2406460 - ET RBN Known Russian Business Network IP TCP (231) (emerging-rbn.rules) 2406461 - ET RBN Known Russian Business Network IP UDP (231) (emerging-rbn.rules) 2406462 - ET RBN Known Russian Business Network IP TCP (232) (emerging-rbn.rules) 2406463 - ET RBN Known Russian Business Network IP UDP (232) (emerging-rbn.rules) 2406464 - ET RBN Known Russian Business Network IP TCP (233) (emerging-rbn.rules) 2406465 - ET RBN Known Russian Business Network IP UDP (233) (emerging-rbn.rules) 2406466 - ET RBN Known Russian Business Network IP TCP (234) (emerging-rbn.rules) 2406467 - ET RBN Known Russian Business Network IP UDP (234) (emerging-rbn.rules) 2406468 - ET RBN Known Russian Business Network IP TCP (235) (emerging-rbn.rules) 2406469 - ET RBN Known Russian Business Network IP UDP (235) (emerging-rbn.rules) 2406470 - ET RBN Known Russian Business Network IP TCP (236) (emerging-rbn.rules) 2406471 - ET RBN Known Russian Business Network IP UDP (236) (emerging-rbn.rules) 2406472 - ET RBN Known Russian Business 
Network IP TCP (237) (emerging-rbn.rules) 2406473 - ET RBN Known Russian Business Network IP UDP (237) (emerging-rbn.rules) 2406474 - ET RBN Known Russian Business Network IP TCP (238) (emerging-rbn.rules) 2406475 - ET RBN Known Russian Business Network IP UDP (238) (emerging-rbn.rules) 2406476 - ET RBN Known Russian Business Network IP TCP (239) (emerging-rbn.rules) 2406477 - ET RBN Known Russian Business Network IP UDP (239) (emerging-rbn.rules) 2406478 - ET RBN Known Russian Business Network IP TCP (240) (emerging-rbn.rules) 2406479 - ET RBN Known Russian Business Network IP UDP (240) (emerging-rbn.rules) 2406480 - ET RBN Known Russian Business Network IP TCP (241) (emerging-rbn.rules) 2406481 - ET RBN Known Russian Business Network IP UDP (241) (emerging-rbn.rules) 2406482 - ET RBN Known Russian Business Network IP TCP (242) (emerging-rbn.rules) 2406483 - ET RBN Known Russian Business Network IP UDP (242) (emerging-rbn.rules) 2406484 - ET RBN Known Russian Business Network IP TCP (243) (emerging-rbn.rules) 2406485 - ET RBN Known Russian Business Network IP UDP (243) (emerging-rbn.rules) 2406486 - ET RBN Known Russian Business Network IP TCP (244) (emerging-rbn.rules) 2406487 - ET RBN Known Russian Business Network IP UDP (244) (emerging-rbn.rules) 2406488 - ET RBN Known Russian Business Network IP TCP (245) (emerging-rbn.rules) 2406489 - ET RBN Known Russian Business Network IP UDP (245) (emerging-rbn.rules) 2406490 - ET RBN Known Russian Business Network IP TCP (246) (emerging-rbn.rules) 2406491 - ET RBN Known Russian Business Network IP UDP (246) (emerging-rbn.rules) 2406492 - ET RBN Known Russian Business Network IP TCP (247) (emerging-rbn.rules) 2406493 - ET RBN Known Russian Business Network IP UDP (247) (emerging-rbn.rules) 2406494 - ET RBN Known Russian Business Network IP TCP (248) (emerging-rbn.rules) 2406495 - ET RBN Known Russian Business Network IP UDP (248) (emerging-rbn.rules) 2406496 - ET RBN Known Russian Business Network IP TCP (249) 
(emerging-rbn.rules) 2406497 - ET RBN Known Russian Business Network IP UDP (249) (emerging-rbn.rules) 2406498 - ET RBN Known Russian Business Network IP TCP (250) (emerging-rbn.rules) 2406499 - ET RBN Known Russian Business Network IP UDP (250) (emerging-rbn.rules) 2406500 - ET RBN Known Russian Business Network IP TCP (251) (emerging-rbn.rules) 2406501 - ET RBN Known Russian Business Network IP UDP (251) (emerging-rbn.rules) 2406502 - ET RBN Known Russian Business Network IP TCP (252) (emerging-rbn.rules) 2406503 - ET RBN Known Russian Business Network IP UDP (252) (emerging-rbn.rules) 2406504 - ET RBN Known Russian Business Network IP TCP (253) (emerging-rbn.rules) 2406505 - ET RBN Known Russian Business Network IP UDP (253) (emerging-rbn.rules) 2406506 - ET RBN Known Russian Business Network IP TCP (254) (emerging-rbn.rules) 2406507 - ET RBN Known Russian Business Network IP UDP (254) (emerging-rbn.rules) 2406508 - ET RBN Known Russian Business Network IP TCP (255) (emerging-rbn.rules) 2406509 - ET RBN Known Russian Business Network IP UDP (255) (emerging-rbn.rules) 2406510 - ET RBN Known Russian Business Network IP TCP (256) (emerging-rbn.rules) 2406511 - ET RBN Known Russian Business Network IP UDP (256) (emerging-rbn.rules) 2406512 - ET RBN Known Russian Business Network IP TCP (257) (emerging-rbn.rules) 2406513 - ET RBN Known Russian Business Network IP UDP (257) (emerging-rbn.rules) 2406514 - ET RBN Known Russian Business Network IP TCP (258) (emerging-rbn.rules) 2406515 - ET RBN Known Russian Business Network IP UDP (258) (emerging-rbn.rules) 2406516 - ET RBN Known Russian Business Network IP TCP (259) (emerging-rbn.rules) 2406517 - ET RBN Known Russian Business Network IP UDP (259) (emerging-rbn.rules) 2406518 - ET RBN Known Russian Business Network IP TCP (260) (emerging-rbn.rules) 2406519 - ET RBN Known Russian Business Network IP UDP (260) (emerging-rbn.rules) 2406520 - ET RBN Known Russian Business Network IP TCP (261) (emerging-rbn.rules) 2406521 - 
ET RBN Known Russian Business Network IP UDP (261) (emerging-rbn.rules) 2406522 - ET RBN Known Russian Business Network IP TCP (262) (emerging-rbn.rules) 2406523 - ET RBN Known Russian Business Network IP UDP (262) (emerging-rbn.rules) 2406524 - ET RBN Known Russian Business Network IP TCP (263) (emerging-rbn.rules) 2406525 - ET RBN Known Russian Business Network IP UDP (263) (emerging-rbn.rules) 2406526 - ET RBN Known Russian Business Network IP TCP (264) (emerging-rbn.rules) 2406527 - ET RBN Known Russian Business Network IP UDP (264) (emerging-rbn.rules) 2406528 - ET RBN Known Russian Business Network IP TCP (265) (emerging-rbn.rules) 2406529 - ET RBN Known Russian Business Network IP UDP (265) (emerging-rbn.rules) 2406530 - ET RBN Known Russian Business Network IP TCP (266) (emerging-rbn.rules) 2406531 - ET RBN Known Russian Business Network IP UDP (266) (emerging-rbn.rules) 2406532 - ET RBN Known Russian Business Network IP TCP (267) (emerging-rbn.rules) 2406533 - ET RBN Known Russian Business Network IP UDP (267) (emerging-rbn.rules) 2406534 - ET RBN Known Russian Business Network IP TCP (268) (emerging-rbn.rules) 2406535 - ET RBN Known Russian Business Network IP UDP (268) (emerging-rbn.rules) 2406536 - ET RBN Known Russian Business Network IP TCP (269) (emerging-rbn.rules) 2406537 - ET RBN Known Russian Business Network IP UDP (269) (emerging-rbn.rules) 2406538 - ET RBN Known Russian Business Network IP TCP (270) (emerging-rbn.rules) 2406539 - ET RBN Known Russian Business Network IP UDP (270) (emerging-rbn.rules) 2406540 - ET RBN Known Russian Business Network IP TCP (271) (emerging-rbn.rules) 2406541 - ET RBN Known Russian Business Network IP UDP (271) (emerging-rbn.rules) 2406542 - ET RBN Known Russian Business Network IP TCP (272) (emerging-rbn.rules) 2406543 - ET RBN Known Russian Business Network IP UDP (272) (emerging-rbn.rules) 2406544 - ET RBN Known Russian Business Network IP TCP (273) (emerging-rbn.rules) 2406545 - ET RBN Known Russian Business 
Network IP UDP (273) (emerging-rbn.rules) 2406546 - ET RBN Known Russian Business Network IP TCP (274) (emerging-rbn.rules) 2406547 - ET RBN Known Russian Business Network IP UDP (274) (emerging-rbn.rules) 2406548 - ET RBN Known Russian Business Network IP TCP (275) (emerging-rbn.rules) 2406549 - ET RBN Known Russian Business Network IP UDP (275) (emerging-rbn.rules) 2406550 - ET RBN Known Russian Business Network IP TCP (276) (emerging-rbn.rules) 2406551 - ET RBN Known Russian Business Network IP UDP (276) (emerging-rbn.rules) 2406552 - ET RBN Known Russian Business Network IP TCP (277) (emerging-rbn.rules) 2406553 - ET RBN Known Russian Business Network IP UDP (277) (emerging-rbn.rules) 2406554 - ET RBN Known Russian Business Network IP TCP (278) (emerging-rbn.rules) 2406555 - ET RBN Known Russian Business Network IP UDP (278) (emerging-rbn.rules) 2406556 - ET RBN Known Russian Business Network IP TCP (279) (emerging-rbn.rules) 2406557 - ET RBN Known Russian Business Network IP UDP (279) (emerging-rbn.rules) 2406558 - ET RBN Known Russian Business Network IP TCP (280) (emerging-rbn.rules) 2406559 - ET RBN Known Russian Business Network IP UDP (280) (emerging-rbn.rules) 2406560 - ET RBN Known Russian Business Network IP TCP (281) (emerging-rbn.rules) 2406561 - ET RBN Known Russian Business Network IP UDP (281) (emerging-rbn.rules) 2406562 - ET RBN Known Russian Business Network IP TCP (282) (emerging-rbn.rules) 2406563 - ET RBN Known Russian Business Network IP UDP (282) (emerging-rbn.rules) 2406564 - ET RBN Known Russian Business Network IP TCP (283) (emerging-rbn.rules) 2406565 - ET RBN Known Russian Business Network IP UDP (283) (emerging-rbn.rules) 2406566 - ET RBN Known Russian Business Network IP TCP (284) (emerging-rbn.rules) 2406567 - ET RBN Known Russian Business Network IP UDP (284) (emerging-rbn.rules) 2406568 - ET RBN Known Russian Business Network IP TCP (285) (emerging-rbn.rules) 2406569 - ET RBN Known Russian Business Network IP UDP (285) 
(emerging-rbn.rules) 2406570 - ET RBN Known Russian Business Network IP TCP (286) (emerging-rbn.rules) 2406571 - ET RBN Known Russian Business Network IP UDP (286) (emerging-rbn.rules) 2406572 - ET RBN Known Russian Business Network IP TCP (287) (emerging-rbn.rules) 2406573 - ET RBN Known Russian Business Network IP UDP (287) (emerging-rbn.rules) 2406574 - ET RBN Known Russian Business Network IP TCP (288) (emerging-rbn.rules) 2406575 - ET RBN Known Russian Business Network IP UDP (288) (emerging-rbn.rules) 2406576 - ET RBN Known Russian Business Network IP TCP (289) (emerging-rbn.rules) 2406577 - ET RBN Known Russian Business Network IP UDP (289) (emerging-rbn.rules) 2406578 - ET RBN Known Russian Business Network IP TCP (290) (emerging-rbn.rules) 2406579 - ET RBN Known Russian Business Network IP UDP (290) (emerging-rbn.rules) 2406580 - ET RBN Known Russian Business Network IP TCP (291) (emerging-rbn.rules) 2406581 - ET RBN Known Russian Business Network IP UDP (291) (emerging-rbn.rules) 2406582 - ET RBN Known Russian Business Network IP TCP (292) (emerging-rbn.rules) 2406583 - ET RBN Known Russian Business Network IP UDP (292) (emerging-rbn.rules) 2406584 - ET RBN Known Russian Business Network IP TCP (293) (emerging-rbn.rules) 2406585 - ET RBN Known Russian Business Network IP UDP (293) (emerging-rbn.rules) 2406586 - ET RBN Known Russian Business Network IP TCP (294) (emerging-rbn.rules) 2406587 - ET RBN Known Russian Business Network IP UDP (294) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network IP TCP - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network IP UDP - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network IP TCP - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network IP UDP - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network IP TCP - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN 
Known Russian Business Network IP UDP - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network IP TCP - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network IP UDP - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network IP TCP - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network IP UDP - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network IP TCP - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network IP UDP - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network IP TCP - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network IP UDP - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network IP TCP - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network IP UDP - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network IP TCP - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network IP UDP - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network IP TCP - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network IP UDP - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network IP TCP - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network IP UDP - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network IP TCP - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network IP UDP - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network IP TCP - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network IP UDP - BLOCKING 
(13) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network IP TCP - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network IP UDP - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network IP TCP - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network IP UDP - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network IP TCP - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network IP UDP - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network IP TCP - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network IP UDP - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network IP TCP - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network IP UDP - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network IP TCP - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network IP UDP - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network IP TCP - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network IP UDP - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network IP TCP - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network IP UDP - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network IP TCP - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network IP UDP - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network IP TCP - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network IP UDP - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407046 
- ET RBN Known Russian Business Network IP TCP - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network IP UDP - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network IP TCP - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network IP UDP - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network IP TCP - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network IP UDP - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network IP TCP - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network IP UDP - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network IP TCP - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network IP UDP - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network IP TCP - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network IP UDP - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network IP TCP - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network IP UDP - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network IP TCP - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network IP UDP - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network IP TCP - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network IP UDP - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network IP TCP - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network IP UDP - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network 
IP TCP - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network IP UDP - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network IP TCP - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network IP UDP - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network IP TCP - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network IP UDP - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network IP TCP - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network IP UDP - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network IP TCP - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network IP UDP - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network IP TCP - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network IP UDP - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network IP TCP - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network IP UDP - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network IP TCP - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network IP UDP - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network IP TCP - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network IP UDP - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network IP TCP - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network IP UDP - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network IP TCP - BLOCKING (44) 
(emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network IP UDP - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network IP TCP - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network IP UDP - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network IP TCP - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network IP UDP - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network IP TCP - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network IP UDP - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network IP TCP - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network IP UDP - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network IP TCP - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network IP UDP - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network IP TCP - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network IP UDP - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network IP TCP - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network IP UDP - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network IP TCP - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network IP UDP - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network IP TCP - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network IP UDP - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network IP TCP - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407107 - ET 
RBN Known Russian Business Network IP UDP - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network IP TCP - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network IP UDP - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network IP TCP - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network IP UDP - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network IP TCP - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network IP UDP - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network IP TCP - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network IP UDP - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network IP TCP - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network IP UDP - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network IP TCP - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network IP UDP - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network IP TCP - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network IP UDP - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network IP TCP - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network IP UDP - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network IP TCP - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network IP UDP - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network IP TCP - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network IP 
UDP - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network IP TCP - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network IP UDP - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network IP TCP - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network IP UDP - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network IP TCP - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network IP UDP - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network IP TCP - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network IP UDP - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network IP TCP - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network IP UDP - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network IP TCP - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network IP UDP - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network IP TCP - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network IP UDP - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network IP TCP - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network IP UDP - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network IP TCP - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network IP UDP - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network IP TCP - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network IP UDP - BLOCKING (74) 
(emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network IP TCP - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network IP UDP - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network IP TCP - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network IP UDP - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network IP TCP - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network IP UDP - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network IP TCP - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network IP UDP - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network IP TCP - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network IP UDP - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network IP TCP - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network IP UDP - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network IP TCP - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network IP UDP - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network IP TCP - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network IP UDP - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network IP TCP - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network IP UDP - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network IP TCP - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network IP UDP - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407168 - ET 
RBN Known Russian Business Network IP TCP - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network IP UDP - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network IP TCP - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network IP UDP - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network IP TCP - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network IP UDP - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network IP TCP - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network IP UDP - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network IP TCP - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network IP UDP - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network IP TCP - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network IP UDP - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network IP TCP - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network IP UDP - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network IP TCP - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network IP UDP - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network IP TCP - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network IP UDP - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network IP TCP - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network IP UDP - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network IP 
TCP - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407189 - ET RBN Known Russian Business Network IP UDP - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407190 - ET RBN Known Russian Business Network IP TCP - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407191 - ET RBN Known Russian Business Network IP UDP - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407192 - ET RBN Known Russian Business Network IP TCP - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407193 - ET RBN Known Russian Business Network IP UDP - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407194 - ET RBN Known Russian Business Network IP TCP - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407195 - ET RBN Known Russian Business Network IP UDP - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407196 - ET RBN Known Russian Business Network IP TCP - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407197 - ET RBN Known Russian Business Network IP UDP - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407198 - ET RBN Known Russian Business Network IP TCP - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407199 - ET RBN Known Russian Business Network IP UDP - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407200 - ET RBN Known Russian Business Network IP TCP - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407201 - ET RBN Known Russian Business Network IP UDP - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407202 - ET RBN Known Russian Business Network IP TCP - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407203 - ET RBN Known Russian Business Network IP UDP - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407204 - ET RBN Known Russian Business Network IP TCP - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407205 - ET RBN Known Russian Business Network IP UDP - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407206 - ET RBN Known Russian Business Network IP TCP - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407207 - ET RBN Known Russian Business Network IP UDP - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407208 - ET RBN Known Russian Business Network IP TCP - BLOCKING (105) (emerging-rbn-BLOCK.rules)
2407209 - ET RBN Known Russian Business Network IP UDP - BLOCKING (105) (emerging-rbn-BLOCK.rules)
2407210 - ET RBN Known Russian Business Network IP TCP - BLOCKING (106) (emerging-rbn-BLOCK.rules)
2407211 - ET RBN Known Russian Business Network IP UDP - BLOCKING (106) (emerging-rbn-BLOCK.rules)
2407212 - ET RBN Known Russian Business Network IP TCP - BLOCKING (107) (emerging-rbn-BLOCK.rules)
2407213 - ET RBN Known Russian Business Network IP UDP - BLOCKING (107) (emerging-rbn-BLOCK.rules)
2407214 - ET RBN Known Russian Business Network IP TCP - BLOCKING (108) (emerging-rbn-BLOCK.rules)
2407215 - ET RBN Known Russian Business Network IP UDP - BLOCKING (108) (emerging-rbn-BLOCK.rules)
2407216 - ET RBN Known Russian Business Network IP TCP - BLOCKING (109) (emerging-rbn-BLOCK.rules)
2407217 - ET RBN Known Russian Business Network IP UDP - BLOCKING (109) (emerging-rbn-BLOCK.rules)
2407218 - ET RBN Known Russian Business Network IP TCP - BLOCKING (110) (emerging-rbn-BLOCK.rules)
2407219 - ET RBN Known Russian Business Network IP UDP - BLOCKING (110) (emerging-rbn-BLOCK.rules)
2407220 - ET RBN Known Russian Business Network IP TCP - BLOCKING (111) (emerging-rbn-BLOCK.rules)
2407221 - ET RBN Known Russian Business Network IP UDP - BLOCKING (111) (emerging-rbn-BLOCK.rules)
2407222 - ET RBN Known Russian Business Network IP TCP - BLOCKING (112) (emerging-rbn-BLOCK.rules)
2407223 - ET RBN Known Russian Business Network IP UDP - BLOCKING (112) (emerging-rbn-BLOCK.rules)
2407224 - ET RBN Known Russian Business Network IP TCP - BLOCKING (113) (emerging-rbn-BLOCK.rules)
2407225 - ET RBN Known Russian Business Network IP UDP - BLOCKING (113) (emerging-rbn-BLOCK.rules)
2407226 - ET RBN Known Russian Business Network IP TCP - BLOCKING (114) (emerging-rbn-BLOCK.rules)
2407227 - ET RBN Known Russian Business Network IP UDP - BLOCKING (114) (emerging-rbn-BLOCK.rules)
2407228 - ET RBN Known Russian Business Network IP TCP - BLOCKING (115) (emerging-rbn-BLOCK.rules)
2407229 - ET RBN Known Russian Business Network IP UDP - BLOCKING (115) (emerging-rbn-BLOCK.rules)
2407230 - ET RBN Known Russian Business Network IP TCP - BLOCKING (116) (emerging-rbn-BLOCK.rules)
2407231 - ET RBN Known Russian Business Network IP UDP - BLOCKING (116) (emerging-rbn-BLOCK.rules)
2407232 - ET RBN Known Russian Business Network IP TCP - BLOCKING (117) (emerging-rbn-BLOCK.rules)
2407233 - ET RBN Known Russian Business Network IP UDP - BLOCKING (117) (emerging-rbn-BLOCK.rules)
2407234 - ET RBN Known Russian Business Network IP TCP - BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407235 - ET RBN Known Russian Business Network IP UDP - BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407236 - ET RBN Known Russian Business Network IP TCP - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407237 - ET RBN Known Russian Business Network IP UDP - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407238 - ET RBN Known Russian Business Network IP TCP - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407239 - ET RBN Known Russian Business Network IP UDP - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407240 - ET RBN Known Russian Business Network IP TCP - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407241 - ET RBN Known Russian Business Network IP UDP - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407242 - ET RBN Known Russian Business Network IP TCP - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407243 - ET RBN Known Russian Business Network IP UDP - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407244 - ET RBN Known Russian Business Network IP TCP - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407245 - ET RBN Known Russian Business Network IP UDP - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407246 - ET RBN Known Russian Business Network IP TCP - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407247 - ET RBN Known Russian Business Network IP UDP - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407248 - ET RBN Known Russian Business Network IP TCP - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407249 - ET RBN Known Russian Business Network IP UDP - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407250 - ET RBN Known Russian Business Network IP TCP - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407251 - ET RBN Known Russian Business Network IP UDP - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407252 - ET RBN Known Russian Business Network IP TCP - BLOCKING (127) (emerging-rbn-BLOCK.rules)
2407253 - ET RBN Known Russian Business Network IP UDP - BLOCKING (127) (emerging-rbn-BLOCK.rules)
2407254 - ET RBN Known Russian Business Network IP TCP - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407255 - ET RBN Known Russian Business Network IP UDP - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407256 - ET RBN Known Russian Business Network IP TCP - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407257 - ET RBN Known Russian Business Network IP UDP - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407258 - ET RBN Known Russian Business Network IP TCP - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407259 - ET RBN Known Russian Business Network IP UDP - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407260 - ET RBN Known Russian Business Network IP TCP - BLOCKING (131) (emerging-rbn-BLOCK.rules)
2407261 - ET RBN Known Russian Business Network IP UDP - BLOCKING (131) (emerging-rbn-BLOCK.rules)
2407262 - ET RBN Known Russian Business Network IP TCP - BLOCKING (132) (emerging-rbn-BLOCK.rules)
2407263 - ET RBN Known Russian Business Network IP UDP - BLOCKING (132) (emerging-rbn-BLOCK.rules)
2407264 - ET RBN Known Russian Business Network IP TCP - BLOCKING (133) (emerging-rbn-BLOCK.rules)
2407265 - ET RBN Known Russian Business Network IP UDP - BLOCKING (133) (emerging-rbn-BLOCK.rules)
2407266 - ET RBN Known Russian Business Network IP TCP - BLOCKING (134) (emerging-rbn-BLOCK.rules)
2407267 - ET RBN Known Russian Business Network IP UDP - BLOCKING (134) (emerging-rbn-BLOCK.rules)
2407268 - ET RBN Known Russian Business Network IP TCP - BLOCKING (135) (emerging-rbn-BLOCK.rules)
2407269 - ET RBN Known Russian Business Network IP UDP - BLOCKING (135) (emerging-rbn-BLOCK.rules)
2407270 - ET RBN Known Russian Business Network IP TCP - BLOCKING (136) (emerging-rbn-BLOCK.rules)
2407271 - ET RBN Known Russian Business Network IP UDP - BLOCKING (136) (emerging-rbn-BLOCK.rules)
2407272 - ET RBN Known Russian Business Network IP TCP - BLOCKING (137) (emerging-rbn-BLOCK.rules)
2407273 - ET RBN Known Russian Business Network IP UDP - BLOCKING (137) (emerging-rbn-BLOCK.rules)
2407274 - ET RBN Known Russian Business Network IP TCP - BLOCKING (138) (emerging-rbn-BLOCK.rules)
2407275 - ET RBN Known Russian Business Network IP UDP - BLOCKING (138) (emerging-rbn-BLOCK.rules)
2407276 - ET RBN Known Russian Business Network IP TCP - BLOCKING (139) (emerging-rbn-BLOCK.rules)
2407277 - ET RBN Known Russian Business Network IP UDP - BLOCKING (139) (emerging-rbn-BLOCK.rules)
2407278 - ET RBN Known Russian Business Network IP TCP - BLOCKING (140) (emerging-rbn-BLOCK.rules)
2407279 - ET RBN Known Russian Business Network IP UDP - BLOCKING (140) (emerging-rbn-BLOCK.rules)
2407280 - ET RBN Known Russian Business Network IP TCP - BLOCKING (141) (emerging-rbn-BLOCK.rules)
2407281 - ET RBN Known Russian Business Network IP UDP - BLOCKING (141) (emerging-rbn-BLOCK.rules)
2407282 - ET RBN Known Russian Business Network IP TCP - BLOCKING (142) (emerging-rbn-BLOCK.rules)
2407283 - ET RBN Known Russian Business Network IP UDP - BLOCKING (142) (emerging-rbn-BLOCK.rules)
2407284 - ET RBN Known Russian Business Network IP TCP - BLOCKING (143) (emerging-rbn-BLOCK.rules)
2407285 - ET RBN Known Russian Business Network IP UDP - BLOCKING (143) (emerging-rbn-BLOCK.rules)
2407286 - ET RBN Known Russian Business Network IP TCP - BLOCKING (144) (emerging-rbn-BLOCK.rules)
2407287 - ET RBN Known Russian Business Network IP UDP - BLOCKING (144) (emerging-rbn-BLOCK.rules)
2407288 - ET RBN Known Russian Business Network IP TCP - BLOCKING (145) (emerging-rbn-BLOCK.rules)
2407289 - ET RBN Known Russian Business Network IP UDP - BLOCKING (145) (emerging-rbn-BLOCK.rules)
2407290 - ET RBN Known Russian Business Network IP TCP - BLOCKING (146) (emerging-rbn-BLOCK.rules)
2407291 - ET RBN Known Russian Business Network IP UDP - BLOCKING (146) (emerging-rbn-BLOCK.rules)
2407292 - ET RBN Known Russian Business Network IP TCP - BLOCKING (147) (emerging-rbn-BLOCK.rules)
2407293 - ET RBN Known Russian Business Network IP UDP - BLOCKING (147) (emerging-rbn-BLOCK.rules)
2407294 - ET RBN Known Russian Business Network IP TCP - BLOCKING (148) (emerging-rbn-BLOCK.rules)
2407295 - ET RBN Known Russian Business Network IP UDP - BLOCKING (148) (emerging-rbn-BLOCK.rules)
2407296 - ET RBN Known Russian Business Network IP TCP - BLOCKING (149) (emerging-rbn-BLOCK.rules)
2407297 - ET RBN Known Russian Business Network IP UDP - BLOCKING (149) (emerging-rbn-BLOCK.rules)
2407298 - ET RBN Known Russian Business Network IP TCP - BLOCKING (150) (emerging-rbn-BLOCK.rules)
2407299 - ET RBN Known Russian Business Network IP UDP - BLOCKING (150) (emerging-rbn-BLOCK.rules)
2407300 - ET RBN Known Russian Business Network IP TCP - BLOCKING (151) (emerging-rbn-BLOCK.rules)
2407301 - ET RBN Known Russian Business Network IP UDP - BLOCKING (151) (emerging-rbn-BLOCK.rules)
2407302 - ET RBN Known Russian Business Network IP TCP - BLOCKING (152) (emerging-rbn-BLOCK.rules)
2407303 - ET RBN Known Russian Business Network IP UDP - BLOCKING (152) (emerging-rbn-BLOCK.rules)
2407304 - ET RBN Known Russian Business Network IP TCP - BLOCKING (153) (emerging-rbn-BLOCK.rules)
2407305 - ET RBN Known Russian Business Network IP UDP - BLOCKING (153) (emerging-rbn-BLOCK.rules)
2407306 - ET RBN Known Russian Business Network IP TCP - BLOCKING (154) (emerging-rbn-BLOCK.rules)
2407307 - ET RBN Known Russian Business Network IP UDP - BLOCKING (154) (emerging-rbn-BLOCK.rules)
2407308 - ET RBN Known Russian Business Network IP TCP - BLOCKING (155) (emerging-rbn-BLOCK.rules)
2407309 - ET RBN Known Russian Business Network IP UDP - BLOCKING (155) (emerging-rbn-BLOCK.rules)
2407310 - ET RBN Known Russian Business Network IP TCP - BLOCKING (156) (emerging-rbn-BLOCK.rules)
2407311 - ET RBN Known Russian Business Network IP UDP - BLOCKING (156) (emerging-rbn-BLOCK.rules)
2407312 - ET RBN Known Russian Business Network IP TCP - BLOCKING (157) (emerging-rbn-BLOCK.rules)
2407313 - ET RBN Known Russian Business Network IP UDP - BLOCKING (157) (emerging-rbn-BLOCK.rules)
2407314 - ET RBN Known Russian Business Network IP TCP - BLOCKING (158) (emerging-rbn-BLOCK.rules)
2407315 - ET RBN Known Russian Business Network IP UDP - BLOCKING (158) (emerging-rbn-BLOCK.rules)
2407316 - ET RBN Known Russian Business Network IP TCP - BLOCKING (159) (emerging-rbn-BLOCK.rules)
2407317 - ET RBN Known Russian Business Network IP UDP - BLOCKING (159) (emerging-rbn-BLOCK.rules)
2407318 - ET RBN Known Russian Business Network IP TCP - BLOCKING (160) (emerging-rbn-BLOCK.rules)
2407319 - ET RBN Known Russian Business Network IP UDP - BLOCKING (160) (emerging-rbn-BLOCK.rules)
2407320 - ET RBN Known Russian Business Network IP TCP - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407321 - ET RBN Known Russian Business Network IP UDP - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407322 - ET RBN Known Russian Business Network IP TCP - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407323 - ET RBN Known Russian Business Network IP UDP - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407324 - ET RBN Known Russian Business Network IP TCP - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407325 - ET RBN Known Russian Business Network IP UDP - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407326 - ET RBN Known Russian Business Network IP TCP - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407327 - ET RBN Known Russian Business Network IP UDP - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407328 - ET RBN Known Russian Business Network IP TCP - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407329 - ET RBN Known Russian Business Network IP UDP - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407330 - ET RBN Known Russian Business Network IP TCP - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407331 - ET RBN Known Russian Business Network IP UDP - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407332 - ET RBN Known Russian Business Network IP TCP - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407333 - ET RBN Known Russian Business Network IP UDP - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407334 - ET RBN Known Russian Business Network IP TCP - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407335 - ET RBN Known Russian Business Network IP UDP - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407336 - ET RBN Known Russian Business Network IP TCP - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407337 - ET RBN Known Russian Business Network IP UDP - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407338 - ET RBN Known Russian Business Network IP TCP - BLOCKING (170) (emerging-rbn-BLOCK.rules)
2407339 - ET RBN Known Russian Business Network IP UDP - BLOCKING (170) (emerging-rbn-BLOCK.rules)
2407340 - ET RBN Known Russian Business Network IP TCP - BLOCKING (171) (emerging-rbn-BLOCK.rules)
2407341 - ET RBN Known Russian Business Network IP UDP - BLOCKING (171) (emerging-rbn-BLOCK.rules)
2407342 - ET RBN Known Russian Business Network IP TCP - BLOCKING (172) (emerging-rbn-BLOCK.rules)
2407343 - ET RBN Known Russian Business Network IP UDP - BLOCKING (172) (emerging-rbn-BLOCK.rules)
2407344 - ET RBN Known Russian Business Network IP TCP - BLOCKING (173) (emerging-rbn-BLOCK.rules)
2407345 - ET RBN Known Russian Business Network IP UDP - BLOCKING (173) (emerging-rbn-BLOCK.rules)
2407346 - ET RBN Known Russian Business Network IP TCP - BLOCKING (174) (emerging-rbn-BLOCK.rules)
2407347 - ET RBN Known Russian Business Network IP UDP - BLOCKING (174) (emerging-rbn-BLOCK.rules)
2407348 - ET RBN Known Russian Business Network IP TCP - BLOCKING (175) (emerging-rbn-BLOCK.rules)
2407349 - ET RBN Known Russian Business Network IP UDP - BLOCKING (175) (emerging-rbn-BLOCK.rules)
2407350 - ET RBN Known Russian Business Network IP TCP - BLOCKING (176) (emerging-rbn-BLOCK.rules)
2407351 - ET RBN Known Russian Business Network IP UDP - BLOCKING (176) (emerging-rbn-BLOCK.rules)
2407352 - ET RBN Known Russian Business Network IP TCP - BLOCKING (177) (emerging-rbn-BLOCK.rules)
2407353 - ET RBN Known Russian Business Network IP UDP - BLOCKING (177) (emerging-rbn-BLOCK.rules)
2407354 - ET RBN Known Russian Business Network IP TCP - BLOCKING (178) (emerging-rbn-BLOCK.rules)
2407355 - ET RBN Known Russian Business Network IP UDP - BLOCKING (178) (emerging-rbn-BLOCK.rules)
2407356 - ET RBN Known Russian Business Network IP TCP - BLOCKING (179) (emerging-rbn-BLOCK.rules)
2407357 - ET RBN Known Russian Business Network IP UDP - BLOCKING (179) (emerging-rbn-BLOCK.rules)
2407358 - ET RBN Known Russian Business Network IP TCP - BLOCKING (180) (emerging-rbn-BLOCK.rules)
2407359 - ET RBN Known Russian Business Network IP UDP - BLOCKING (180) (emerging-rbn-BLOCK.rules)
2407360 - ET RBN Known Russian Business Network IP TCP - BLOCKING (181) (emerging-rbn-BLOCK.rules)
2407361 - ET RBN Known Russian Business Network IP UDP - BLOCKING (181) (emerging-rbn-BLOCK.rules)
2407362 - ET RBN Known Russian Business Network IP TCP - BLOCKING (182) (emerging-rbn-BLOCK.rules)
2407363 - ET RBN Known Russian Business Network IP UDP - BLOCKING (182) (emerging-rbn-BLOCK.rules)
2407364 - ET RBN Known Russian Business Network IP TCP - BLOCKING (183) (emerging-rbn-BLOCK.rules)
2407365 - ET RBN Known Russian Business Network IP UDP - BLOCKING (183) (emerging-rbn-BLOCK.rules)
2407366 - ET RBN Known Russian Business Network IP TCP - BLOCKING (184) (emerging-rbn-BLOCK.rules)
2407367 - ET RBN Known Russian Business Network IP UDP - BLOCKING (184) (emerging-rbn-BLOCK.rules)
2407368 - ET RBN Known Russian Business Network IP TCP - BLOCKING (185) (emerging-rbn-BLOCK.rules)
2407369 - ET RBN Known Russian Business Network IP UDP - BLOCKING (185) (emerging-rbn-BLOCK.rules)
2407370 - ET RBN Known Russian Business Network IP TCP - BLOCKING (186) (emerging-rbn-BLOCK.rules)
2407371 - ET RBN Known Russian Business Network IP UDP - BLOCKING (186) (emerging-rbn-BLOCK.rules)
2407372 - ET RBN Known Russian Business Network IP TCP - BLOCKING (187) (emerging-rbn-BLOCK.rules)
2407373 - ET RBN Known Russian Business Network IP UDP - BLOCKING (187) (emerging-rbn-BLOCK.rules)
2407374 - ET RBN Known Russian Business Network IP TCP - BLOCKING (188) (emerging-rbn-BLOCK.rules)
2407375 - ET RBN Known Russian Business Network IP UDP - BLOCKING (188) (emerging-rbn-BLOCK.rules)
2407376 - ET RBN Known Russian Business Network IP TCP - BLOCKING (189) (emerging-rbn-BLOCK.rules)
2407377 - ET RBN Known Russian Business Network IP UDP - BLOCKING (189) (emerging-rbn-BLOCK.rules)
2407378 - ET RBN Known Russian Business Network IP TCP - BLOCKING (190) (emerging-rbn-BLOCK.rules)
2407379 - ET RBN Known Russian Business Network IP UDP - BLOCKING (190) (emerging-rbn-BLOCK.rules)
2407380 - ET RBN Known Russian Business Network IP TCP - BLOCKING (191) (emerging-rbn-BLOCK.rules)
2407381 - ET RBN Known Russian Business Network IP UDP - BLOCKING (191) (emerging-rbn-BLOCK.rules)
2407382 - ET RBN Known Russian Business Network IP TCP - BLOCKING (192) (emerging-rbn-BLOCK.rules)
2407383 - ET RBN Known Russian Business Network IP UDP - BLOCKING (192) (emerging-rbn-BLOCK.rules)
2407384 - ET RBN Known Russian Business Network IP TCP - BLOCKING (193) (emerging-rbn-BLOCK.rules)
2407385 - ET RBN Known Russian Business Network IP UDP - BLOCKING (193) (emerging-rbn-BLOCK.rules)
2407386 - ET RBN Known Russian Business Network IP TCP - BLOCKING (194) (emerging-rbn-BLOCK.rules)
2407387 - ET RBN Known Russian Business Network IP UDP - BLOCKING (194) (emerging-rbn-BLOCK.rules)
2407388 - ET RBN Known Russian Business Network IP TCP - BLOCKING (195) (emerging-rbn-BLOCK.rules)
2407389 - ET RBN Known Russian Business Network IP UDP - BLOCKING (195) (emerging-rbn-BLOCK.rules)
2407390 - ET RBN Known Russian Business Network IP TCP - BLOCKING (196) (emerging-rbn-BLOCK.rules)
2407391 - ET RBN Known Russian Business Network IP UDP - BLOCKING (196) (emerging-rbn-BLOCK.rules)
2407392 - ET RBN Known Russian Business Network IP TCP - BLOCKING (197) (emerging-rbn-BLOCK.rules)
2407393 - ET RBN Known Russian Business Network IP UDP - BLOCKING (197) (emerging-rbn-BLOCK.rules)
2407394 - ET RBN Known Russian Business Network IP TCP - BLOCKING (198) (emerging-rbn-BLOCK.rules)
2407395 - ET RBN Known Russian Business Network IP UDP - BLOCKING (198) (emerging-rbn-BLOCK.rules)
2407396 - ET RBN Known Russian Business Network IP TCP - BLOCKING (199) (emerging-rbn-BLOCK.rules)
2407397 - ET RBN Known Russian Business Network IP UDP - BLOCKING (199) (emerging-rbn-BLOCK.rules)
2407398 - ET RBN Known Russian Business Network IP TCP - BLOCKING (200) (emerging-rbn-BLOCK.rules)
2407399 - ET RBN Known Russian Business Network IP UDP - BLOCKING (200) (emerging-rbn-BLOCK.rules)
2407400 - ET RBN Known Russian Business Network IP TCP - BLOCKING (201) (emerging-rbn-BLOCK.rules)
2407401 - ET RBN Known Russian Business Network IP UDP - BLOCKING (201) (emerging-rbn-BLOCK.rules)
2407402 - ET RBN Known Russian Business Network IP TCP - BLOCKING (202) (emerging-rbn-BLOCK.rules)
2407403 - ET RBN Known Russian Business Network IP UDP - BLOCKING (202) (emerging-rbn-BLOCK.rules)
2407404 - ET RBN Known Russian Business Network IP TCP - BLOCKING (203) (emerging-rbn-BLOCK.rules)
2407405 - ET RBN Known Russian Business Network IP UDP - BLOCKING (203) (emerging-rbn-BLOCK.rules)
2407406 - ET RBN Known Russian Business Network IP TCP - BLOCKING (204) (emerging-rbn-BLOCK.rules)
2407407 - ET RBN Known Russian Business Network IP UDP - BLOCKING (204) (emerging-rbn-BLOCK.rules)
2407408 - ET RBN Known Russian Business Network IP TCP - BLOCKING (205) (emerging-rbn-BLOCK.rules)
2407409 - ET RBN Known Russian Business Network IP UDP - BLOCKING (205) (emerging-rbn-BLOCK.rules)
2407410 - ET RBN Known Russian Business Network IP TCP - BLOCKING (206) (emerging-rbn-BLOCK.rules)
2407411 - ET RBN Known Russian Business Network IP UDP - BLOCKING (206) (emerging-rbn-BLOCK.rules)
2407412 - ET RBN Known Russian Business Network IP TCP - BLOCKING (207) (emerging-rbn-BLOCK.rules)
2407413 - ET RBN Known Russian Business Network IP UDP - BLOCKING (207) (emerging-rbn-BLOCK.rules)
2407414 - ET RBN Known Russian Business Network IP TCP - BLOCKING (208) (emerging-rbn-BLOCK.rules)
2407415 - ET RBN Known Russian Business Network IP UDP - BLOCKING (208) (emerging-rbn-BLOCK.rules)
2407416 - ET RBN Known Russian Business Network IP TCP - BLOCKING (209) (emerging-rbn-BLOCK.rules)
2407417 - ET RBN Known Russian Business Network IP UDP - BLOCKING (209) (emerging-rbn-BLOCK.rules)
2407418 - ET RBN Known Russian Business Network IP TCP - BLOCKING (210) (emerging-rbn-BLOCK.rules)
2407419 - ET RBN Known Russian Business Network IP UDP - BLOCKING (210) (emerging-rbn-BLOCK.rules)
2407420 - ET RBN Known Russian Business Network IP TCP - BLOCKING (211) (emerging-rbn-BLOCK.rules)
2407421 - ET RBN Known Russian Business Network IP UDP - BLOCKING (211) (emerging-rbn-BLOCK.rules)
2407422 - ET RBN Known Russian Business Network IP TCP - BLOCKING (212) (emerging-rbn-BLOCK.rules)
2407423 - ET RBN Known Russian Business Network IP UDP - BLOCKING (212) (emerging-rbn-BLOCK.rules)
2407424 - ET RBN Known Russian Business Network IP TCP - BLOCKING (213) (emerging-rbn-BLOCK.rules)
2407425 - ET RBN Known Russian Business Network IP UDP - BLOCKING (213) (emerging-rbn-BLOCK.rules)
2407426 - ET RBN Known Russian Business Network IP TCP - BLOCKING (214) (emerging-rbn-BLOCK.rules)
2407427 - ET RBN Known Russian Business Network IP UDP - BLOCKING (214) (emerging-rbn-BLOCK.rules)
2407428 - ET RBN Known Russian Business Network IP TCP - BLOCKING (215) (emerging-rbn-BLOCK.rules)
2407429 - ET RBN Known Russian Business Network IP UDP - BLOCKING (215) (emerging-rbn-BLOCK.rules)
2407430 - ET RBN Known Russian Business Network IP TCP - BLOCKING (216) (emerging-rbn-BLOCK.rules)
2407431 - ET RBN Known Russian Business Network IP UDP - BLOCKING (216) (emerging-rbn-BLOCK.rules)
2407432 - ET RBN Known Russian Business Network IP TCP - BLOCKING (217) (emerging-rbn-BLOCK.rules)
2407433 - ET RBN Known Russian Business Network IP UDP - BLOCKING (217) (emerging-rbn-BLOCK.rules)
2407434 - ET RBN Known Russian Business Network IP TCP - BLOCKING (218) (emerging-rbn-BLOCK.rules)
2407435 - ET RBN Known Russian Business Network IP UDP - BLOCKING (218) (emerging-rbn-BLOCK.rules)
2407436 - ET RBN Known Russian Business Network IP TCP - BLOCKING (219) (emerging-rbn-BLOCK.rules)
2407437 - ET RBN Known Russian Business Network IP UDP - BLOCKING (219) (emerging-rbn-BLOCK.rules)
2407438 - ET RBN Known Russian Business Network IP TCP - BLOCKING (220) (emerging-rbn-BLOCK.rules)
2407439 - ET RBN Known Russian Business Network IP UDP - BLOCKING (220) (emerging-rbn-BLOCK.rules)
2407440 - ET RBN Known Russian Business Network IP TCP - BLOCKING (221) (emerging-rbn-BLOCK.rules)
2407441 - ET RBN Known Russian Business Network IP UDP - BLOCKING (221) (emerging-rbn-BLOCK.rules)
2407442 - ET RBN Known Russian Business Network IP TCP - BLOCKING (222) (emerging-rbn-BLOCK.rules)
2407443 - ET RBN Known Russian Business Network IP UDP - BLOCKING (222) (emerging-rbn-BLOCK.rules)
2407444 - ET RBN Known Russian Business Network IP TCP - BLOCKING (223) (emerging-rbn-BLOCK.rules)
2407445 - ET RBN Known Russian Business Network IP UDP - BLOCKING (223) (emerging-rbn-BLOCK.rules)
2407446 - ET RBN Known Russian Business Network IP TCP - BLOCKING (224) (emerging-rbn-BLOCK.rules)
2407447 - ET RBN Known Russian Business Network IP UDP - BLOCKING (224) (emerging-rbn-BLOCK.rules)
2407448 - ET RBN Known Russian Business Network IP TCP - BLOCKING (225) (emerging-rbn-BLOCK.rules)
2407449 - ET RBN Known Russian Business Network IP UDP - BLOCKING (225) (emerging-rbn-BLOCK.rules)
2407450 - ET RBN Known Russian Business Network IP TCP - BLOCKING (226) (emerging-rbn-BLOCK.rules)
2407451 - ET RBN Known Russian Business Network IP UDP - BLOCKING (226) (emerging-rbn-BLOCK.rules)
2407452 - ET RBN Known Russian Business Network IP TCP - BLOCKING (227) (emerging-rbn-BLOCK.rules)
2407453 - ET RBN Known Russian Business Network IP UDP - BLOCKING (227) (emerging-rbn-BLOCK.rules)
2407454 - ET RBN Known Russian Business Network IP TCP - BLOCKING (228) (emerging-rbn-BLOCK.rules)
2407455 - ET RBN Known Russian Business Network IP UDP - BLOCKING (228) (emerging-rbn-BLOCK.rules)
2407456 - ET RBN Known Russian Business Network IP TCP - BLOCKING (229) (emerging-rbn-BLOCK.rules)
2407457 - ET RBN Known Russian Business Network IP UDP - BLOCKING (229) (emerging-rbn-BLOCK.rules)
2407458 - ET RBN Known Russian Business Network IP TCP - BLOCKING (230) (emerging-rbn-BLOCK.rules)
2407459 - ET RBN Known Russian Business Network IP UDP - BLOCKING (230) (emerging-rbn-BLOCK.rules)
2407460 - ET RBN Known Russian Business Network IP TCP - BLOCKING (231) (emerging-rbn-BLOCK.rules)
2407461 - ET RBN Known Russian Business Network IP UDP - BLOCKING (231) (emerging-rbn-BLOCK.rules)
2407462 - ET RBN Known Russian Business Network IP TCP - BLOCKING (232) (emerging-rbn-BLOCK.rules)
2407463 - ET RBN Known Russian Business Network IP UDP - BLOCKING (232) (emerging-rbn-BLOCK.rules)
2407464 - ET RBN Known Russian Business Network IP TCP - BLOCKING (233) (emerging-rbn-BLOCK.rules)
2407465 - ET RBN Known Russian Business Network IP UDP - BLOCKING (233) (emerging-rbn-BLOCK.rules)
2407466 - ET RBN Known Russian Business Network IP TCP - BLOCKING (234) (emerging-rbn-BLOCK.rules)
2407467 - ET RBN Known Russian Business Network IP UDP - BLOCKING (234) (emerging-rbn-BLOCK.rules)
2407468 - ET RBN Known Russian Business Network IP TCP - BLOCKING (235) (emerging-rbn-BLOCK.rules)
2407469 - ET RBN Known Russian Business Network IP UDP - BLOCKING (235) (emerging-rbn-BLOCK.rules)
2407470 - ET RBN Known Russian Business Network IP TCP - BLOCKING (236) (emerging-rbn-BLOCK.rules)
2407471 - ET RBN Known Russian Business Network IP UDP - BLOCKING (236) (emerging-rbn-BLOCK.rules)
2407472 - ET RBN Known Russian Business Network IP TCP - BLOCKING (237) (emerging-rbn-BLOCK.rules)
2407473 - ET RBN Known Russian Business Network IP UDP - BLOCKING (237) (emerging-rbn-BLOCK.rules)
2407474 - ET RBN Known Russian Business Network IP TCP - BLOCKING (238) (emerging-rbn-BLOCK.rules)
2407475 - ET RBN Known Russian Business Network IP UDP - BLOCKING (238) (emerging-rbn-BLOCK.rules)
2407476 - ET RBN Known Russian Business Network IP TCP - BLOCKING (239) (emerging-rbn-BLOCK.rules)
2407477 - ET RBN Known Russian Business Network IP UDP - BLOCKING (239) (emerging-rbn-BLOCK.rules)
2407478 - ET RBN Known Russian Business Network IP TCP - BLOCKING (240) (emerging-rbn-BLOCK.rules)
2407479 - ET RBN Known Russian Business Network IP UDP - BLOCKING (240) (emerging-rbn-BLOCK.rules)
2407480 - ET RBN Known Russian Business Network IP TCP - BLOCKING (241) (emerging-rbn-BLOCK.rules)
2407481 - ET RBN Known Russian Business Network IP UDP - BLOCKING (241) (emerging-rbn-BLOCK.rules)
2407482 - ET RBN Known Russian Business Network IP TCP - BLOCKING (242) (emerging-rbn-BLOCK.rules)
2407483 - ET RBN Known Russian Business Network IP UDP - BLOCKING (242) (emerging-rbn-BLOCK.rules)
2407484 - ET RBN Known Russian Business Network IP TCP - BLOCKING (243) (emerging-rbn-BLOCK.rules)
2407485 - ET RBN Known Russian Business Network IP UDP - BLOCKING (243) (emerging-rbn-BLOCK.rules)
2407486 - ET RBN Known Russian Business Network IP TCP - BLOCKING (244) (emerging-rbn-BLOCK.rules)
2407487 - ET RBN Known Russian Business Network IP UDP - BLOCKING (244) (emerging-rbn-BLOCK.rules)
2407488 - ET RBN Known Russian Business Network IP TCP - BLOCKING (245) (emerging-rbn-BLOCK.rules)
2407489 - ET RBN Known Russian Business Network IP UDP - BLOCKING (245) (emerging-rbn-BLOCK.rules)
2407490 - ET RBN Known Russian Business Network IP TCP - BLOCKING (246) (emerging-rbn-BLOCK.rules)
2407491 - ET RBN Known Russian Business Network IP UDP - BLOCKING (246) (emerging-rbn-BLOCK.rules)
2407492 - ET RBN Known Russian Business Network IP TCP - BLOCKING (247) (emerging-rbn-BLOCK.rules)
2407493 - ET RBN Known Russian Business Network IP UDP - BLOCKING (247) (emerging-rbn-BLOCK.rules)
2407494 - ET RBN Known Russian Business Network IP TCP - BLOCKING (248) (emerging-rbn-BLOCK.rules)
2407495 - ET RBN Known Russian Business Network IP UDP - BLOCKING (248) (emerging-rbn-BLOCK.rules)
2407496 - ET RBN Known Russian Business Network IP TCP - BLOCKING (249) (emerging-rbn-BLOCK.rules)
2407497 - ET RBN Known Russian Business Network IP UDP - BLOCKING (249) (emerging-rbn-BLOCK.rules)
2407498 - ET RBN Known Russian Business Network IP TCP - BLOCKING (250) (emerging-rbn-BLOCK.rules)
2407499 - ET RBN Known Russian Business Network IP UDP - BLOCKING (250) (emerging-rbn-BLOCK.rules)
2407500 - ET RBN Known Russian Business Network IP TCP - BLOCKING (251) (emerging-rbn-BLOCK.rules)
2407501 - ET RBN Known Russian Business Network IP UDP - BLOCKING (251) (emerging-rbn-BLOCK.rules)
2407502 - ET RBN Known Russian Business Network IP TCP - BLOCKING (252) (emerging-rbn-BLOCK.rules)
2407503 - ET RBN Known Russian Business Network IP UDP - BLOCKING (252) (emerging-rbn-BLOCK.rules)
2407504 - ET RBN Known Russian Business Network IP TCP - BLOCKING (253) (emerging-rbn-BLOCK.rules)
2407505 - ET RBN Known Russian Business Network IP UDP - BLOCKING (253) (emerging-rbn-BLOCK.rules)
2407506 - ET RBN Known Russian Business Network IP TCP - BLOCKING (254) (emerging-rbn-BLOCK.rules)
2407507 - ET RBN Known Russian Business Network IP UDP - BLOCKING (254) (emerging-rbn-BLOCK.rules)
2407508 - ET RBN Known Russian Business Network IP TCP - BLOCKING (255) (emerging-rbn-BLOCK.rules)
2407509 - ET RBN Known Russian Business Network IP UDP - BLOCKING (255) (emerging-rbn-BLOCK.rules)
2407510 - ET RBN Known Russian Business Network IP TCP - BLOCKING (256) (emerging-rbn-BLOCK.rules)
2407511 - ET RBN Known Russian Business Network IP UDP - BLOCKING (256) (emerging-rbn-BLOCK.rules)
2407512 - ET RBN Known Russian Business Network IP TCP - BLOCKING (257) (emerging-rbn-BLOCK.rules)
2407513 - ET RBN Known Russian Business Network IP UDP - BLOCKING (257) (emerging-rbn-BLOCK.rules)
2407514 - ET RBN Known Russian Business Network IP TCP - BLOCKING (258) (emerging-rbn-BLOCK.rules)
2407515 - ET RBN Known Russian Business Network IP UDP - BLOCKING (258) (emerging-rbn-BLOCK.rules)
2407516 - ET RBN Known Russian Business Network IP TCP - BLOCKING (259) (emerging-rbn-BLOCK.rules)
2407517 - ET RBN Known Russian Business Network IP UDP - BLOCKING (259) (emerging-rbn-BLOCK.rules)
2407518 - ET RBN Known Russian Business Network IP TCP - BLOCKING (260) (emerging-rbn-BLOCK.rules)
2407519 - ET RBN Known Russian Business Network IP UDP - BLOCKING (260) (emerging-rbn-BLOCK.rules)
2407520 - ET RBN Known Russian Business Network IP TCP - BLOCKING (261) (emerging-rbn-BLOCK.rules)
2407521 - ET RBN Known Russian Business Network IP UDP - BLOCKING (261) (emerging-rbn-BLOCK.rules)
2407522 - ET RBN Known Russian Business Network IP TCP - BLOCKING (262) (emerging-rbn-BLOCK.rules)
2407523 - ET RBN Known Russian Business Network IP UDP - BLOCKING (262) (emerging-rbn-BLOCK.rules)
2407524 - ET RBN Known Russian Business Network IP TCP - BLOCKING (263) (emerging-rbn-BLOCK.rules)
2407525 - ET RBN Known Russian Business Network IP UDP - BLOCKING (263) (emerging-rbn-BLOCK.rules)
2407526 - ET RBN Known Russian Business Network IP TCP - BLOCKING (264) (emerging-rbn-BLOCK.rules)
2407527 - ET RBN Known Russian Business Network IP UDP - BLOCKING (264) (emerging-rbn-BLOCK.rules)
2407528 - ET RBN Known Russian Business Network IP TCP - BLOCKING (265) (emerging-rbn-BLOCK.rules)
2407529 - ET RBN Known Russian Business Network IP UDP - BLOCKING (265) (emerging-rbn-BLOCK.rules)
2407530 - ET RBN Known Russian Business Network IP TCP - BLOCKING (266) (emerging-rbn-BLOCK.rules)
2407531 - ET RBN Known Russian Business Network IP UDP - BLOCKING (266) (emerging-rbn-BLOCK.rules)
2407532 - ET RBN Known Russian Business Network IP TCP - BLOCKING (267) (emerging-rbn-BLOCK.rules)
2407533 - ET RBN Known Russian Business Network IP UDP - BLOCKING (267) (emerging-rbn-BLOCK.rules)
2407534 - ET RBN Known Russian Business Network IP TCP - BLOCKING (268) (emerging-rbn-BLOCK.rules)
2407535 - ET RBN Known Russian Business Network IP UDP - BLOCKING (268) (emerging-rbn-BLOCK.rules)
2407536 - ET RBN Known Russian Business Network IP TCP - BLOCKING (269) (emerging-rbn-BLOCK.rules)
2407537 - ET RBN Known Russian Business Network IP UDP - BLOCKING (269) (emerging-rbn-BLOCK.rules)
2407538 - ET RBN Known Russian Business Network IP TCP - BLOCKING (270) (emerging-rbn-BLOCK.rules)
2407539 - ET RBN Known Russian Business Network IP UDP - BLOCKING (270) (emerging-rbn-BLOCK.rules)
2407540 - ET RBN Known Russian Business Network IP TCP - BLOCKING (271) (emerging-rbn-BLOCK.rules)
2407541 - ET RBN Known Russian Business Network IP UDP - BLOCKING (271) (emerging-rbn-BLOCK.rules)
2407542 - ET RBN Known Russian Business Network IP TCP - BLOCKING (272) (emerging-rbn-BLOCK.rules)
2407543 - ET RBN Known Russian Business Network IP UDP - BLOCKING (272) (emerging-rbn-BLOCK.rules)
2407544 - ET RBN Known Russian Business Network IP TCP - BLOCKING (273) (emerging-rbn-BLOCK.rules)
2407545 - ET RBN Known Russian Business Network IP UDP - BLOCKING (273) (emerging-rbn-BLOCK.rules)
2407546 - ET RBN Known Russian Business Network IP TCP - BLOCKING (274) (emerging-rbn-BLOCK.rules)
2407547 - ET RBN Known Russian Business Network IP UDP - BLOCKING (274) (emerging-rbn-BLOCK.rules)
2407548 - ET RBN Known Russian Business Network IP TCP - BLOCKING (275) (emerging-rbn-BLOCK.rules)
2407549 - ET RBN Known Russian Business Network IP UDP - BLOCKING (275) (emerging-rbn-BLOCK.rules)
2407550 - ET RBN Known Russian Business Network IP TCP - BLOCKING (276) (emerging-rbn-BLOCK.rules)
2407551 - ET RBN Known Russian Business Network IP UDP - BLOCKING (276) (emerging-rbn-BLOCK.rules)
2407552 - ET RBN Known Russian Business Network IP TCP - BLOCKING (277) (emerging-rbn-BLOCK.rules)
2407553 - ET RBN Known Russian Business Network IP UDP - BLOCKING (277) (emerging-rbn-BLOCK.rules)
2407554 - ET RBN Known Russian Business Network IP TCP - BLOCKING (278) (emerging-rbn-BLOCK.rules)
2407555 - ET RBN Known Russian Business Network IP UDP - BLOCKING (278) (emerging-rbn-BLOCK.rules)
2407556 - ET RBN Known Russian Business Network IP TCP - BLOCKING (279) (emerging-rbn-BLOCK.rules)
2407557 - ET RBN Known Russian Business Network IP UDP - BLOCKING (279) (emerging-rbn-BLOCK.rules)
2407558 - ET RBN Known Russian Business Network IP TCP - BLOCKING (280) (emerging-rbn-BLOCK.rules)
2407559 - ET RBN Known Russian Business Network IP UDP - BLOCKING (280) (emerging-rbn-BLOCK.rules)
2407560 - ET RBN Known Russian Business Network IP TCP - BLOCKING (281) (emerging-rbn-BLOCK.rules)
2407561 - ET RBN Known Russian Business Network IP UDP - BLOCKING (281) (emerging-rbn-BLOCK.rules)
2407562 - ET RBN Known Russian Business Network IP TCP - BLOCKING (282) (emerging-rbn-BLOCK.rules)
2407563 - ET RBN Known Russian Business Network IP UDP - BLOCKING (282) (emerging-rbn-BLOCK.rules)
2407564 - ET RBN Known Russian Business Network IP TCP - BLOCKING (283) (emerging-rbn-BLOCK.rules)
2407565 - ET RBN Known Russian Business Network IP UDP - BLOCKING (283) (emerging-rbn-BLOCK.rules)
2407566 - ET RBN Known Russian Business Network IP TCP - BLOCKING (284) (emerging-rbn-BLOCK.rules)
2407567 - ET RBN Known Russian Business Network IP UDP - BLOCKING (284) (emerging-rbn-BLOCK.rules)
2407568 - ET RBN Known Russian Business Network IP TCP - BLOCKING (285) (emerging-rbn-BLOCK.rules)
2407569 - ET RBN Known Russian Business Network IP UDP - BLOCKING (285) (emerging-rbn-BLOCK.rules)
2407570 - ET RBN Known Russian Business Network IP TCP - BLOCKING (286) (emerging-rbn-BLOCK.rules)
2407571 - ET RBN Known Russian Business Network IP UDP - BLOCKING (286) (emerging-rbn-BLOCK.rules)
2407572 - ET RBN Known Russian Business Network IP TCP - BLOCKING (287) (emerging-rbn-BLOCK.rules)
2407573 - ET RBN Known Russian Business Network IP UDP - BLOCKING (287) (emerging-rbn-BLOCK.rules)
2407574 - ET RBN Known Russian Business Network IP TCP - BLOCKING (288) (emerging-rbn-BLOCK.rules)
2407575 - ET RBN Known Russian Business Network IP UDP - BLOCKING (288) (emerging-rbn-BLOCK.rules)
2407576 - ET RBN Known Russian Business Network IP TCP - BLOCKING (289) (emerging-rbn-BLOCK.rules)
2407577 - ET RBN Known Russian Business Network IP UDP - BLOCKING (289) (emerging-rbn-BLOCK.rules)
2407578 - ET RBN Known Russian Business Network IP TCP - BLOCKING (290) (emerging-rbn-BLOCK.rules)
2407579 - ET RBN Known Russian Business Network IP UDP - BLOCKING (290) (emerging-rbn-BLOCK.rules)
2407580 - ET RBN Known Russian Business Network IP TCP - BLOCKING (291) (emerging-rbn-BLOCK.rules)
2407581 - ET RBN Known Russian Business Network IP UDP - BLOCKING (291) (emerging-rbn-BLOCK.rules)
2407582 - ET RBN Known Russian Business Network IP TCP - BLOCKING (292) (emerging-rbn-BLOCK.rules)
2407583 - ET RBN Known Russian Business Network IP UDP - BLOCKING (292) (emerging-rbn-BLOCK.rules)
2407584 - ET RBN Known Russian Business Network IP TCP - BLOCKING (293) (emerging-rbn-BLOCK.rules)
2407585 - ET RBN Known Russian Business Network IP UDP - BLOCKING (293) (emerging-rbn-BLOCK.rules)
2407586 - ET RBN Known Russian Business Network IP TCP - BLOCKING (294) (emerging-rbn-BLOCK.rules)
2407587 - ET RBN Known Russian Business Network IP UDP - BLOCKING (294) (emerging-rbn-BLOCK.rules)

[---] Disabled rules: [---]

2001363 - ET EXPLOIT Possible MS04-032 Windows Metafile (.emf)
Heap Overflow Portbind Attempt (emerging-exploit.rules) 2001364 - ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt (emerging-exploit.rules) 2001369 - ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit (emerging-exploit.rules) 2001374 - ET EXPLOIT MS04-032 Bad EMF file (emerging-exploit.rules) 2003231 - ET WEB_CLIENT ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (emerging-web_client.rules) 2003232 - ET WEB_CLIENT ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (emerging-web_client.rules) 2003233 - ET WEB_CLIENT ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (emerging-web_client.rules) 2003234 - ET WEB_CLIENT ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) (emerging-web_client.rules) 2008446 - ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt (emerging-current_events.rules) [---] Removed rules: [---] 210560 - ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 (emerging-web_client.rules) 2001686 - ET EXPLOIT Awstats Remote Code Execution Attempt (emerging-exploit.rules) 2001718 - ET EXPLOIT CAN-2004-1244 PNG with bad width (emerging-exploit.rules) 2001719 - ET EXPLOIT CAN-2004-1244 PNG with bad height (emerging-exploit.rules) 2001720 - ET EXPLOIT CAN-2004-0597 PNG with indexed color (emerging-exploit.rules) 2001721 - ET EXPLOIT CAN-2004-0597 PNG with too big PLTE (emerging-exploit.rules) 2001722 - ET EXPLOIT CAN-2004-0597 PNG with too big hIST (emerging-exploit.rules) 2001723 - ET EXPLOIT ATmaCA PoC for CORE-2004-0819 - Bad PNG (emerging-exploit.rules) 2001724 - ET EXPLOIT libpng CAN-2004-1244 overflow attempt (emerging-exploit.rules) 2001932 - ET EXPLOIT wowBB view_user.php SQL Injection (emerging-exploit.rules) 2002120 - ET EXPLOIT Potential MS05-036 exploit - JPEG 
with embedded ICC - Excessive Profile Size (emerging-exploit.rules) 2002121 - ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Tag Count (emerging-exploit.rules) 2002122 - ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size (emerging-exploit.rules) 2002123 - ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Tag Count (emerging-exploit.rules) 2002124 - ET EXPLOIT Potential MS05-036 exploit - PNG with embedded ICC document (emerging-exploit.rules) 2002134 - ET EXPLOIT MS05-036 exploit - JPEG ICC r/b/g/XYZ GetColorProfileElement overflow (emerging-exploit.rules) 2002137 - ET EXPLOIT MS05-036 exploit - GIF ICC r/b/g/XYZ GetColorProfileElement overflow (emerging-exploit.rules) 2002733 - ET EXPLOIT WMF Escape Record Exploit - All Ports - v3 (emerging-exploit.rules) 2002759 - ET EXPLOIT WMF Escape Record Exploit - All Ports - v1 (emerging-exploit.rules) 2008394 - ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) (emerging-current_events.rules) 2008796 - ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected (emerging-current_events.rules) 2008948 - ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin (emerging-current_events.rules) 2009030 - ET CURRENT_EVENTS NS query for a single dot, possible ddos (emerging-current_events.rules) 2009096 - ET CURRENT_EVENTS Tigger.a/Syzor Control Checkin (emerging-current_events.rules) 2009488 - ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (milllk.com) (emerging-current_events.rules) 2009489 - ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (8oy4t.8866.org) (emerging-current_events.rules) 2009492 - ET CURRENT_EVENTS Potential MSVidCtl 0-day URL (emerging-current_events.rules) 2010102 - ET CURRENT_EVENTS OWC9 RecordNavigationControl Activex Remote Code Excution attempt(MS09-055) (emerging-current_events.rules) 2010103 - ET CURRENT_EVENTS OWC9 FieldList Activex Remote Code Excution Attempt(MS09-055) 
(emerging-current_events.rules) 2010104 - ET CURRENT_EVENTS OWC9 ExpandControl Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010105 - ET CURRENT_EVENTS OWC10 RecordNavigationControl Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010106 - ET CURRENT_EVENTS OWC11 Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010107 - ET CURRENT_EVENTS Visio Viewer 2002-2007 Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010108 - ET CURRENT_EVENTS Windows Live Mail Mail Object Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010109 - ET CURRENT_EVENTS Windows Live Mail Mesg Table Object Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010110 - ET CURRENT_EVENTS Windows Live Mail Mime Editor Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010111 - ET CURRENT_EVENTS Windows Live Mail Message List Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010112 - ET CURRENT_EVENTS MSN Photo Upload Tool Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010113 - ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 1 Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010114 - ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 2 Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010115 - ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 3 Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010116 - ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 4 Activex Remote Code Excution Attempt(MS09-055) (emerging-current_events.rules) 2010117 - ET CURRENT_EVENTS Indexing Service Activex Remote Code Execution CLSID Access Attempt (MS09-057) (emerging-current_events.rules) 2010118 - ET 
CURRENT_EVENTS RSClientPrint Activex CLSID Access Attempt (MS09-062) (emerging-current_events.rules) 2010120 - ET CURRENT_EVENTS Silverlight Activex CLSID Access Attempt (MS09-061) (emerging-current_events.rules) 2010249 - ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) (emerging-current_events.rules) 2010250 - ET CURRENT_EVENTS ZBot EXE Download (personalfile/word.exe) (emerging-current_events.rules) 2010251 - ET CURRENT_EVENTS ZBot EXE Download (updatetool.exe) (emerging-current_events.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-current_events.rules (2): #Matt Jonkman #disabling, remove in the not too distant future -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 164 # Updated 2010-01-07 11:19:51 -> Added to emerging-rbn.rules (2): # VERSION 164 # Updated 2010-01-07 11:19:51 -> Added to emerging-sid-msg.map (156): 2001686 || ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Awstats || url,doc.emergingthreats.net/2001686 || cve,CAN-2005-0116 || bugtraq,12298 || url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false || url,awstats.sourceforge.net || url,www.k-otik.com/exploits/20050302.awstats_shell.c.php || url,www.k-otik.com/exploits/20050124.awexpl.c.php 2009096 || ET TROJAN Tigger.a/Syzor Control Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tigger || url,doc.emergingthreats.net/2009096 || url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html || url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix 2010560 || ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/210560 || url,www.kb.cert.org/vuls/id/789121 || 
url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010629 || ET CURRENT_EVENTS MySpace Spam Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL || url,doc.emergingthreats.net/2010629 2404000 || ET DROP Known Bot C&C Server Traffic TCP (group 1) || url,www.shadowserver.org 2404001 || ET DROP Known Bot C&C Server Traffic UDP (group 1) || url,www.shadowserver.org 2404002 || ET DROP Known Bot C&C Server Traffic TCP (group 2) || url,www.shadowserver.org 2404003 || ET DROP Known Bot C&C Server Traffic UDP (group 2) || url,www.shadowserver.org 2404004 || ET DROP Known Bot C&C Server Traffic TCP (group 3) || url,www.shadowserver.org 2404005 || ET DROP Known Bot C&C Server Traffic UDP (group 3) || url,www.shadowserver.org 2404006 || ET DROP Known Bot C&C Server Traffic TCP (group 4) || url,www.shadowserver.org 2404007 || ET DROP Known Bot C&C Server Traffic UDP (group 4) || url,www.shadowserver.org 2404008 || ET DROP Known Bot C&C Server Traffic TCP (group 5) || url,www.shadowserver.org 2404009 || ET DROP Known Bot C&C Server Traffic UDP (group 5) || url,www.shadowserver.org 2404010 || ET DROP Known Bot C&C Server Traffic TCP (group 6) || url,www.shadowserver.org 2404011 || ET DROP Known Bot C&C Server Traffic UDP (group 6) || url,www.shadowserver.org 2404012 || ET DROP Known Bot C&C Server Traffic TCP (group 7) || url,www.shadowserver.org 2404013 || ET DROP Known Bot C&C Server Traffic UDP (group 7) || url,www.shadowserver.org 2404014 || ET DROP Known Bot C&C Server Traffic TCP (group 8) || url,www.shadowserver.org 2404015 || ET DROP Known Bot C&C Server Traffic UDP (group 8) || url,www.shadowserver.org 2404016 || ET DROP Known Bot C&C Server Traffic TCP (group 9) || url,www.shadowserver.org 2404017 || ET DROP Known Bot C&C Server Traffic UDP (group 9) || url,www.shadowserver.org 2404018 || ET DROP Known Bot C&C Server Traffic TCP (group 10) || 
url,www.shadowserver.org 2404019 || ET DROP Known Bot C&C Server Traffic UDP (group 10) || url,www.shadowserver.org 2404020 || ET DROP Known Bot C&C Server Traffic TCP (group 11) || url,www.shadowserver.org 2404021 || ET DROP Known Bot C&C Server Traffic UDP (group 11) || url,www.shadowserver.org 2404022 || ET DROP Known Bot C&C Server Traffic TCP (group 12) || url,www.shadowserver.org 2404023 || ET DROP Known Bot C&C Server Traffic UDP (group 12) || url,www.shadowserver.org 2404024 || ET DROP Known Bot C&C Server Traffic TCP (group 13) || url,www.shadowserver.org 2404025 || ET DROP Known Bot C&C Server Traffic UDP (group 13) || url,www.shadowserver.org 2404026 || ET DROP Known Bot C&C Server Traffic TCP (group 14) || url,www.shadowserver.org 2404027 || ET DROP Known Bot C&C Server Traffic UDP (group 14) || url,www.shadowserver.org 2404028 || ET DROP Known Bot C&C Server Traffic TCP (group 15) || url,www.shadowserver.org 2404029 || ET DROP Known Bot C&C Server Traffic UDP (group 15) || url,www.shadowserver.org 2404030 || ET DROP Known Bot C&C Server Traffic TCP (group 16) || url,www.shadowserver.org 2404031 || ET DROP Known Bot C&C Server Traffic UDP (group 16) || url,www.shadowserver.org 2404032 || ET DROP Known Bot C&C Server Traffic TCP (group 17) || url,www.shadowserver.org 2404033 || ET DROP Known Bot C&C Server Traffic UDP (group 17) || url,www.shadowserver.org 2404034 || ET DROP Known Bot C&C Server Traffic TCP (group 18) || url,www.shadowserver.org 2404035 || ET DROP Known Bot C&C Server Traffic UDP (group 18) || url,www.shadowserver.org 2404036 || ET DROP Known Bot C&C Server Traffic TCP (group 19) || url,www.shadowserver.org 2404037 || ET DROP Known Bot C&C Server Traffic UDP (group 19) || url,www.shadowserver.org 2404038 || ET DROP Known Bot C&C Server Traffic TCP (group 20) || url,www.shadowserver.org 2404039 || ET DROP Known Bot C&C Server Traffic UDP (group 20) || url,www.shadowserver.org 2404040 || ET DROP Known Bot C&C Server Traffic TCP (group 21) 
|| url,www.shadowserver.org 2404041 || ET DROP Known Bot C&C Server Traffic UDP (group 21) || url,www.shadowserver.org 2404042 || ET DROP Known Bot C&C Server Traffic TCP (group 22) || url,www.shadowserver.org 2404043 || ET DROP Known Bot C&C Server Traffic UDP (group 22) || url,www.shadowserver.org 2404044 || ET DROP Known Bot C&C Server Traffic TCP (group 23) || url,www.shadowserver.org 2404045 || ET DROP Known Bot C&C Server Traffic UDP (group 23) || url,www.shadowserver.org 2404046 || ET DROP Known Bot C&C Server Traffic TCP (group 24) || url,www.shadowserver.org 2404047 || ET DROP Known Bot C&C Server Traffic UDP (group 24) || url,www.shadowserver.org 2404048 || ET DROP Known Bot C&C Server Traffic TCP (group 25) || url,www.shadowserver.org 2404049 || ET DROP Known Bot C&C Server Traffic UDP (group 25) || url,www.shadowserver.org 2404050 || ET DROP Known Bot C&C Server Traffic TCP (group 26) || url,www.shadowserver.org 2404051 || ET DROP Known Bot C&C Server Traffic UDP (group 26) || url,www.shadowserver.org 2404052 || ET DROP Known Bot C&C Server Traffic TCP (group 27) || url,www.shadowserver.org 2404053 || ET DROP Known Bot C&C Server Traffic UDP (group 27) || url,www.shadowserver.org 2405000 || ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE || url,www.shadowserver.org 2405001 || ET DROP Known Bot C&C Traffic UDP (group 1) - BLOCKING SOURCE || url,www.shadowserver.org 2405002 || ET DROP Known Bot C&C Traffic TCP (group 2) - BLOCKING SOURCE || url,www.shadowserver.org 2405003 || ET DROP Known Bot C&C Traffic UDP (group 2) - BLOCKING SOURCE || url,www.shadowserver.org 2405004 || ET DROP Known Bot C&C Traffic TCP (group 3) - BLOCKING SOURCE || url,www.shadowserver.org 2405005 || ET DROP Known Bot C&C Traffic UDP (group 3) - BLOCKING SOURCE || url,www.shadowserver.org 2405006 || ET DROP Known Bot C&C Traffic TCP (group 4) - BLOCKING SOURCE || url,www.shadowserver.org 2405007 || ET DROP Known Bot C&C Traffic UDP (group 4) - BLOCKING SOURCE || 
url,www.shadowserver.org 2405008 || ET DROP Known Bot C&C Traffic TCP (group 5) - BLOCKING SOURCE || url,www.shadowserver.org 2405009 || ET DROP Known Bot C&C Traffic UDP (group 5) - BLOCKING SOURCE || url,www.shadowserver.org 2405010 || ET DROP Known Bot C&C Traffic TCP (group 6) - BLOCKING SOURCE || url,www.shadowserver.org 2405011 || ET DROP Known Bot C&C Traffic UDP (group 6) - BLOCKING SOURCE || url,www.shadowserver.org 2405012 || ET DROP Known Bot C&C Traffic TCP (group 7) - BLOCKING SOURCE || url,www.shadowserver.org 2405013 || ET DROP Known Bot C&C Traffic UDP (group 7) - BLOCKING SOURCE || url,www.shadowserver.org 2405014 || ET DROP Known Bot C&C Traffic TCP (group 8) - BLOCKING SOURCE || url,www.shadowserver.org 2405015 || ET DROP Known Bot C&C Traffic UDP (group 8) - BLOCKING SOURCE || url,www.shadowserver.org 2405016 || ET DROP Known Bot C&C Traffic TCP (group 9) - BLOCKING SOURCE || url,www.shadowserver.org 2405017 || ET DROP Known Bot C&C Traffic UDP (group 9) - BLOCKING SOURCE || url,www.shadowserver.org 2405018 || ET DROP Known Bot C&C Traffic TCP (group 10) - BLOCKING SOURCE || url,www.shadowserver.org 2405019 || ET DROP Known Bot C&C Traffic UDP (group 10) - BLOCKING SOURCE || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic TCP (group 11) - BLOCKING SOURCE || url,www.shadowserver.org 2405021 || ET DROP Known Bot C&C Traffic UDP (group 11) - BLOCKING SOURCE || url,www.shadowserver.org 2405022 || ET DROP Known Bot C&C Traffic TCP (group 12) - BLOCKING SOURCE || url,www.shadowserver.org 2405023 || ET DROP Known Bot C&C Traffic UDP (group 12) - BLOCKING SOURCE || url,www.shadowserver.org 2405024 || ET DROP Known Bot C&C Traffic TCP (group 13) - BLOCKING SOURCE || url,www.shadowserver.org 2405025 || ET DROP Known Bot C&C Traffic UDP (group 13) - BLOCKING SOURCE || url,www.shadowserver.org 2405026 || ET DROP Known Bot C&C Traffic TCP (group 14) - BLOCKING SOURCE || url,www.shadowserver.org 2405027 || ET DROP Known Bot C&C Traffic UDP 
(group 14) - BLOCKING SOURCE || url,www.shadowserver.org 2405028 || ET DROP Known Bot C&C Traffic TCP (group 15) - BLOCKING SOURCE || url,www.shadowserver.org 2405029 || ET DROP Known Bot C&C Traffic UDP (group 15) - BLOCKING SOURCE || url,www.shadowserver.org 2405030 || ET DROP Known Bot C&C Traffic TCP (group 16) - BLOCKING SOURCE || url,www.shadowserver.org 2405031 || ET DROP Known Bot C&C Traffic UDP (group 16) - BLOCKING SOURCE || url,www.shadowserver.org 2405032 || ET DROP Known Bot C&C Traffic TCP (group 17) - BLOCKING SOURCE || url,www.shadowserver.org 2405033 || ET DROP Known Bot C&C Traffic UDP (group 17) - BLOCKING SOURCE || url,www.shadowserver.org 2405034 || ET DROP Known Bot C&C Traffic TCP (group 18) - BLOCKING SOURCE || url,www.shadowserver.org 2405035 || ET DROP Known Bot C&C Traffic UDP (group 18) - BLOCKING SOURCE || url,www.shadowserver.org 2405036 || ET DROP Known Bot C&C Traffic TCP (group 19) - BLOCKING SOURCE || url,www.shadowserver.org 2405037 || ET DROP Known Bot C&C Traffic UDP (group 19) - BLOCKING SOURCE || url,www.shadowserver.org 2405038 || ET DROP Known Bot C&C Traffic TCP (group 20) - BLOCKING SOURCE || url,www.shadowserver.org 2405039 || ET DROP Known Bot C&C Traffic UDP (group 20) - BLOCKING SOURCE || url,www.shadowserver.org 2405040 || ET DROP Known Bot C&C Traffic TCP (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2405041 || ET DROP Known Bot C&C Traffic UDP (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2405042 || ET DROP Known Bot C&C Traffic TCP (group 22) - BLOCKING SOURCE || url,www.shadowserver.org 2405043 || ET DROP Known Bot C&C Traffic UDP (group 22) - BLOCKING SOURCE || url,www.shadowserver.org 2405044 || ET DROP Known Bot C&C Traffic TCP (group 23) - BLOCKING SOURCE || url,www.shadowserver.org 2405045 || ET DROP Known Bot C&C Traffic UDP (group 23) - BLOCKING SOURCE || url,www.shadowserver.org 2405046 || ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org 
2405047 || ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE || url,www.shadowserver.org 2405048 || ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org 2405049 || ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE || url,www.shadowserver.org 2405050 || ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org 2405051 || ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE || url,www.shadowserver.org 2405052 || ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org 2405053 || ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE || url,www.shadowserver.org 2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500557 || ET COMPROMISED 
Known Compromised or Hostile Host Traffic UDP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500562 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500563 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500564 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500565 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500566 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500567 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500568 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500569 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510549 || ET COMPROMISED Known Compromised or Hostile 
Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510562 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (282) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510563 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510564 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510565 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510566 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510567 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510568 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510569 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (156): 2001686 || ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Awstats || url,doc.emergingthreats.net/2001686 || cve,CAN-2005-0116 || bugtraq,12298 || url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false || url,awstats.sourceforge.net || url,www.k-otik.com/exploits/20050302.awstats_shell.c.php || url,www.k-otik.com/exploits/20050124.awexpl.c.php 2009096 || ET TROJAN Tigger.a/Syzor Control Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tigger || url,doc.emergingthreats.net/2009096 || url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html || url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix 2010560 || ET WEB_CLIENT 
Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_MS_Whale || url,doc.emergingthreats.net/210560 || url,www.kb.cert.org/vuls/id/789121 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb 2010629 || ET CURRENT_EVENTS MySpace Spam Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL || url,doc.emergingthreats.net/2010629 2404000 || ET DROP Known Bot C&C Server Traffic TCP (group 1) || url,www.shadowserver.org 2404001 || ET DROP Known Bot C&C Server Traffic UDP (group 1) || url,www.shadowserver.org 2404002 || ET DROP Known Bot C&C Server Traffic TCP (group 2) || url,www.shadowserver.org 2404003 || ET DROP Known Bot C&C Server Traffic UDP (group 2) || url,www.shadowserver.org 2404004 || ET DROP Known Bot C&C Server Traffic TCP (group 3) || url,www.shadowserver.org 2404005 || ET DROP Known Bot C&C Server Traffic UDP (group 3) || url,www.shadowserver.org 2404006 || ET DROP Known Bot C&C Server Traffic TCP (group 4) || url,www.shadowserver.org 2404007 || ET DROP Known Bot C&C Server Traffic UDP (group 4) || url,www.shadowserver.org 2404008 || ET DROP Known Bot C&C Server Traffic TCP (group 5) || url,www.shadowserver.org 2404009 || ET DROP Known Bot C&C Server Traffic UDP (group 5) || url,www.shadowserver.org 2404010 || ET DROP Known Bot C&C Server Traffic TCP (group 6) || url,www.shadowserver.org 2404011 || ET DROP Known Bot C&C Server Traffic UDP (group 6) || url,www.shadowserver.org 2404012 || ET DROP Known Bot C&C Server Traffic TCP (group 7) || url,www.shadowserver.org 2404013 || ET DROP Known Bot C&C Server Traffic UDP (group 7) || url,www.shadowserver.org 2404014 || ET DROP Known Bot C&C Server Traffic TCP (group 8) || url,www.shadowserver.org 2404015 || ET DROP Known Bot C&C Server Traffic UDP (group 8) || url,www.shadowserver.org 2404016 || ET DROP 
Known Bot C&C Server Traffic TCP (group 9) || url,www.shadowserver.org 2404017 || ET DROP Known Bot C&C Server Traffic UDP (group 9) || url,www.shadowserver.org 2404018 || ET DROP Known Bot C&C Server Traffic TCP (group 10) || url,www.shadowserver.org 2404019 || ET DROP Known Bot C&C Server Traffic UDP (group 10) || url,www.shadowserver.org 2404020 || ET DROP Known Bot C&C Server Traffic TCP (group 11) || url,www.shadowserver.org 2404021 || ET DROP Known Bot C&C Server Traffic UDP (group 11) || url,www.shadowserver.org 2404022 || ET DROP Known Bot C&C Server Traffic TCP (group 12) || url,www.shadowserver.org 2404023 || ET DROP Known Bot C&C Server Traffic UDP (group 12) || url,www.shadowserver.org 2404024 || ET DROP Known Bot C&C Server Traffic TCP (group 13) || url,www.shadowserver.org 2404025 || ET DROP Known Bot C&C Server Traffic UDP (group 13) || url,www.shadowserver.org 2404026 || ET DROP Known Bot C&C Server Traffic TCP (group 14) || url,www.shadowserver.org 2404027 || ET DROP Known Bot C&C Server Traffic UDP (group 14) || url,www.shadowserver.org 2404028 || ET DROP Known Bot C&C Server Traffic TCP (group 15) || url,www.shadowserver.org 2404029 || ET DROP Known Bot C&C Server Traffic UDP (group 15) || url,www.shadowserver.org 2404030 || ET DROP Known Bot C&C Server Traffic TCP (group 16) || url,www.shadowserver.org 2404031 || ET DROP Known Bot C&C Server Traffic UDP (group 16) || url,www.shadowserver.org 2404032 || ET DROP Known Bot C&C Server Traffic TCP (group 17) || url,www.shadowserver.org 2404033 || ET DROP Known Bot C&C Server Traffic UDP (group 17) || url,www.shadowserver.org 2404034 || ET DROP Known Bot C&C Server Traffic TCP (group 18) || url,www.shadowserver.org 2404035 || ET DROP Known Bot C&C Server Traffic UDP (group 18) || url,www.shadowserver.org 2404036 || ET DROP Known Bot C&C Server Traffic TCP (group 19) || url,www.shadowserver.org 2404037 || ET DROP Known Bot C&C Server Traffic UDP (group 19) || url,www.shadowserver.org 2404038 || ET DROP 
url,www.frsirt.com/english/advisories/2005/3086 2002759 || ET EXPLOIT WMF Escape Record Exploit - All Ports - v1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WMF || url,doc.emergingthreats.net/bin/view/Main/2002759 || url,www.frsirt.com/english/advisories/2005/3086 2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Holmes || url,doc.emergingthreats.net/bin/view/Main/2008394 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mac_DNSChanger || url,doc.emergingthreats.net/bin/view/Main/2008796 2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Trojan_PWS_Onlinegamestealer || url,doc.emergingthreats.net/bin/view/Main/2008948 || url,www.threatexpert.com/reports.aspx?find=help.rar 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_dot || url,doc.emergingthreats.net/bin/view/Main/2009030 || url,isc.sans.org/diary.html?storyid=5713 2009096 || ET CURRENT_EVENTS Tigger.a/Syzor Control Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Tigger || url,doc.emergingthreats.net/2009096 || url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html || url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix 2009488 || ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (milllk.com) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl || url,doc.emergingthreats.net/2009488 || url,tools.cisco.com/security/center/viewAlert.x?alertId=18595 || url,www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799 || url,isc.sans.org/diary.html?storyid=6733 2009489 || 
ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (8oy4t.8866.org) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl || url,doc.emergingthreats.net/2009489 || url,tools.cisco.com/security/center/viewAlert.x?alertId=18595 || url,www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799 || url,isc.sans.org/diary.html?storyid=6733 2009492 || ET CURRENT_EVENTS Potential MSVidCtl 0-day URL || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl || url,doc.emergingthreats.net/2009492 || url,tools.cisco.com/security/center/viewAlert.x?alertId=18595 || url,isc.sans.org/diary.html?storyid=6733 2010102 || ET CURRENT_EVENTS OWC9 RecordNavigationControl Activex Remote Code Excution attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010102 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010103 || ET CURRENT_EVENTS OWC9 FieldList Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010103 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010104 || ET CURRENT_EVENTS OWC9 ExpandControl Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010104 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010105 || ET CURRENT_EVENTS OWC10 RecordNavigationControl Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010105 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010106 || ET CURRENT_EVENTS OWC11 Activex Remote Code Excution Attempt(MS09-055) 
|| url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010106 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010107 || ET CURRENT_EVENTS Visio Viewer 2002-2007 Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010107 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010108 || ET CURRENT_EVENTS Windows Live Mail Mail Object Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010108 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010109 || ET CURRENT_EVENTS Windows Live Mail Mesg Table Object Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010109 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010110 || ET CURRENT_EVENTS Windows Live Mail Mime Editor Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010110 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010111 || ET CURRENT_EVENTS Windows Live Mail Message List Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010111 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010112 || ET CURRENT_EVENTS MSN Photo Upload Tool Activex Remote Code Excution Attempt(MS09-055) || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010112 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010113 || ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 1 Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010113 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010114 || ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 2 Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010114 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010115 || ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 3 Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010115 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010116 || ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 4 Activex Remote Code Excution Attempt(MS09-055) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010116 || cve,CVE-2009-2493 || url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx 2010117 || ET CURRENT_EVENTS Indexing Service Activex Remote Code Execution CLSID Access Attempt (MS09-057) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010117 || cve,CVE-2009-2507 || url,www.microsoft.com/technet/security/bulletin/MS09-057.mspx 2010118 || ET CURRENT_EVENTS RSClientPrint Activex CLSID Access Attempt (MS09-062) || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010118 || cve,CVE-2009-2500 || url,www.microsoft.com/technet/security/bulletin/MS09-062.mspx 2010120 || ET CURRENT_EVENTS Silverlight Activex CLSID Access Attempt (MS09-061) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday || url,doc.emergingthreats.net/2010117 || cve,CVE-2009-2497 || url,www.microsoft.com/technet/security/bulletin/MS09-061.mspx 2010249 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/20102449 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on 2010250 || ET CURRENT_EVENTS ZBot EXE Download (personalfile/word.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/2010250 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on 2010251 || ET CURRENT_EVENTS ZBot EXE Download (updatetool.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot || url,doc.emergingthreats.net/2010251 || url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on 2404000 || ET DROP Known Bot C&C Server Traffic (group 1) || url,www.shadowserver.org 2404001 || ET DROP Known Bot C&C Server Traffic (group 2) || url,www.shadowserver.org 2404002 || ET DROP Known Bot C&C Server Traffic (group 3) || url,www.shadowserver.org 2404003 || ET DROP Known Bot C&C Server Traffic (group 4) || url,www.shadowserver.org 2404004 || ET DROP Known Bot C&C Server Traffic (group 5) || url,www.shadowserver.org 2404005 || ET DROP Known Bot C&C Server Traffic (group 6) || 
url,www.shadowserver.org 2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org 2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org 2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org 2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org 2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org 2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || url,www.shadowserver.org 2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org 2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org 2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org 2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org 2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org 2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org 2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org 2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2404021 || ET DROP Known Bot C&C Server Traffic (group 22) || url,www.shadowserver.org 2404022 || ET DROP Known Bot C&C Server Traffic (group 23) || url,www.shadowserver.org 2404023 || ET DROP Known Bot C&C Server Traffic (group 24) || url,www.shadowserver.org 2404024 || ET DROP Known Bot C&C Server Traffic (group 25) || url,www.shadowserver.org 2404025 || ET DROP Known Bot C&C Server Traffic (group 26) || url,www.shadowserver.org 2404026 || ET DROP Known Bot C&C Server Traffic (group 27) || url,www.shadowserver.org 2404027 || ET DROP Known Bot C&C Server Traffic (group 28) || url,www.shadowserver.org 2405000 || ET DROP Known Bot C&C Traffic (group 1) - BLOCKING 
SOURCE || url,www.shadowserver.org 2405001 || ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE || url,www.shadowserver.org 2405002 || ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE || url,www.shadowserver.org 2405003 || ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE || url,www.shadowserver.org 2405004 || ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE || url,www.shadowserver.org 2405005 || ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE || url,www.shadowserver.org 2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org 2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org 2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org 2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org 2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org 2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org 2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org 2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org 2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org 2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org 2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org 2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org 2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org 2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2405021 || 
From jonkman at jonkmans.com Thu Jan 7 16:11:31 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 07 Jan 2010 16:11:31 -0500
Subject: [Emerging-Sigs] SSH - Brute-Force Sig
In-Reply-To: <4B45C5A7.5030108@mare-system.de>
References: <4B45C5A7.5030108@mare-system.de>
Message-ID: <4B464E03.8020606@jonkmans.com>

Have you looked at these mex:

www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port

Are we duplicating detection with any of these?

Matt

On 1/7/10 6:29 AM, mex wrote:
>
> i played a little with the ssh/bruteforce related sigs
> suggested by frank
>
> 2001219: SCAN Potential SSH Scan
> this checks barely for the syn-flag on port 22
>
>
> 2006435: SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
> 2001219: SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
>
> these two sigs check for the string [ content:"SSH-"; content:"libssh"; ] of the user-request
> and work well as long as someone doesn't use any other lib/ssh-client for brute forcing.
>
> these two libssh-sigs have nearly the same amount of alerts as the proposed
> ssh-brute-force sig below, while the sig below catches the client-request, not
> user-agent. 2001219 produces a lot of fp, regarding to ssh-brute-force-detection.
> if needed, i can provide the results.
>
> this sig has been tested with openssh-server and bsd/solaris/linux-opensshclient,
> so i'm not sure if this will fire on other servers than openssh.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH-Connection Brute Force "; flow:to_server,established; content:"|15 00 00 00 00|"; depth:10; threshold: type both, track by_src, count 5, seconds 30; classtype:attempted-user; reference:url,www.sshbl.org/; sid:11220047; rev:3;)
>
>
>
>
> mex
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From kevross33 at googlemail.com Thu Jan 7 18:17:11 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 7 Jan 2010 23:17:11 +0000
Subject: [Emerging-Sigs] more good disable candidate sigs
Message-ID:

See inline comments,
kev

# This can be disabled I reckon as I don't think this is the Adobe vulnerability everyone is going to be exploiting, too many to choose from last year :)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; uricontent:".pdf|00|"; nocase; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Adobe_Acrobat_BO; sid:2001217; rev:9;)

# Cve from 2001
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "ET EXPLOIT MSIE Hidden Address Bar (Phish)"; flow: to_client,established; content:"window.createpopup"; nocase; content:"innerhtml"; nocase; content:"vuln_"; nocase; reference:url,www.guninski.com/popspoof.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/js.trojan.blinder.html; reference:cve,2001-1410; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001813; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities; sid: 2001813; rev:9;)

# From 2003
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET EXPLOIT mIRC <=6.12 DCC Buffer Overflow"; flow: to_client, established; content:"DCC SEND "; nocase; isdataat: 100, relative; reference:bugtraq,8880; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000329; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MIRC_Overflow; sid: 2000329; rev:8;)

# 2005, looking for a large INVITE command. Could possibly be moved to emerging-voip. Perhaps even altered in the message to say large invite, a kind of generic overflow sig
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET EXPLOIT MultiTech SIP UDP Overflow"; content:"INVITE"; nocase; depth:6; isdataat:65,relative; content:!"|0a|"; within:61; reference:cve,2005-4050; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2003237; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_SIP; sid:2003237; rev:6;)

# 2004 Sasser related, possibly move to virus category or disable. Performance-wise looks fine though, so if sasser is still about in places it will be worth hanging onto.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Sasser_LSA; sid: 2000032; rev:9;)

# 2004, and also PCRE on GET request without content match
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000:8030 (msg:"ET EXPLOIT Nullsoft Shoutcast Server Format String Attack"; flow:established,to_server; content:"GET "; depth:4; nocase; pcre:"/\/content\/.*?%#?\d*[a-z\.].*?\.mp3/Ri"; reference:cve,2004-1373; reference:bugtraq,12096; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001751; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Shoutcast; sid:2001751; rev:8;)

# Move to web-activex. 2008 so still recent, possibly add clsid checks also and PCRE check
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2007847; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Sony_Imagestation; sid:2007847; rev:2;)

# 2004, however there might be really old appliances or something in use? Possibly disable by default?
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"ET EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000342; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Squid_NTLM_Overflow; sid: 2000342; rev:6;)

# From 2005, no depth set, and also may be picked up by other rules or the FTP preprocessor
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Wzdftpd SITE command arbitrary command execution attempt"; flow:to_server,established; content:"site"; nocase; pcre:"/site\s+.*?[\;|&]/i"; reference:bugtraq,14935; reference:url,www.securiteam.com/exploits/5CP0R1PGUE.html; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002382; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Wzdftpd; sid:2002382; rev:6;)

# From 2005, possibly move to web-apps file.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "ET EXPLOIT WebHints Scripts Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/hints.pl?|7c|"; nocase; classtype: web-application-attack; reference:bugtraq,13930; reference:url,doc.emergingthreats.net/bin/view/Main/2001991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Webhints; sid: 2001991; rev:8;)
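As an added illustration of Kevin's reading of the MultiTech SIP rule as a generic "large INVITE" check (and of the similar isdataat-only check in the mIRC DCC rule), here is a small Python model of how Snort walks a payload with content, nocase, offset, depth, distance, within and isdataat; it is not code from this thread, Emerging Threats or Snort. The SIP and IRC packets are constructed test inputs, and the exact byte boundary of isdataat is an assumption noted in the code.

```python
"""Model of the payload checks in two rules from Kevin's list above: the MultiTech
SIP rule (sid 2003237) and the mIRC DCC rule (sid 2000329).  Added illustration,
not Emerging Threats or Snort code; it emulates only content (with nocase, offset,
depth, distance, within, negation) and isdataat.  Everything else in a rule
(flow, pcre, references, ...) is ignored."""
import re

# Rule text copied from the thread above; the remaining reference: options were
# dropped because they play no part in matching.
SIP_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET EXPLOIT MultiTech'
            ' SIP UDP Overflow"; content:"INVITE"; nocase; depth:6; isdataat:65,relative;'
            ' content:!"|0a|"; within:61; reference:cve,2005-4050;'
            ' classtype:attempted-user; sid:2003237; rev:6;)')
MIRC_RULE = ('alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET EXPLOIT mIRC <=6.12'
             ' DCC Buffer Overflow"; flow: to_client, established; content:"DCC SEND ";'
             ' nocase; isdataat: 100, relative; reference:bugtraq,8880;'
             ' classtype: attempted-dos; sid: 2000329; rev:8;)')

# Constructed test payloads (not real captures).  The SIP headers are ordinary.
SIP_HEADERS = (b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
               b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
               b"To: Bob <sip:bob@example.com>\r\n\r\n")
NORMAL_INVITE = b"INVITE sip:bob@example.com SIP/2.0\r\n" + SIP_HEADERS
# Same request, but the request line runs far past the 61-byte window in which
# the rule expects to see a newline: this is what the rule treats as an overflow.
LONG_INVITE = b"INVITE sip:" + b"A" * 120 + b"@example.com SIP/2.0\r\n" + SIP_HEADERS
NORMAL_DCC = b":bob!u@host PRIVMSG alice :\x01DCC SEND notes.txt 3232235521 1234 42\x01\r\n"
LONG_DCC = b":bob!u@host PRIVMSG alice :\x01DCC SEND " + b"A" * 150 + b"\x01\r\n"

_OPTION = re.compile(r'\s*([a-z_]+)(?::([^;]*))?;')


def _parse_content(value):
    """'!"|0a|"' -> (True, b'\\n');  '"INVITE"' -> (False, b'INVITE')."""
    value = value.strip()
    negated = value.startswith('!')
    raw = value.lstrip('!').strip().strip('"')
    out = bytearray()
    for i, piece in enumerate(raw.split('|')):     # odd pieces are |hex| blocks
        out += bytes.fromhex(piece) if i % 2 else piece.encode('latin-1')
    return negated, bytes(out)


def payload_checks(rule):
    """Collect the content/isdataat options of a rule in order, each content
    carrying the modifiers that follow it."""
    options = rule[rule.index('(') + 1:rule.rindex(')')]
    checks = []
    for name, value in _OPTION.findall(options):
        if name == 'content':
            negated, pattern = _parse_content(value)
            checks.append({'kind': 'content', 'pattern': pattern, 'negated': negated,
                           'nocase': False, 'offset': 0, 'depth': None,
                           'distance': None, 'within': None})
        elif name == 'isdataat':
            n, _, rel = value.partition(',')
            checks.append({'kind': 'isdataat', 'n': int(n),
                           'relative': rel.strip() == 'relative'})
        elif checks and checks[-1]['kind'] == 'content':
            if name == 'nocase':
                checks[-1]['nocase'] = True
            elif name in ('offset', 'depth', 'distance', 'within'):
                checks[-1][name] = int(value)
    return checks


def rule_matches(rule, payload):
    """Walk the checks the way Snort does: a successful content match moves the
    cursor to its end; offset/depth are measured from the packet start,
    distance/within and a relative isdataat from the cursor."""
    cursor = 0
    for c in payload_checks(rule):
        if c['kind'] == 'isdataat':
            # Assumption: "data at n" means a byte exists n positions past the base.
            base = cursor if c['relative'] else 0
            if len(payload) <= base + c['n']:
                return False
            continue
        if c['distance'] is not None or c['within'] is not None:
            start = cursor + (c['distance'] or 0)
            end = start + c['within'] if c['within'] is not None else len(payload)
        else:
            start = c['offset']
            end = start + c['depth'] if c['depth'] is not None else len(payload)
        hay, pattern = payload[start:end], c['pattern']
        if c['nocase']:
            hay, pattern = hay.lower(), pattern.lower()
        idx = hay.find(pattern)
        if c['negated']:
            if idx != -1:
                return False
            continue                                # negated content leaves the cursor alone
        if idx == -1:
            return False
        cursor = start + idx + len(pattern)
    return True


if __name__ == '__main__':
    for label, rule, pkt in (('normal INVITE', SIP_RULE, NORMAL_INVITE),
                             ('long INVITE', SIP_RULE, LONG_INVITE),
                             ('normal DCC SEND', MIRC_RULE, NORMAL_DCC),
                             ('long DCC SEND', MIRC_RULE, LONG_DCC)):
        print(f"{label:16s} -> {'ALERT' if rule_matches(rule, pkt) else 'no alert'}")
```

Both rules fire on any request whose line runs past the modelled window, whether or not the peer is the vulnerable product, which is the "generic overflow sig" point made above.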
From bojan.isc at gmail.com Fri Jan 8 03:52:30 2010
From: bojan.isc at gmail.com (Bojan Zdrnja (SANS ISC))
Date: Fri, 8 Jan 2010 09:52:30 +0100
Subject: [Emerging-Sigs] Proposed Sigs for Malicious / Metasploit-infected PDFs
In-Reply-To: <4B45060F.2090601@mare-system.de>
References: <4B45060F.2090601@mare-system.de>
Message-ID: <9d6a1ae61001080052v39fc2818hcb63b88efdf979af@mail.gmail.com>

This will generate loads of false positives. FlateDecode filter is a legitimate filter in PDF documents (that's actually Zip compression). Almost any stream in a PDF document will be compressed in order to save space, so you can have perfectly legitimate PDFs that contain pictures inside and that have /Filter /FlateDecode.

Bojan

On Wed, Jan 6, 2010 at 10:52 PM, mex wrote:
>
> in a blogpost i found interesting information
> regarding metasploit-generated/infected pdfs
> http://extraexploit.blogspot.com/search/label/CVE-2009-4324
> and i built some sigs around it (see below); the first two sigs
> simply scan http-traffic in and out for the malicious strings,
> while the others are sigs with flowbits. i found no
> information if the flowbit-option is pinned to a single
> ip so i'm not sure about side effects on sites with tons of
> legit pdf-downloads.
>
> i tested the rules with some pdfs i found in $SPAM, all with low
> detection rates @ virustotal:
>
>> CONFIRMATION DE GAIN FREELOTTO.pf
> http://www.virustotal.com/analisis/ffc2bce0acc3e0d313c254fe5da4091d39cf724d08adfb7438ae39681a0ac9fe-1262813177
>
>> FMo9A8pDZNCaw9AVq2uz5d.pdf
> http://www.virustotal.com/analisis/58cdc67dbffb6d2d29eb0f7ce4776e843f6ec3a886ca9e58db3c71d57abeec23-1262748518
>
>> VOTRE_NOTIFICATION_DE_GAIN_MICROSOFT.pdf
> http://www.virustotal.com/analisis/44e4a6f4ac39f15619c346eb49b517df5af3ae08c6f7e6a74d9ba5ccd1a26fd6-1260153904
>
> one problem occurred: i had to set the value [server_flow_depth 1460]
> (which was unset by default but did not detect the strings in the
> response-stream) in preprocessor http_inspect_server which might
> increase the overall load of the sensor.
>
> i don't know if it makes sense to create a SMTP-outgoing rule
> for that.
>
>
>
> # simple rules
> # malicious pdf outgoing (metasploit-infected)
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected) "; flow:to_client,established; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220037; rev:2;)
> #content:"|25|"; content:"PDF-"; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15;
>
> # malicious pdf incoming (metasploit-infected)
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious PDF Transfer incoming (Metasploit-Infected) "; flow:to_client,established; content:"|25|PDF-"; depth:500; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220040; rev:2;)
>
>
>
> # flowbit_rule outgoing
> # malicious pdf outgoing (metasploit-infected) trigger 1
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Malicious_PDF outgoing Trigger"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:".pdf"; flowbits:set,ET.malicious_pdf; flowbits:noalert; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220041; rev:2;)
>
>
> # malicious pdf outgoing (metasploit-infected) trigger 2 / alert
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected) flow "; flow:to_client,established; flowbits:isset,ET.malicious_pdf; flowbits:unset,ET.malicious_pdf; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220042; rev:2;)
> #content:"|25|"; content:"PDF-"; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15;
>
>
> # flowbit_rule incoming
> # malicious pdf incoming (metasploit-infected) trigger 1
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Malicious_PDF incoming Trigger"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:".pdf"; flowbits:set,ET.malicious_pdf; flowbits:noalert; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220043; rev:2;)
>
>
> # malicious pdf incoming (metasploit-infected) trigger 2 / alert
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious PDF Transfer incoming (Metasploit-Infected) flow "; flow:to_client,established; flowbits:isset,ET.malicious_pdf; flowbits:unset,ET.malicious_pdf; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220044; rev:2;)
>
>

From kevross33 at googlemail.com Fri Jan 8 07:11:14 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 8 Jan 2010 12:11:14 +0000
Subject: [Emerging-Sigs] More possible disable/retire sigs
Message-ID:

# From 2002
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2002845; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Hello; sid:2002845; rev:5;)

# From 2002, also applying pcre to .php?; may also be detected by other generic sigs
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Exploit Suspected PHP Injection Attack"; flow: to_server,established; content:"GET "; nocase; depth:4; uricontent:".php?"; nocase; pcre:"/(name=(https?|ftps?|php)|cmd=.*(cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp))/Ui"; reference:cve,2002-0953; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_PHP_Injection; sid:2001621; rev:30;)

# From 2003, also may be
detected by http_preprocessor
alert tcp $EXTERNAL_NET any -> $HOME_NET 1000 (msg:"ET WEB WebAdmin User Overflow"; flow:established,to_server; content:"/WebAdmin.dll?"; nocase; content:"User="; nocase; content:!"|0a|"; distance:0; within:200; reference:cve,2003-0471; classtype:attempted-user; sid:2002847; rev:2;)

From kevross33 at googlemail.com  Fri Jan  8 07:25:33 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 8 Jan 2010 12:25:33 +0000
Subject: [Emerging-Sigs] IIS Parsing cve Reference fix
Message-ID:

This corrects an error in the reference in which the cve was defined as cve,CVE-2009-4444
Revision number has been incremented

Kev

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; uricontent:".asp|3B 2E|"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; sid:2010592; rev:6;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; uricontent:".aspx|3B 2E|"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; sid:2010593; rev:6;)

From thomas at chaschperli.ch  Fri Jan  8 07:36:37 2010
From: thomas at chaschperli.ch (Thomas Mueller)
Date: Fri, 8 Jan 2010 12:36:37 +0000 (UTC)
Subject: [Emerging-Sigs] SidReporter -where's my uid
Message-ID:

hi

how long does it take to get the sidreporter uid?

the "subscribe" mail was sent Jan 6 16:32 (and one or more times already in december).

- Thomas

From signatures at stillsecure.com  Fri Jan  8 08:06:46 2010
From: signatures at stillsecure.com (signatures)
Date: Fri, 8 Jan 2010 06:06:46 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures -Jan - 08 - 2010
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C294C@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/infusions/last_seen_users_panel/last_seen_users_panel.php?"; nocase; uricontent:"settings[locale]="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/56583; reference:url,www.milw0rm.com/exploits/9018; sid:9642; rev:1;)

2.
WEB-ATTACKS iseemedia LPViewer ActiveX Control url method Buffer Overflow Attempt
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS iseemedia LPViewer ActiveX Control url method Buffer Overflow Attempt"; flow:established,to_client; content:"3F0EECCE-E138-11D1-8712-0060083D83F5"; nocase; content:"url"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F0EECCE-E138-11D1-8712-0060083D83F5/si"; classtype:web-application-attack; reference:url,www.kb.cert.org/vuls/id/848873; reference:url,osvdb.org/48946; sid:9643; rev:1;)

3. WEB-ATTACKS iseemedia LPViewer ActiveX Control toolbar method Buffer Overflow Attempt
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS iseemedia LPViewer ActiveX Control toolbar method Buffer Overflow Attempt"; flow:established,to_client; content:"3F0EECCE-E138-11D1-8712-0060083D83F5"; nocase; content:"toolbar"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F0EECCE-E138-11D1-8712-0060083D83F5/si"; classtype:web-application-attack; reference:url,www.kb.cert.org/vuls/id/848873; reference:url,osvdb.org/48946; sid:9644; rev:1;)

4. WEB-ATTACKS iseemedia LPViewer ActiveX Control enableZoomPastMax method BOF Attempt
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS iseemedia LPViewer ActiveX Control enableZoomPastMax method BOF Attempt"; flow:established,to_client; content:"3F0EECCE-E138-11D1-8712-0060083D83F5"; nocase; content:"enableZoomPastMax"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F0EECCE-E138-11D1-8712-0060083D83F5/si"; classtype:web-application-attack; reference:url,www.kb.cert.org/vuls/id/848873; reference:url,osvdb.org/48946; sid:9645; rev:1;)

5.
WEB-ATTACKS WEB-ATTACKS iseemedia LPViewer ActiveX Control BOF Function call Attempt
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS WEB-ATTACKS iseemedia LPViewer ActiveX Control BOF Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"LPViewer.LPViewer.1"; distance:0; nocase; pcre:"/(url|toolbar|enableZoomPastMax)/i"; classtype:web-application-attack; reference:url,www.kb.cert.org/vuls/id/848873; reference:url,osvdb.org/48946; sid:9646; rev:1;)

6. WEB-PHP Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_jphoto&"; nocase; uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:bugtraq,37279; sid:9769; rev:1;)

7. WEB-PHP Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_jphoto&"; nocase; uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:bugtraq,37279; sid:9770; rev:1;)

8.
WEB-PHP Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_jphoto&"; nocase; uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,37279; sid:9771; rev:1;)

9. WEB-PHP Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_jphoto&"; nocase; uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:bugtraq,37279; sid:9772; rev:1;)

10. WEB-PHP Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_jphoto&"; nocase; uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:bugtraq,37279; sid:9773; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure
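The five com_jphoto rules above all hinge on uricontent matches and a pcre with the U flag, which Snort evaluates against the normalized URI rather than the raw request bytes. What follows is an added example, not StillSecure's code and not part of the list thread: it re-implements a subset of http_inspect's URI normalization (percent-decoding and multi-slash collapse; the real normalizer has more options such as double_decode, iis_unicode and directory) and walks a few constructed requests through the rules' option chain. It shows a request with `%53%45LECT` in the query firing after normalization even though "SELECT" never appears on the wire, and a benign search string firing sid 9769 because `.+` in the pcre spans parameter boundaries. The hostnames and request lines are made up for the example.

```python
"""Added example: the five com_jphoto rules (sids 9769-9773) evaluated
against constructed requests after a simplified URI normalization.
Not StillSecure's or Snort's code; only the option semantics the
rules rely on are emulated."""
import re
from urllib.parse import unquote_to_bytes

# sid -> the two keywords each rule wants, in order.  The rule's pcre is
# "/<first>.+<second>/Ui": U = normalized URI buffer, i = case-insensitive.
JPHOTO_RULES = {
    9769: (b"SELECT", b"FROM"),
    9770: (b"DELETE", b"FROM"),
    9771: (b"UNION", b"SELECT"),
    9772: (b"INSERT", b"INTO"),
    9773: (b"UPDATE", b"SET"),
}
# uricontent matches shared by all five rules (all nocase)
COMMON_URICONTENT = (b"/index.php?option=com_jphoto&", b"view=category&", b"Id=")


def normalize_uri(raw: bytes) -> bytes:
    """Subset of what http_inspect does before uricontent / pcre-U see
    the URI: percent-decoding of path and query plus multi_slash
    collapse.  Simplified for the example (no double_decode, no
    directory traversal resolution, no iis_unicode)."""
    path, sep, query = raw.partition(b"?")
    path = re.sub(rb"/{2,}", b"/", unquote_to_bytes(path))
    return path + sep + unquote_to_bytes(query)


def request_uri(request: bytes) -> bytes:
    """Request-target out of the request line (method SP target SP version)."""
    line = request.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return parts[1] if len(parts) > 1 else b""


def fired_sids(request: bytes) -> list:
    """Return the com_jphoto sids that would fire on this request,
    in the option order the rules use: content:"GET "; depth:4, then
    the nocase uricontents, then the /Ui pcre on the normalized URI."""
    if request[:4] != b"GET ":
        return []
    uri = normalize_uri(request_uri(request))
    low = uri.lower()
    if not all(c.lower() in low for c in COMMON_URICONTENT):
        return []
    hits = []
    for sid, (first, second) in JPHOTO_RULES.items():
        if first.lower() in low and second.lower() in low and \
                re.search(re.escape(first) + b".+" + re.escape(second), uri, re.I):
            hits.append(sid)
    return hits


# Constructed requests (example.invalid is a reserved name, not a real host).
PLAIN = (b"GET /index.php?option=com_jphoto&view=category&Id=-1%20UNION%20SELECT%201,2,3%20FROM%20jos_users HTTP/1.1\r\n"
         b"Host: example.invalid\r\n\r\n")
# "SELECT" split into %53%45LECT: invisible to a raw-bytes match, decoded by normalization
ENCODED = (b"GET /index.php?option=com_jphoto&view=category&Id=-1%20UNION%20%53%45LECT%201,2,3%20FROM%20jos_users HTTP/1.1\r\n"
           b"Host: example.invalid\r\n\r\n")
# the path itself encoded (/index%2Ephp), so the first uricontent only matches after decoding
ENCODED_PATH = (b"GET /index%2Ephp?option=com_jphoto&view=category&Id=-1%20DELETE%20FROM%20jos_users HTTP/1.1\r\n"
                b"Host: example.invalid\r\n\r\n")
# a harmless search string: sid 9769 still fires because .+ runs across parameters
BENIGN = (b"GET /index.php?option=com_jphoto&view=category&Id=12&q=select+a+photo+from+the+album HTTP/1.1\r\n"
          b"Host: example.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("PLAIN", PLAIN), ("ENCODED", ENCODED),
                      ("ENCODED_PATH", ENCODED_PATH), ("BENIGN", BENIGN)):
        print(f"{name:13s} raw-has-select={b'select' in req.lower()!s:5s} fires={fired_sids(req)}")
```

The raw-bytes column is the point: a `content:"SELECT"` without http_inspect in front of it misses ENCODED, while the rules as written catch it; the price is BENIGN, where a search box containing "select ... from" trips the same pcre.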
From jonkman at jonkmans.com  Fri Jan  8 08:48:37 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 08 Jan 2010 08:48:37 -0500
Subject: [Emerging-Sigs] SidReporter -where's my uid
In-Reply-To:
References:
Message-ID: <4B4737B5.7030909@jonkmans.com>

Generally it'll be there within a minute or two. I'll get you hooked up off-list.

Thanks for using sidreporter though!

Matt

On 1/8/10 7:36 AM, Thomas Mueller wrote:
> hi
>
> how long does it take to get the sidreporter uid?
>
> the "subscribe" mail was sent Jan 6 16:32 (and one or more times already
> in december).
>
> - Thomas
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From tw_herrmann at hotmail.com  Fri Jan  8 08:52:21 2010
From: tw_herrmann at hotmail.com (travis wayne)
Date: Fri, 8 Jan 2010 13:52:21 +0000
Subject: [Emerging-Sigs] Proposed Sigs for Malicious /Metasploit-infected PDFs
Message-ID:

Just a few quick observations from our experience in dealing with this since mid Dec 09:

the Kevin Ross pdf flowbit is not working for us, "pdf" hasn't been in the url, the url has been generated dynamically via embedded scripting interpreted by the browser (only if adobe is running, java is running, and IE is the browser)

we haven't seen many metasploit-generated pdfs (the metasploit module attempts to obfuscate the initial obj headers although I'm not saying there aren't any metasploit pdfs out there)

nearly all of the exploits we've
seen are coming from nginx servers, my best sigs are looking for "Server: nginx", "content-Type: application/pdf" and "%PDF-1" (I know, easily circumvented)

We are also seeing the download "after exploitation" of the exe in some but not all cases, via the 2000419 sig

Another sig we built that falses a lot looks for "content-type: application/x-java-archive" and "accept-encoding: pack200-gzip, gzip", though it falses, I'd rather get 10 fp's and 1 good alert for this as it has been very hard to identify successful attacks w/o casting a wide net

Our best defense has been AV, and setting adobe to prompt before download. Sigs searching for media.newPlayer and the print string are pretty much useless

I hope this helps someone, sorry for any lack of information. This stuff is really really hard to see much less alert on.

oh, one thing that helps is to visit the web history on boxes that "find" the pdfs on the web, look at their browser history files, use mandiant web historian to get the url visited (it will be unique), you can then recreate the attack traffic

travis

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Bojan Zdrnja (SANS ISC)
Sent: Friday, January 08, 2010 2:53 AM
To: mex
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Proposed Sigs for Malicious /Metasploit-infected PDFs

This will generate loads of false positives. FlateDecode filter is a legitimate filter in PDF documents (that's actually Zip compression). Almost any stream in a PDF document will be compressed in order to save space, so you can have perfectly legitimate PDFs that contain pictures inside and that have /Filter /FlateDecode.
Bojan

On Wed, Jan 6, 2010 at 10:52 PM, mex wrote:
>
> in a blogpost i found interesting information
> regarding metasploit-generated/infected pdfs
> http://extraexploit.blogspot.com/search/label/CVE-2009-4324
> and i built some sigs around it (see below); the first two sigs
> simply scan http-traffic in and out for the malicious strings,
> while the others are sigs with flowbits. i found no
> information if the flowbit-option is pinned to a single
> ip so i'm not sure about sideeffects on sites with tons of
> legit pdf-downloads.
>
> i tested the rules with some pdfs i found in $SPAM, all with low
> detectionrates @ virustotal:
> >> CONFIRMATION DE GAIN FREELOTTO.pf
> http://www.virustotal.com/analisis/ffc2bce0acc3e0d313c254fe5da4091d39cf724d08adfb7438ae39681a0ac9fe-1262813177
> >> FMo9A8pDZNCaw9AVq2uz5d.pdf
> http://www.virustotal.com/analisis/58cdc67dbffb6d2d29eb0f7ce4776e843f6ec3a886ca9e58db3c71d57abeec23-1262748518
> >> VOTRE_NOTIFICATION_DE_GAIN_MICROSOFT.pdf
> http://www.virustotal.com/analisis/44e4a6f4ac39f15619c346eb49b517df5af3ae08c6f7e6a74d9ba5ccd1a26fd6-1260153904
>
> one problem occurred: i had to set the value [server_flow_depth 1460]
> (which was unset by default but did not detect the strings in the
> response-stream) in preprocessor http_inspect_server which might
> increase the overall-load of the sensor.
>
> i don't know if it makes sense to create a SMTP-outgoing rule
> for that.
>
> # simple rules
> # malicious pdf outgoing (metasploit-infected)
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected) "; flow:to_client,established; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220037; rev:2;)
> #content:"|25|"; content:"PDF-"; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15;
>
> # malicious pdf incoming (metasploit-infected)
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious PDF Transfer incoming (Metasploit-Infected) "; flow:to_client,established; content:"|25|PDF-"; depth:500; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220040; rev:2;)
>
> # flowbit_rule outgoing
> # malicious pdf outgoing (metasploit-infected) trigger 1
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Malicious_PDF outgoing Trigger"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:".pdf"; flowbits:set,ET.malicious_pdf; flowbits:noalert; classtype:successful-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220041; rev:2;)
>
> # malicious pdf outgoing (metasploit-infected) trigger 2 / alert
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"Malicious PDF Transfer outgoing (Metasploit-Infected) flow "; flow:to_client,established; flowbits:isset,ET.malicious_pdf; flowbits:unset,ET.malicious_pdf; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220042; rev:2;)
> #content:"|25|"; content:"PDF-"; nocase; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15;
>
> # flowbit_rule incoming
> # malicious pdf incoming (metasploit-infected) trigger 1
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious_PDF incoming Trigger"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:".pdf"; flowbits:set,ET.malicious_pdf; flowbits:noalert; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220043; rev:2;)
>
> # malicious pdf incoming (metasploit-infected) trigger 2 / alert
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Malicious PDF Transfer incoming (Metasploit-Infected) flow "; flow:to_client,established; flowbits:isset,ET.malicious_pdf; flowbits:unset,ET.malicious_pdf; content:"|25|PDF-"; nocase; depth:500; content:"/Filter"; nocase; content:"/FlateDecode"; nocase; offset:0; within:15; classtype:attempted-user; reference:url,extraexploit.blogspot.com/search/label/CVE-2009-4324; reference:url,contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html; sid:11220044; rev:2;)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
From jonkman at jonkmans.com  Fri Jan  8 09:32:12 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 08 Jan 2010 09:32:12 -0500
Subject: [Emerging-Sigs] IIS Parsing cve Reference fix
In-Reply-To:
References:
Message-ID: <4B4741EC.2010902@jonkmans.com>

Posted, thanks Kevin!

Matt

On 1/8/10 7:25 AM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; uricontent:".asp|3B 2E|"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; sid:2010592; rev:6;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; uricontent:".aspx|3B 2E|"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; sid:2010593; rev:6;)

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security
Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Fri Jan  8 09:33:19 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 08 Jan 2010 09:33:19 -0500
Subject: [Emerging-Sigs] Proposed update to "ET POLICY Possible Ecard Trojan download"
In-Reply-To:
References:
Message-ID: <4B47422F.7080609@jonkmans.com>

Posting your fix, thanks David! Good observation.

Matt

On 1/6/10 3:48 PM, David.R.Wharton at regions.com wrote:
> From time to time I see false positives on 2006434:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; uricontent:".exe"; nocase; pcre:"/(card|gif|jpg|jpeg|cartao)\.exe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_HTTP; sid:2006434; rev:5;)
>
> These are due to requests like this:
>
> GET /foobar/r/pdf2gif.exe/cH0s3Pru13s
>
> What if we anchored the PCRE to ensure the .exe is at the end of the URI?
> e.g. pcre:"/(card|gif|jpg|jpeg|cartao)\.exe$/Ui"
>
> Thanks.
>
> -David Wharton;
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Fri Jan  8 09:36:10 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 08 Jan 2010 09:36:10 -0500
Subject: [Emerging-Sigs] Proposed update to "ET POLICY Possible Ecard Trojan download"
In-Reply-To: <826CAB9C-F427-4854-B516-C467F8EC376B@sourcefire.com>
References: <826CAB9C-F427-4854-B516-C467F8EC376B@sourcefire.com>
Message-ID: <4B4742DA.8030701@jonkmans.com>

On 1/6/10 3:57 PM, Joel Esler wrote:
> Are you sure you don't want the rule going the other way?

No, I believe it's right. This is to catch the request.

>
> What if you anchored it to the flowbit: "exe.download" as found in rule 15306.
>

There may not be an exe at the end of the stream, but the request is a good sign of infection. Also I want to try to avoid using flowbits from vrt in the et ruleset. Not for spite or anything, just that not everyone runs both rulesets. Some folks can't accept the license over there, or use different commercial ruleset in conjunction with et.

Thanks though!

Matt

> Just hear me out, I'm just putting it up for discussion.
>
> J
>
> On Jan 6, 2010, at 3:48 PM, David.R.Wharton at regions.com wrote:
>
>> From time to time I see false positives on 2006434:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; uricontent:".exe"; nocase; pcre:"/(card|gif|jpg|jpeg|cartao)\.exe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_HTTP; sid:2006434; rev:5;)
>>
>> These are due to requests like this:
>>
>> GET /foobar/r/pdf2gif.exe/cH0s3Pru13s
>>
>> What if we anchored the PCRE to ensure the .exe is at the end of the URI?
>> e.g. pcre:"/(card|gif|jpg|jpeg|cartao)\.exe$/Ui"
>>
>> Thanks.
>>
>> -David Wharton;
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From kevross33 at googlemail.com  Fri Jan  8 09:43:57 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 8 Jan 2010 14:43:57 +0000
Subject: [Emerging-Sigs] nginx pdf sig modification to use flowbit
Message-ID:

Modified so that it uses the flowbit to limit the traffic it is inspecting back in.
Kev

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF)"; flowbits:isset,ET.pdf.request; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server|3a| nginx"; nocase; distance:4; within:300; content:"Content-Type|3a| application/pdf"; nocase; within:400; content:"Content-Disposition|3a| inline"; nocase; within:400; threshold:type limit, seconds 60, count 10, track by_src; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2009076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Possible_Malicious_PDF; sid:2009076; rev:2;)

From kevross33 at googlemail.com  Fri Jan  8 10:03:35 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 8 Jan 2010 15:03:35 +0000
Subject: [Emerging-Sigs] more possible disable sigs
Message-ID:

I will stop hunting for now till the other 2 I have sent also with possible sigs can get looked at. There is a microsoft DOS in this list from 2000.

Kev

# These are from 2004, the flowbit one is setting a flowbit for GET requests with newline though, don't know how often that flowbit might get set under normal traffic. However, there may be old appliances running apache underneath which may benefit from this.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "ET DOS HTTP GET with newline appended"; flowbits:noalert; flow: to_server,established; content:"GET / HTTP/1.0|0a|"; offset: 0; depth: 15; flowbits:set,http.get; reference:cve,2004-0942; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2001635; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Apache_Squ1rt; sid: 2001635; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "ET DOS squ1rt Apache DoS"; flow: to_server,established; flowbits:isset,http.get; dsize: 1448; content:"|20202020|"; depth: 4; content:"|20202020|"; offset: 1436; depth: 4; reference:cve,2004-0942; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2001636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Apache_Squ1rt; sid: 2001636; rev:6;)

# From 2004
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET DOS MS04-030 Attempted DoS"; flow: to_server; flowbits:isnotset,tagged; content:"xmlns|3a|z"; content:"xml|3a|"; nocase; tag: host,10,packets,src; flowbits:set,tagged; reference:url,isc.sans.org/diary.php?date=2004-10-20; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2001362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS04-030; sid: 2001362; rev:7;)

# From 2004
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flowbits:isnotset,tagged; flow: established,to_server; content:"|10 00 00 10 cc|"; offset: 0; depth: 5; tag: host,3,packets,src; flowbits:set,tagged; reference:bugtraq,11265; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MSSQL_DOS; sid: 2001366; rev:8;)

# From 2004
alert tcp $EXTERNAL_NET any -> $HOME_NET 2702 (msg: "ET DOS Microsoft SMS dos attempt"; flow: to_server,established; content:"RCH0"; nocase; pcre:"/RCH0####RCHE.{130,}/smi"; reference:url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS_SMS; sid: 2000496; rev:9;)

# This seems very specific, possibly not useful anymore? I am not sure.
alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS (msg: "ET ATTACK RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"notify_"; nocase; pcre:"/notify_(defacer|domain|hackmode|reason)=/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Zone-h_Defacement; sid: 2001616; rev:8;)

# MS00- .... old
alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; distance:0; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; classtype:attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS00-038; sid:2002843; rev:4;)
From jonkman at jonkmans.com  Fri Jan  8 10:08:21 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 08 Jan 2010 10:08:21 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures -Jan - 08 - 2010
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C294C@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C294C@webmail.latis.com>
Message-ID: <4B474A65.1060008@jonkmans.com>

Posted, thanks!

Matt

On 1/8/10 8:06 AM, signatures wrote:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/infusions/last_seen_users_panel/last_seen_users_panel.php?"; nocase; uricontent:"settings[locale]="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/56583; reference:url,www.milw0rm.com/exploits/9018; sid:9642; rev:1;)
>
> 2. WEB-ATTACKS iseemedia LPViewer ActiveX Control url method Buffer Overflow Attempt
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS iseemedia LPViewer ActiveX Control url method Buffer Overflow Attempt"; flow:established,to_client; content:"3F0EECCE-E138-11D1-8712-0060083D83F5"; nocase; content:"url"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F0EECCE-E138-11D1-8712-0060083D83F5/si"; classtype:web-application-attack; reference:url,www.kb.cert.org/vuls/id/848873; reference:url,osvdb.org/48946; sid:9643; rev:1;)
>
> 3.
> *WEB-ATTACKS iseemedia LPViewer ActiveX Control toolbar method Buffer Overflow Attempt*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS iseemedia LPViewer ActiveX Control toolbar method Buffer Overflow Attempt"; flow:established,to_client; content:"3F0EECCE-E138-11D1-8712-0060083D83F5"; nocase; content:"toolbar"; nocase; pcre:"/<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F0EECCE-E138-11D1-8712-0060083D83F5/si"; classtype:web-application-attack; reference:url,www.kb.cert.org/vuls/id/848873; reference:url,osvdb.org/48946; sid:9644; rev:1;)
>
> 4. *WEB-ATTACKS iseemedia LPViewer ActiveX Control enableZoomPastMax method BOF Attempt*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS iseemedia LPViewer ActiveX Control enableZoomPastMax method BOF Attempt"; flow:established,to_client; content:"3F0EECCE-E138-11D1-8712-0060083D83F5"; nocase; content:"enableZoomPastMax"; nocase; pcre:"/<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F0EECCE-E138-11D1-8712-0060083D83F5/si"; classtype:web-application-attack; reference:url,www.kb.cert.org/vuls/id/848873; reference:url,osvdb.org/48946; sid:9645; rev:1;)
>
> 5. *WEB-ATTACKS iseemedia LPViewer ActiveX Control BOF Function call Attempt*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS iseemedia LPViewer ActiveX Control BOF Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"LPViewer.LPViewer.1"; distance:0; nocase; pcre:"/(url|toolbar|enableZoomPastMax)/i"; classtype:web-application-attack; reference:url,www.kb.cert.org/vuls/id/848873; reference:url,osvdb.org/48946; sid:9646; rev:1;)
>
> 6.
*WEB-PHP Joomla com_jphoto Component Id Parameter SELECT FROM > SQL Injection Attempt* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_jphoto&"; nocase; > uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; > uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; > pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; > reference:bugtraq,37279; sid:9769; rev:1;) > > 7. *WEB-PHP Joomla com_jphoto Component Id Parameter DELETE FROM > SQL Injection Attempt* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_jphoto&"; nocase; > uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; > uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; > pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; > reference:bugtraq,37279; sid:9770; rev:1;) > > 8. *WEB-PHP Joomla com_jphoto Component Id Parameter UNION SELECT > SQL Injection Attempt* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_jphoto&"; nocase; > uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:bugtraq,37279; sid:9771; rev:1;) > > 9. 
*WEB-PHP Joomla com_jphoto Component Id Parameter INSERT INTO > SQL Injection Attempt* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_jphoto&"; nocase; > uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; > uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; > pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; > reference:bugtraq,37279; sid:9772; rev:1;) > > 10. *WEB-PHP Joomla com_jphoto Component Id Parameter UPDATE SET SQL > Injection Attempt* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection > Attempt"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/index.php?option=com_jphoto&"; nocase; > uricontent:"view=category&"; nocase; uricontent:"Id="; nocase; > uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; > pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; > reference:bugtraq,37279; sid:9773; rev:1;) > -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Fri Jan 8 10:23:29 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 08 Jan 2010 10:23:29 -0500 Subject: [Emerging-Sigs] nginx pdf sig modification to use flowbit In-Reply-To: References: Message-ID: <4B474DF1.3020404@jonkmans.com> Thats worth a try... posting Matt On 1/8/10 9:43 AM, Kevin Ross wrote: > Modified so that it uses the flowbit to limit the traffic it is > inspecting back in. 
Kev > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET > CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF)"; > flowbits:isset,ET.pdf.request; flow:established,from_server; > content:"HTTP/1."; depth:7; content:"|0d 0a|Server|3a| nginx"; nocase; > distance:4; within:300; content:"Content-Type|3a| application/pdf"; > nocase; within: 400; content:"Content-Disposition|3a| inline"; nocase; > within: 400; threshold:type limit, seconds 60, count 10, track by_src; > classtype:bad-unknown; > reference:url,doc.emergingthreats.net/bin/view/Main/2009076 > ; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Possible_Malicious_PDF > ; > sid:2009076; rev:2;) > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From evilghost at packetmail.net Fri Jan 8 10:27:12 2010 From: evilghost at packetmail.net (evilghost@packetmail.net) Date: Fri, 8 Jan 2010 09:27:12 -0600 Subject: [Emerging-Sigs] Proposed signature; ICMP scan precursor "@hello ???" Message-ID: <4B474ED0.2040309@packetmail.net> Found an IP trapped in my honeypot from Jan 03 to Jan 07. Over 15M of TCP SYN on TCP 1433, 445, and 139. A total of around 164,828 total SYNs. Not sure if this is a broken scanner or a compromised host. 
The precursor to the attack was an ICMP echo request with contents "@hello ???":

05:31:03.717734 IP 209.176.76.72 > a.b.c.d: ICMP echo request, id 768, seq 8512, length 17
        0x0000:  4500 0025 63a8 0000 7301 a21f d1b0 4c48  E..%c...s.....LH
        0x0010:  ce52 55c5 0800 118e 0300 2140 6865 6c6c  .RU.......!@hell
        0x0020:  6f20 3f3f 3f00 0000 0000 5acd 7be1       o.???.....Z.{.
05:31:03.718757 IP 209.176.76.72 > a.b.c.d: ICMP echo request, id 768, seq 9024, length 17
        0x0000:  4500 0025 63aa 0000 7301 a21c d1b0 4c48  E..%c...s.....LH
        0x0010:  ce52 55c6 0800 0f8e 0300 2340 6865 6c6c  .RU.......#@hell
        0x0020:  6f20 3f3f 3f00 0000 0000 4a20 b920       o.???.....J...
05:31:03.719509 IP 209.176.76.72 > a.b.c.d: ICMP echo request, id 768, seq 8256, length 17
        0x0000:  4500 0025 63a7 0000 7301 a221 d1b0 4c48  E..%c...s..!..LH
        0x0010:  ce52 55c4 0800 128e 0300 2040 6865 6c6c  .RU........@hell
        0x0020:  6f20 3f3f 3f00 0000 0000 6b9a c02b       o.???.....k..+
05:31:03.719841 IP 209.176.76.72 > a.b.c.d: ICMP echo request, id 768, seq 9280, length 17
        0x0000:  4500 0025 63ab 0000 7301 a21a d1b0 4c48  E..%c...s.....LH
        0x0010:  ce52 55c7 0800 0e8e 0300 2440 6865 6c6c  .RU.......$@hell
        0x0020:  6f20 3f3f 3f00 0000 0000 546c f485       o.???.....Tl..

I propose the below signature, as I did not find coverage for this in the current rulesets:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello request, precursor to scan"; itype:8; icode:0; content:"@hello ???"; classtype:misc-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_IPTools; sid:2010xxx; rev:1;)

This may be an isolated incident but visibility into this would be nice.
-evilghost

From pepperjack at afferentsecurity.com Fri Jan 8 10:45:40 2010
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 8 Jan 2010 09:45:40 -0600
Subject: [Emerging-Sigs] Typo on rule 20010631
Message-ID: <4B475324.7070504@afferentsecurity.com>

This sid picked up an extra zero:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader Sending Mac Adress"; flow:established,to_server; content:"GET "; depth:4; uricontent:"x="; nocase; uricontent:"&y="; nocase; uricontent:"&z="; nocase; pcre:"/[0-9A-Fa-f]{6}/Ui"; reference:url,doc.emergingthreats.net/20010631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:20010631; rev:2;)

I think it was supposed to be 2010631. The wiki reference is at http://doc.emergingthreats.net/bin/view/Main/20010631, but not at the expected http://doc.emergingthreats.net/20010631.

Also, do we have any documentation on what this is actually looking for? PCAP samples, etc? The series of six alnum seems a little weak. Perhaps this should be re-anchored with an equals sign before the MAC address and a non-alnum after?

jp

From jonkman at jonkmans.com Fri Jan 8 11:04:24 2010
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 08 Jan 2010 11:04:24 -0500
Subject: [Emerging-Sigs] Typo on rule 20010631
In-Reply-To: <4B475324.7070504@afferentsecurity.com>
References: <4B475324.7070504@afferentsecurity.com>
Message-ID: <4B475788.7020707@jonkmans.com>

Appreciate the note. Dropped it already as it was false positiving anyway.
:) Matt On 1/8/10 10:45 AM, Jack Pepper wrote: > This sid picked up an extra zero: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > General Downloader Sending Mac Adress"; flow:established,to_server; > content:"GET "; depth:4; uricontent:"x="; nocase; uricontent:"&y="; > nocase; uricontent:"&z="; nocase; pcre:"/[0-9A-Fa-f]{6}/Ui"; > reference:url,doc.emergingthreats.net/20010631; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; > sid:20010631; rev:2; > > I think it was supposed to be 2010631. The wiki reference is at > http://doc.emergingthreats.net/bin/view/Main/20010631, but not at the > expected http://doc.emergingthreats.net/20010631 . > > Also, do we have any documentation on what this is actually looking > for? PCAP samples, etc? > The series of six alnum seems a little weak. Perhaps this should be > reanchored with an equals sign before the mac addr and a non-alnum after? > > > jp > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Fri Jan 8 11:05:54 2010 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 08 Jan 2010 11:05:54 -0500 Subject: [Emerging-Sigs] Proposed signature; ICMP scan precursor "@hello ???" In-Reply-To: <4B474ED0.2040309@packetmail.net> References: <4B474ED0.2040309@packetmail.net> Message-ID: <4B4757E2.2000404@jonkmans.com> That certainly looks worth a sig. Thanks! 
matt On 1/8/10 10:27 AM, evilghost at packetmail.net wrote: > Found an IP trapped in my honeypot from Jan 03 to Jan 07. Over 15M of > TCP SYN on TCP 1433, 445, and 139. A total of around 164,828 total > SYNs. Not sure if this is a broken scanner or a compromised host. The > precursor to the attack was an ICMP echo request with contents "@hello ???": > > 05:31:03.717734 IP 209.176.76.72 > a.b.c.d: ICMP echo request, id 768, > seq 8512, length 17 > 0x0000: 4500 0025 63a8 0000 7301 a21f d1b0 4c48 E..%c...s.....LH > 0x0010: ce52 55c5 0800 118e 0300 2140 6865 6c6c .RU.......!@hell > 0x0020: 6f20 3f3f 3f00 0000 0000 5acd 7be1 o.???.....Z.{. > 05:31:03.718757 IP 209.176.76.72 > a.b.c.d: ICMP echo request, id 768, > seq 9024, length 17 > 0x0000: 4500 0025 63aa 0000 7301 a21c d1b0 4c48 E..%c...s.....LH > 0x0010: ce52 55c6 0800 0f8e 0300 2340 6865 6c6c .RU.......#@hell > 0x0020: 6f20 3f3f 3f00 0000 0000 4a20 b920 o.???.....J... > 05:31:03.719509 IP 209.176.76.72 > a.b.c.d: ICMP echo request, id 768, > seq 8256, length 17 > 0x0000: 4500 0025 63a7 0000 7301 a221 d1b0 4c48 E..%c...s..!..LH > 0x0010: ce52 55c4 0800 128e 0300 2040 6865 6c6c .RU........ at hell > 0x0020: 6f20 3f3f 3f00 0000 0000 6b9a c02b o.???.....k..+ > 05:31:03.719841 IP 209.176.76.72 > a.b.c.d: ICMP echo request, id 768, > seq 9280, length 17 > 0x0000: 4500 0025 63ab 0000 7301 a21a d1b0 4c48 E..%c...s.....LH > 0x0010: ce52 55c7 0800 0e8e 0300 2440 6865 6c6c .RU.......$@hell > 0x0020: 6f20 3f3f 3f00 0000 0000 546c f485 o.???.....Tl.. > > I propose the below signature, as I did not find coverage for this in > the current rulesets: > > alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello > request, precursor to scan"; itype:8; icode:0; content:"@hello ???"; > classtype:misc-activity; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_IPTools; > sid:2010xxx; rev:1); > > This may be an isolated incident but visibility into this would be nice. 
> > -evilghost > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- ---------------------------------------------------- Matthew Jonkman Emerging Threats Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net http://www.openinfosecfoundation.org ---------------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From evilghost at packetmail.net Fri Jan 8 11:06:24 2010 From: evilghost at packetmail.net (evilghost@packetmail.net) Date: Fri, 8 Jan 2010 10:06:24 -0600 Subject: [Emerging-Sigs] Typo on rule 20010631 In-Reply-To: <4B475788.7020707@jonkmans.com> References: <4B475324.7070504@afferentsecurity.com> <4B475788.7020707@jonkmans.com> Message-ID: <4B475800.8080005@packetmail.net> Yes, we had to disable it here as well. Falsing heavily. Matt Jonkman wrote: > Appreciate the note. Dropped it already as it was false positiving > anyway. :) > > Matt > > On 1/8/10 10:45 AM, Jack Pepper wrote: > >> This sid picked up an extra zero: >> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >> General Downloader Sending Mac Adress"; flow:established,to_server; >> content:"GET "; depth:4; uricontent:"x="; nocase; uricontent:"&y="; >> nocase; uricontent:"&z="; nocase; pcre:"/[0-9A-Fa-f]{6}/Ui"; >> reference:url,doc.emergingthreats.net/20010631; >> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; >> sid:20010631; rev:2; >> >> I think it was supposed to be 2010631. The wiki reference is at >> http://doc.emergingthreats.net/bin/view/Main/20010631, but not at the >> expected http://doc.emergingthreats.net/20010631 . >> >> Also, do we have any documentation on what this is actually looking >> for? PCAP samples, etc? >> The series of six alnum seems a little weak. 
>> Perhaps this should be re-anchored with an equals sign before the MAC address and a non-alnum after?
>>
>> jp

From mike.cox52 at gmail.com Fri Jan 8 15:37:47 2010
From: mike.cox52 at gmail.com (Mike Cox)
Date: Fri, 8 Jan 2010 14:37:47 -0600
Subject: [Emerging-Sigs] UTF-8/UTF-16 URI encoded shellcode rules
Message-ID: <6116b9e21001081237s44610039w2aa74124425f2cde@mail.gmail.com>

SIDs 2003173 and 2003174, designed to detect UTF-8 and UTF-16 URI encoded shellcode, only have a raw pcre match and no content match, so they are not performing well on my sensor that monitors web traffic.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; pcre:"/(%U([0-9a-f]{2})){6}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Generic_Shellcode; sid:2003173; rev:5;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; pcre:"/(%U([0-9a-f]{4})){6}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Generic_Shellcode; sid:2003174; rev:5;)

Can we do anything to improve performance? Will looking for more than 6 encoded values help or hurt the pcre? I'm guessing most worthwhile shellcode is longer than 6. Are these rules providing people value? I just get false positives from time to time thanks to URI encoding and poorly written Web 2.0 bloatware.

Thanks.

-Mike Cox
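Two signatures in this thread can be checked offline before anyone deploys them: the "@hello ???" ICMP rule evilghost proposes above, and the two %u shellcode pcres Mike asks about. The script below is an added example written for this archive; it is not code from the list, from Emerging Threats or from either poster. Part 1 rebuilds the first echo request from the hex columns of the posted tcpdump -X output and decodes it the way Snort and Suricata do: for echo requests both engines start the content: buffer after the 8-byte ICMP header (type, code, checksum, id, seq), so the byte printed as "@" in the ASCII column is the low byte of the sequence number 0x2140, not payload, and a rule has to match on "hello ???" to fire on these packets. Part 2 runs the pcre bodies of sids 2003173 and 2003174 behind the content:"%u"; nocase; fast pattern Kevin suggests in his reply, over constructed HTTP response bodies (not captured traffic), and reports the longest run of back-to-back %uXXXX words so a stricter repeat count than 6 can be judged against real bodies. Function and variable names are the example's own.

```python
"""Offline sanity check for two signatures from this thread (added example)."""
import re
import struct

# ---- Part 1: ICMP echo request ---------------------------------------------

# Hex words of the first packet in the post (id 768, seq 8512); ASCII column dropped.
TCPDUMP_HEX = """
4500 0025 63a8 0000 7301 a21f d1b0 4c48
ce52 55c5 0800 118e 0300 2140 6865 6c6c
6f20 3f3f 3f00 0000 0000 5acd 7be1
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Concatenate the hex words of a tcpdump -X dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def icmp_echo_fields(frame: bytes) -> dict:
    """Decode an IPv4/ICMP echo packet the way Snort and Suricata do:
    the content buffer starts after type, code, checksum, id and seq (8 bytes)."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    icmp = frame[ihl:total_len]              # drop link-layer padding after the IP packet
    itype, icode, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"itype": itype, "icode": icode, "id": ident, "seq": seq, "data": icmp[8:]}


def icmp_rule_matches(frame: bytes, content: bytes) -> bool:
    """Emulate: alert icmp ... (itype:8; icode:0; content:"<content>";)"""
    f = icmp_echo_fields(frame)
    return f["itype"] == 8 and f["icode"] == 0 and content in f["data"]


# ---- Part 2: %u-encoded shellcode pcres ------------------------------------

# pcre bodies exactly as they appear in the two rules; Snort's /i is re.IGNORECASE.
SID_2003173 = re.compile(r"(%U([0-9a-f]{2})){6}", re.I)   # "UTF-8" rule
SID_2003174 = re.compile(r"(%U([0-9a-f]{4})){6}", re.I)   # "UTF-16" rule
UTF16_RUN = re.compile(r"(?:%u[0-9a-f]{4})+", re.I)       # back-to-back %uXXXX words


def longest_utf16_run(text: str) -> int:
    """Number of %uXXXX words in the longest uninterrupted run."""
    return max((len(m.group(0)) // 6 for m in UTF16_RUN.finditer(text)), default=0)


def shellcode_rules(body: bytes, min_run: int = 6) -> dict:
    """Evaluate both pcres as they would run behind content:"%u"; nocase;:
    a body without "%u" never reaches the regex engine at all."""
    result = {"pcre_evaluated": False, "sid_2003173": False, "sid_2003174": False,
              "longest_run": 0, "tuned": False}
    if b"%u" not in body.lower():            # the content: fast pattern
        return result
    text = body.decode("latin-1")
    run = longest_utf16_run(text)
    result.update(pcre_evaluated=True,
                  sid_2003173=bool(SID_2003173.search(text)),
                  sid_2003174=bool(SID_2003174.search(text)),
                  longest_run=run,
                  tuned=run >= min_run)      # a stricter repeat count than the rules' 6
    return result


# Constructed response bodies, not captured traffic.
BENIGN_JS = b'var s = decodeURIComponent("caf%C3%A9") + unescape("%u00e9%u00e8");'
HEAP_SPRAY = b'<script>var nop = unescape("' + b"%u9090" * 8 + b'");</script>'
UTF8_STYLE = b"%u41%u42%u43%u44%u45%u46"   # the only shape sid 2003173's {2} can match
PLAIN_HTML = b"<html><body>Hello %20world</body></html>"

if __name__ == "__main__":
    pkt = hexdump_to_bytes(TCPDUMP_HEX)
    f = icmp_echo_fields(pkt)
    print(f"ICMP content buffer: {f['data']!r}; seq=0x{f['seq']:04x}, low byte {chr(f['seq'] & 0xFF)!r}")
    for c in (b"@hello ???", b"hello ???"):
        print(f"  content:{c!r:<13} -> {icmp_rule_matches(pkt, c)}")
    for name, body in [("BENIGN_JS", BENIGN_JS), ("HEAP_SPRAY", HEAP_SPRAY),
                       ("UTF8_STYLE", UTF8_STYLE), ("PLAIN_HTML", PLAIN_HTML)]:
        print(f"{name:<11} {shellcode_rules(body)}")
```

Running it shows the "@hello ???" content failing and "hello ???" matching on the posted packet, the eight-word %u9090 spray hitting sid 2003174 but not 2003173 (whose {2} only matches six back-to-back %uXX groups, a shape standard %uXXXX shellcode never produces), the two-word benign unescape() staying under any repeat count of 6 or more, and the body without "%u" never reaching the regex at all.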
From emerging at emergingthreats.net Fri Jan 8 16:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 8 Jan 2010 16:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100108210013.9913745050@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Jan 8 16:00:13 2010 [***]

[+++] Added rules: [+++]

 2010630 - ET MALWARE Generic Adware Install Report (emerging-malware.rules)
 2010631 - ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt (emerging-web_specific_apps.rules)
 2010636 - WEB-PHP Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010637 - WEB-PHP Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010638 - WEB-PHP Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010639 - WEB-PHP Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010640 - WEB-PHP Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules)
 2010641 - ET SCAN ICMP @hello request, Likely Precursor to Scan (emerging-scan.rules)

[///] Modified active rules: [///]

 2006434 - ET POLICY Possible Ecard Trojan download (emerging-policy.rules)
 2009076 - ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) (emerging-current_events.rules)
 2010592 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) (emerging-web_server.rules)
 2010593 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass
Attempt (aspx) (emerging-web_server.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-current_events.rules (1): #by Paul Dokas. Testing this out for a bit..., modified by kevin ross -> Added to emerging-malware.rules (1): #by pedro Marinho -> Added to emerging-sid-msg.map (22): 2010592 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) || cve,2009-4444 || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010592 || url,www.securityfocus.com/bid/37460/info 2010593 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) || cve,2009-4444 || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010593 || url,www.securityfocus.com/bid/37460/info 2010630 || ET MALWARE Generic Adware Install Report || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adware_Command || url,doc.emergingthreats.net/2010630 2010631 || ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt || url,www.milw0rm.com/exploits/9018 || url,osvdb.org/show/osvdb/56583 2010636 || WEB-PHP Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt || bugtraq,37279 2010637 || WEB-PHP Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt || bugtraq,37279 2010638 || WEB-PHP Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt || bugtraq,37279 2010639 || WEB-PHP Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt || 
bugtraq,37279 2010640 || WEB-PHP Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt || bugtraq,37279 2010641 || ET SCAN ICMP @hello request, Likely Precursor to Scan 2500570 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500571 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500572 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500573 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500574 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500575 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510570 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510571 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510572 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510573 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510574 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510575 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (22): 2010592 || ET 
WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) || cve,2009-4444 || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010592 || url,www.securityfocus.com/bid/37460/info 2010593 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) || cve,2009-4444 || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010593 || url,www.securityfocus.com/bid/37460/info 2010630 || ET MALWARE Generic Adware Install Report || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adware_Command || url,doc.emergingthreats.net/2010630 2010631 || ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt || url,www.milw0rm.com/exploits/9018 || url,osvdb.org/show/osvdb/56583 2010636 || WEB-PHP Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt || bugtraq,37279 2010637 || WEB-PHP Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt || bugtraq,37279 2010638 || WEB-PHP Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt || bugtraq,37279 2010639 || WEB-PHP Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt || bugtraq,37279 2010640 || WEB-PHP Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt || bugtraq,37279 2010641 || ET SCAN ICMP @hello request, Likely Precursor to Scan 2500570 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (286) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500571 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500572 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500573 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500574 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500575 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510570 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510571 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510572 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510573 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510574 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510575 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts [---] Removed non-rule lines: [---] -> Removed from emerging-current_events.rules (1): #by Paul Dokas. Testing this out for a bit... 
-> Removed from emerging-sid-msg.map (2): 2010592 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010592 || url,www.securityfocus.com/bid/37460/info 2010593 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010593 || url,www.securityfocus.com/bid/37460/info -> Removed from emerging-sid-msg.map.txt (2): 2010592 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010592 || url,www.securityfocus.com/bid/37460/info 2010593 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || url,www.securityfocus.com/bid/37460/info || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass || url,doc.emergingthreats.net/2010593 || url,www.securityfocus.com/bid/37460/info From kevross33 at googlemail.com Fri Jan 8 18:36:07 2010 From: kevross33 at googlemail.com (Kevin Ross) Date: Fri, 8 Jan 2010 23:36:07 +0000 Subject: 
[Emerging-Sigs] SIG:Windows Live Messenger ViewProfile Buffer Overflow
Message-ID:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Windows Live Messenger ViewProfile() Method ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; pcre:"/<object[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37680/info; sid:17000001; rev:1;)

Kev

From kevross33 at googlemail.com Fri Jan 8 18:40:27 2010
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 8 Jan 2010 23:40:27 +0000
Subject: [Emerging-Sigs] UTF-8/UTF-16 URI encoded shellcode rules
In-Reply-To: <6116b9e21001081237s44610039w2aa74124425f2cde@mail.gmail.com>
References: <6116b9e21001081237s44610039w2aa74124425f2cde@mail.gmail.com>
Message-ID:

Perhaps disable them by default if they FP a lot? A content match like content:"%u"; nocase; http_body; might help? No idea what else though; I think they have value.

2010/1/8 Mike Cox

> SIDs 2003173 and 2003174, designed to detect UTF-8 and UTF-16 URI encoded
> shellcode, only have a raw pcre match and no content so they are not
> performing well for my sensor that monitors web traffic.
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT > Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; > pcre:"/(%U([0-9a-f]{2})){6}/i"; classtype:trojan-activity; reference:url, > doc.emergingthreats.net/bin/view/Main/2003173; reference:url, > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Generic_Shellcode; > sid:2003173; rev:5;) > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT > Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; > pcre:"/(%U([0-9a-f]{4})){6}/i"; classtype:trojan-activity; reference:url, > doc.emergingthreats.net/bin/view/Main/2003174; reference:url, > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Generic_Shellcode; > sid:2003174; rev:5;) > > Can we do anything to improve performance? Will looking for more than 6 > encoded values help or hurt the pcre? I'm guessing most worthwhile > shellcode is longer than 6. Are these rules providing people value b/c I > just get false positives from time to time thanks to uri encoding and poorly > written Web 2.0 bloatware. > > Thanks. > > -Mike Cox > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100108/4c4449a3/attachment-0001.html From r.fulton at auckland.ac.nz Sat Jan 9 05:05:35 2010 From: r.fulton at auckland.ac.nz (Russell Fulton) Date: Sat, 9 Jan 2010 23:05:35 +1300 Subject: [Emerging-Sigs] ET TROJAN Generic Dropper Post (FarmTime var) 2010451 -- appears to be a game Message-ID: <2EB737B0-4D7C-418F-9040-9521026658AD@auckland.ac.nz> Hmmm... this seems to be a game rather than malware ??? 
Russell

From emerging at emergingthreats.net Sat Jan 9 16:00:14 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 9 Jan 2010 16:00:14 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20100109210014.0CC264504E@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 9 16:00:13 2010 [***]

[///] Modified active rules: [///]

2010348 - ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download (emerging-virus.rules)
2010631 - ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt (emerging-web_specific_apps.rules)
2010636 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010637 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules)
2010638 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules)
2010639 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules)
2010640 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules)
2010641 - ET SCAN ICMP @hello request, Likely Precursor to Scan (emerging-scan.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (11):
2010631 || ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_MyFusion || url,doc.emergingthreats.net/2010631 || url,www.milw0rm.com/exploits/9018 || url,osvdb.org/show/osvdb/56583
2010636 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010636 || bugtraq,37279
2010637 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010637 || bugtraq,37279
2010638 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010638 || bugtraq,37279
2010639 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010639 || bugtraq,37279
2010640 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010640 || bugtraq,37279
2010641 || ET SCAN ICMP @hello request, Likely Precursor to Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_hello || url,doc.emergingthreats.net/2010641
2500576 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500577 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510576 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510577 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (11):
2010631 || ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_MyFusion || url,doc.emergingthreats.net/2010631 || url,www.milw0rm.com/exploits/9018 || url,osvdb.org/show/osvdb/56583
2010636 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010636 || bugtraq,37279
2010637 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010637 || bugtraq,37279
2010638 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010638 || bugtraq,37279
2010639 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010639 || bugtraq,37279
2010640 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Joomla || url,doc.emergingthreats.net/2010640 || bugtraq,37279
2010641 || ET SCAN ICMP @hello request, Likely Precursor to Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_hello || url,doc.emergingthreats.net/2010641
2500576 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500577 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510576 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510577 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (7):
2010631 || ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt || url,www.milw0rm.com/exploits/9018 || url,osvdb.org/show/osvdb/56583
2010636 || WEB-PHP Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt || bugtraq,37279
2010637 || WEB-PHP Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt || bugtraq,37279
2010638 || WEB-PHP Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt || bugtraq,37279
2010639 || WEB-PHP Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt || bugtraq,37279
2010640 || WEB-PHP Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt || bugtraq,37279
2010641 || ET SCAN ICMP @hello request, Likely Precursor to Scan

-> Removed from emerging-sid-msg.map.txt (7):
2010631 || ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt || url,www.milw0rm.com/exploits/9018 || url,osvdb.org/show/osvdb/56583
2010636 || WEB-PHP Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt || bugtraq,37279
2010637 || WEB-PHP Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt || bugtraq,37279
2010638 || WEB-PHP Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt || bugtraq,37279
2010639 || WEB-PHP Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt || bugtraq,37279
2010640 || WEB-PHP Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt || bugtraq,37279
2010641 || ET SCAN ICMP @hello request, Likely Precursor to Scan

From emerging at emergingthreats.net Sat Jan 9 18:00:13 2010
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 9 Jan 2010 18:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20100109230013.8E6BE4502D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 9 18:00:13 2010 [***]

[+++] Added rules: [+++]

2001686 - ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt (emerging-web_specific_apps.rules)
2009096 - ET TROJAN Tigger.a/Syzor Control Checkin (emerging-virus.rules)
2010560 - ET WEB_CLIENT Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 (emerging-web_client.rules)
2010604 - ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt (emerging-web_specific_apps.rules)
2010605 - ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt (emerging-web_specific_apps.rules)
2010606 - ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt (emerging-web_specific_apps.rules)
2010607 - ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt (emerging-web_specific_apps.rules)
2010608 - ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt (emerging-web_specific_apps.rules)
2010609 - ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt (emerging-web_specific_apps.rules)
2010610 - ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt (emerging-web_specific_apps.rules)
2010611 - ET WEB_CLIENT HP Openview NNM ActiveX DisplayName method Memory corruption Attempt (emerging-web_client.rules)
2010612 - ET WEB_CLIENT HP Openview NNM ActiveX AddGroup method Memory corruption Attempt (emerging-web_client.rules)
2010613 - ET WEB_CLIENT HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt (emerging-web_client.rules)
2010614 - ET WEB_CLIENT HP Openview NNM ActiveX Subscribe method Memory corruption
Attempt (emerging-web_client.rules) 2010615 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010616 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010617 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules) 2010618 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules) 2010619 - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules) 2010620 - ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules) 2010621 - ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) (emerging-web_server.rules) 2010622 - ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt (emerging-web_server.rules) 2010623 - ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt (emerging-web_server.rules) 2010624 - ET CURRENT_EVENTS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets) (emerging-current_events.rules) 2010625 - ET TROJAN FakeAV Landing Page (aid,sid) (emerging-virus.rules) 2010626 - ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin (emerging-virus.rules) 2010627 - ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin (emerging-virus.rules) 2010628 - ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin (emerging-virus.rules) 2010629 - ET CURRENT_EVENTS MySpace Spam Inbound (emerging-current_events.rules) 2010630 - ET MALWARE Generic Adware Install Report (emerging-malware.rules) 2010631 - ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt 
(emerging-web_specific_apps.rules) 2010636 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010637 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt (emerging-web_specific_apps.rules) 2010638 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt (emerging-web_specific_apps.rules) 2010639 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt (emerging-web_specific_apps.rules) 2010640 - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt (emerging-web_specific_apps.rules) 2010641 - ET SCAN ICMP @hello request, Likely Precursor to Scan (emerging-scan.rules) 2404028 - ET DROP Known Bot C&C Server Traffic TCP (group 15) (emerging-botcc.rules) 2404029 - ET DROP Known Bot C&C Server Traffic UDP (group 15) (emerging-botcc.rules) 2404030 - ET DROP Known Bot C&C Server Traffic TCP (group 16) (emerging-botcc.rules) 2404031 - ET DROP Known Bot C&C Server Traffic UDP (group 16) (emerging-botcc.rules) 2404032 - ET DROP Known Bot C&C Server Traffic TCP (group 17) (emerging-botcc.rules) 2404033 - ET DROP Known Bot C&C Server Traffic UDP (group 17) (emerging-botcc.rules) 2404034 - ET DROP Known Bot C&C Server Traffic TCP (group 18) (emerging-botcc.rules) 2404035 - ET DROP Known Bot C&C Server Traffic UDP (group 18) (emerging-botcc.rules) 2404036 - ET DROP Known Bot C&C Server Traffic TCP (group 19) (emerging-botcc.rules) 2404037 - ET DROP Known Bot C&C Server Traffic UDP (group 19) (emerging-botcc.rules) 2404038 - ET DROP Known Bot C&C Server Traffic TCP (group 20) (emerging-botcc.rules) 2404039 - ET DROP Known Bot C&C Server Traffic UDP (group 20) (emerging-botcc.rules) 2404040 - ET DROP Known Bot C&C Server Traffic TCP (group 21) (emerging-botcc.rules) 2404041 - ET DROP Known Bot C&C Server Traffic UDP (group 21) 
(emerging-botcc.rules) 2404042 - ET DROP Known Bot C&C Server Traffic TCP (group 22) (emerging-botcc.rules) 2404043 - ET DROP Known Bot C&C Server Traffic UDP (group 22) (emerging-botcc.rules) 2404044 - ET DROP Known Bot C&C Server Traffic TCP (group 23) (emerging-botcc.rules) 2404045 - ET DROP Known Bot C&C Server Traffic UDP (group 23) (emerging-botcc.rules) 2404046 - ET DROP Known Bot C&C Server Traffic TCP (group 24) (emerging-botcc.rules) 2404047 - ET DROP Known Bot C&C Server Traffic UDP (group 24) (emerging-botcc.rules) 2404048 - ET DROP Known Bot C&C Server Traffic TCP (group 25) (emerging-botcc.rules) 2404049 - ET DROP Known Bot C&C Server Traffic UDP (group 25) (emerging-botcc.rules) 2404050 - ET DROP Known Bot C&C Server Traffic TCP (group 26) (emerging-botcc.rules) 2404051 - ET DROP Known Bot C&C Server Traffic UDP (group 26) (emerging-botcc.rules) 2404052 - ET DROP Known Bot C&C Server Traffic TCP (group 27) (emerging-botcc.rules) 2404053 - ET DROP Known Bot C&C Server Traffic UDP (group 27) (emerging-botcc.rules) 2405028 - ET DROP Known Bot C&C Traffic TCP (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405029 - ET DROP Known Bot C&C Traffic UDP (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405030 - ET DROP Known Bot C&C Traffic TCP (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405031 - ET DROP Known Bot C&C Traffic UDP (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405032 - ET DROP Known Bot C&C Traffic TCP (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405033 - ET DROP Known Bot C&C Traffic UDP (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405034 - ET DROP Known Bot C&C Traffic TCP (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405035 - ET DROP Known Bot C&C Traffic UDP (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405036 - ET DROP Known Bot C&C Traffic TCP (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405037 - ET DROP Known Bot C&C 
Traffic UDP (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405038 - ET DROP Known Bot C&C Traffic TCP (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405039 - ET DROP Known Bot C&C Traffic UDP (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405040 - ET DROP Known Bot C&C Traffic TCP (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405041 - ET DROP Known Bot C&C Traffic UDP (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405042 - ET DROP Known Bot C&C Traffic TCP (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405043 - ET DROP Known Bot C&C Traffic UDP (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405044 - ET DROP Known Bot C&C Traffic TCP (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405045 - ET DROP Known Bot C&C Traffic UDP (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405046 - ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405047 - ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405048 - ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405049 - ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405050 - ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405051 - ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405052 - ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405053 - ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) [+++] Enabled and modified rules: [+++] 2008417 - ET SCAN Wapiti Web Server Vulnerability Scan (emerging-scan.rules) [///] Modified active rules: [///] 2006434 - ET POLICY Possible Ecard Trojan download (emerging-policy.rules) 2009076 - ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile 
content (PDF) (emerging-current_events.rules) 2010348 - ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download (emerging-virus.rules) 2010565 - ET TROJAN Bebloh C&C HTTP POST (emerging-virus.rules) 2010566 - ET CURRENT_EVENTS Zbot update (av_base/pay.php) (emerging-current_events.rules) 2010567 - ET CURRENT_EVENTS Zbot update (av_base/ip.php) (emerging-current_events.rules) 2010568 - ET CURRENT_EVENTS Zbot update (av-i386-daily.zip) (emerging-current_events.rules) 2010569 - ET TROJAN Trojan Downloader Win32/Small.CBA download (emerging-virus.rules) 2010592 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) (emerging-web_server.rules) 2010593 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) (emerging-web_server.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic 
Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic TCP (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic UDP (group 1) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic TCP (group 2) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic UDP (group 2) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic TCP (group 3) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic UDP (group 3) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic TCP (group 4) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic UDP (group 4) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic TCP (group 5) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic UDP (group 5) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic TCP (group 6) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic UDP (group 6) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic TCP (group 7) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic UDP (group 7) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic TCP (group 8) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic UDP (group 8) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic TCP (group 9) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic UDP 
(group 9) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic TCP (group 10) (emerging-botcc.rules) 2404019 - ET DROP Known Bot C&C Server Traffic UDP (group 10) (emerging-botcc.rules) 2404020 - ET DROP Known Bot C&C Server Traffic TCP (group 11) (emerging-botcc.rules) 2404021 - ET DROP Known Bot C&C Server Traffic UDP (group 11) (emerging-botcc.rules) 2404022 - ET DROP Known Bot C&C Server Traffic TCP (group 12) (emerging-botcc.rules) 2404023 - ET DROP Known Bot C&C Server Traffic UDP (group 12) (emerging-botcc.rules) 2404024 - ET DROP Known Bot C&C Server Traffic TCP (group 13) (emerging-botcc.rules) 2404025 - ET DROP Known Bot C&C Server Traffic UDP (group 13) (emerging-botcc.rules) 2404026 - ET DROP Known Bot C&C Server Traffic TCP (group 14) (emerging-botcc.rules) 2404027 - ET DROP Known Bot C&C Server Traffic UDP (group 14) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic UDP (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic TCP (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic UDP (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic TCP (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic UDP (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic TCP (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic UDP (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic TCP (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic UDP (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic TCP (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 
2405011 - ET DROP Known Bot C&C Traffic UDP (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic TCP (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic UDP (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic TCP (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic UDP (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic TCP (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic UDP (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic TCP (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405019 - ET DROP Known Bot C&C Traffic UDP (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405020 - ET DROP Known Bot C&C Traffic TCP (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405021 - ET DROP Known Bot C&C Traffic UDP (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405022 - ET DROP Known Bot C&C Traffic TCP (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405023 - ET DROP Known Bot C&C Traffic UDP (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405024 - ET DROP Known Bot C&C Traffic TCP (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405025 - ET DROP Known Bot C&C Traffic UDP (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405026 - ET DROP Known Bot C&C Traffic TCP (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405027 - ET DROP Known Bot C&C Traffic UDP (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2406000 - ET RBN Known Russian Business Network IP TCP (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network IP UDP (1) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network IP TCP (2) (emerging-rbn.rules) 2406003 - ET RBN Known Russian 
Business Network IP UDP (2) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network IP TCP (3) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network IP UDP (3) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network IP TCP (4) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network IP UDP (4) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network IP TCP (5) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network IP UDP (5) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network IP TCP (6) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network IP UDP (6) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network IP TCP (7) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network IP UDP (7) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network IP TCP (8) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network IP UDP (8) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network IP TCP (9) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network IP UDP (9) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network IP TCP (10) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network IP UDP (10) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network IP TCP (11) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network IP UDP (11) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network IP TCP (12) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network IP UDP (12) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network IP TCP (13) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network IP UDP (13) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network IP TCP (14) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network IP UDP (14) (emerging-rbn.rules) 2406028 - ET RBN 
Known Russian Business Network IP TCP (15) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network IP UDP (15) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network IP TCP (16) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network IP UDP (16) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network IP TCP (17) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network IP UDP (17) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network IP TCP (18) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network IP UDP (18) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network IP TCP (19) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network IP UDP (19) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network IP TCP (20) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network IP UDP (20) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network IP TCP (21) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network IP UDP (21) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network IP TCP (22) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network IP UDP (22) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network IP TCP (23) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network IP UDP (23) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network IP TCP (24) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network IP UDP (24) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network IP TCP (25) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network IP UDP (25) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network IP TCP (26) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network IP UDP (26) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network IP TCP (27) 
(emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network IP UDP (27) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network IP TCP (28) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network IP UDP (28) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network IP TCP (29) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network IP UDP (29) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network IP TCP (30) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network IP UDP (30) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network IP TCP (31) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network IP UDP (31) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network IP TCP (32) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network IP UDP (32) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network IP TCP (33) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network IP UDP (33) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network IP TCP (34) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network IP UDP (34) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network IP TCP (35) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network IP UDP (35) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network IP TCP (36) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network IP UDP (36) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network IP TCP (37) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network IP UDP (37) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network IP TCP (38) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network IP UDP (38) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network IP TCP (39) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network IP UDP (39) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network IP TCP (40) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network IP UDP (40) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network IP TCP (41) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network IP UDP (41) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network IP TCP (42) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network IP UDP (42) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network IP TCP (43) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network IP UDP (43) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network IP TCP (44) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network IP UDP (44) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network IP TCP (45) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network IP UDP (45) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network IP TCP (46) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network IP UDP (46) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network IP TCP (47) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network IP UDP (47) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network IP TCP (48) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network IP UDP (48) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network IP TCP (49) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network IP UDP (49) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network IP TCP (50) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network IP UDP (50) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network IP TCP (51) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network IP UDP (51) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network IP TCP (52) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network IP UDP (52) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network IP TCP (53) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network IP UDP (53) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network IP TCP (54) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network IP UDP (54) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network IP TCP (55) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network IP UDP (55) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network IP TCP (56) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network IP UDP (56) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network IP TCP (57) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network IP UDP (57) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network IP TCP (58) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network IP UDP (58) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network IP TCP (59) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network IP UDP (59) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network IP TCP (60) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network IP UDP (60) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network IP TCP (61) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network IP UDP (61) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network IP TCP (62) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network IP UDP (62) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network IP TCP (63) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network IP UDP (63) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network IP TCP (64) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network IP UDP (64) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network IP TCP (65) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network IP UDP (65) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network IP TCP (66) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network IP UDP (66) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network IP TCP (67) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network IP UDP (67) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network IP TCP (68) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network IP UDP (68) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network IP TCP (69) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network IP UDP (69) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network IP TCP (70) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network IP UDP (70) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network IP TCP (71) (emerging-rbn.rules)
2406141 - ET RBN Known Russian Business Network IP UDP (71) (emerging-rbn.rules)
2406142 - ET RBN Known Russian Business Network IP TCP (72) (emerging-rbn.rules)
2406143 - ET RBN Known Russian Business Network IP UDP (72) (emerging-rbn.rules)
2406144 - ET RBN Known Russian Business Network IP TCP (73) (emerging-rbn.rules)
2406145 - ET RBN Known Russian Business Network IP UDP (73) (emerging-rbn.rules)
2406146 - ET RBN Known Russian Business Network IP TCP (74) (emerging-rbn.rules)
2406147 - ET RBN Known Russian Business Network IP UDP (74) (emerging-rbn.rules)
2406148 - ET RBN Known Russian Business Network IP TCP (75) (emerging-rbn.rules)
2406149 - ET RBN Known Russian Business Network IP UDP (75) (emerging-rbn.rules)
2406150 - ET RBN Known Russian Business Network IP TCP (76) (emerging-rbn.rules)
2406151 - ET RBN Known Russian Business Network IP UDP (76) (emerging-rbn.rules)
2406152 - ET RBN Known Russian Business Network IP TCP (77) (emerging-rbn.rules)
2406153 - ET RBN Known Russian Business Network IP UDP (77) (emerging-rbn.rules)
2406154 - ET RBN Known Russian Business Network IP TCP (78) (emerging-rbn.rules)
2406155 - ET RBN Known Russian Business Network IP UDP (78) (emerging-rbn.rules)
2406156 - ET RBN Known Russian Business Network IP TCP (79) (emerging-rbn.rules)
2406157 - ET RBN Known Russian Business Network IP UDP (79) (emerging-rbn.rules)
2406158 - ET RBN Known Russian Business Network IP TCP (80) (emerging-rbn.rules)
2406159 - ET RBN Known Russian Business Network IP UDP (80) (emerging-rbn.rules)
2406160 - ET RBN Known Russian Business Network IP TCP (81) (emerging-rbn.rules)
2406161 - ET RBN Known Russian Business Network IP UDP (81) (emerging-rbn.rules)
2406162 - ET RBN Known Russian Business Network IP TCP (82) (emerging-rbn.rules)
2406163 - ET RBN Known Russian Business Network IP UDP (82) (emerging-rbn.rules)
2406164 - ET RBN Known Russian Business Network IP TCP (83) (emerging-rbn.rules)
2406165 - ET RBN Known Russian Business Network IP UDP (83) (emerging-rbn.rules)
2406166 - ET RBN Known Russian Business Network IP TCP (84) (emerging-rbn.rules)
2406167 - ET RBN Known Russian Business Network IP UDP (84) (emerging-rbn.rules)
2406168 - ET RBN Known Russian Business Network IP TCP (85) (emerging-rbn.rules)
2406169 - ET RBN Known Russian Business Network IP UDP (85) (emerging-rbn.rules)
2406170 - ET RBN Known Russian Business Network IP TCP (86) (emerging-rbn.rules)
2406171 - ET RBN Known Russian Business Network IP UDP (86) (emerging-rbn.rules)
2406172 - ET RBN Known Russian Business Network IP TCP (87) (emerging-rbn.rules)
2406173 - ET RBN Known Russian Business Network IP UDP (87) (emerging-rbn.rules)
2406174 - ET RBN Known Russian Business Network IP TCP (88) (emerging-rbn.rules)
2406175 - ET RBN Known Russian Business Network IP UDP (88) (emerging-rbn.rules)
2406176 - ET RBN Known Russian Business Network IP TCP (89) (emerging-rbn.rules)
2406177 - ET RBN Known Russian Business Network IP UDP (89) (emerging-rbn.rules)
2406178 - ET RBN Known Russian Business Network IP TCP (90) (emerging-rbn.rules)
2406179 - ET RBN Known Russian Business Network IP UDP (90) (emerging-rbn.rules)
2406180 - ET RBN Known Russian Business Network IP TCP (91) (emerging-rbn.rules)
2406181 - ET RBN Known Russian Business Network IP UDP (91) (emerging-rbn.rules)
2406182 - ET RBN Known Russian Business Network IP TCP (92) (emerging-rbn.rules)
2406183 - ET RBN Known Russian Business Network IP UDP (92) (emerging-rbn.rules)
2406184 - ET RBN Known Russian Business Network IP TCP (93) (emerging-rbn.rules)
2406185 - ET RBN Known Russian Business Network IP UDP (93) (emerging-rbn.rules)
2406186 - ET RBN Known Russian Business Network IP TCP (94) (emerging-rbn.rules)
2406187 - ET RBN Known Russian Business Network IP UDP (94) (emerging-rbn.rules)
2406188 - ET RBN Known Russian Business Network IP TCP (95) (emerging-rbn.rules)
2406189 - ET RBN Known Russian Business Network IP UDP (95) (emerging-rbn.rules)
2406190 - ET RBN Known Russian Business Network IP TCP (96) (emerging-rbn.rules)
2406191 - ET RBN Known Russian Business Network IP UDP (96) (emerging-rbn.rules)
2406192 - ET RBN Known Russian Business Network IP TCP (97) (emerging-rbn.rules)
2406193 - ET RBN Known Russian Business Network IP UDP (97) (emerging-rbn.rules)
2406194 - ET RBN Known Russian Business Network IP TCP (98) (emerging-rbn.rules)
2406195 - ET RBN Known Russian Business Network IP UDP (98) (emerging-rbn.rules)
2406196 - ET RBN Known Russian Business Network IP TCP (99) (emerging-rbn.rules)
2406197 - ET RBN Known Russian Business Network IP UDP (99) (emerging-rbn.rules)
2406198 - ET RBN Known Russian Business Network IP TCP (100) (emerging-rbn.rules)
2406199 - ET RBN Known Russian Business Network IP UDP (100) (emerging-rbn.rules)
2406200 - ET RBN Known Russian Business Network IP TCP (101) (emerging-rbn.rules)
2406201 - ET RBN Known Russian Business Network IP UDP (101) (emerging-rbn.rules)
2406202 - ET RBN Known Russian Business Network IP TCP (102) (emerging-rbn.rules)
2406203 - ET RBN Known Russian Business Network IP UDP (102) (emerging-rbn.rules)
2406204 - ET RBN Known Russian Business Network IP TCP (103) (emerging-rbn.rules)
2406205 - ET RBN Known Russian Business Network IP UDP (103) (emerging-rbn.rules)
2406206 - ET RBN Known Russian Business Network IP TCP (104) (emerging-rbn.rules)
2406207 - ET RBN Known Russian Business Network IP UDP (104) (emerging-rbn.rules)
2406208 - ET RBN Known Russian Business Network IP TCP (105) (emerging-rbn.rules)
2406209 - ET RBN Known Russian Business Network IP UDP (105) (emerging-rbn.rules)
2406210 - ET RBN Known Russian Business Network IP TCP (106) (emerging-rbn.rules)
2406211 - ET RBN Known Russian Business Network IP UDP (106) (emerging-rbn.rules)
2406212 - ET RBN Known Russian Business Network IP TCP (107) (emerging-rbn.rules)
2406213 - ET RBN Known Russian Business Network IP UDP (107) (emerging-rbn.rules)
2406214 - ET RBN Known Russian Business Network IP TCP (108) (emerging-rbn.rules)
2406215 - ET RBN Known Russian Business Network IP UDP (108) (emerging-rbn.rules)
2406216 - ET RBN Known Russian Business Network IP TCP (109) (emerging-rbn.rules)
2406217 - ET RBN Known Russian Business Network IP UDP (109) (emerging-rbn.rules)
2406218 - ET RBN Known Russian Business Network IP TCP (110) (emerging-rbn.rules)
2406219 - ET RBN Known Russian Business Network IP UDP (110) (emerging-rbn.rules)
2406220 - ET RBN Known Russian Business Network IP TCP (111) (emerging-rbn.rules)
2406221 - ET RBN Known Russian Business Network IP UDP (111) (emerging-rbn.rules)
2406222 - ET RBN Known Russian Business Network IP TCP (112) (emerging-rbn.rules)
2406223 - ET RBN Known Russian Business Network IP UDP (112) (emerging-rbn.rules)
2406224 - ET RBN Known Russian Business Network IP TCP (113) (emerging-rbn.rules)
2406225 - ET RBN Known Russian Business Network IP UDP (113) (emerging-rbn.rules)
2406226 - ET RBN Known Russian Business Network IP TCP (114) (emerging-rbn.rules)
2406227 - ET RBN Known Russian Business Network IP UDP (114) (emerging-rbn.rules)
2406228 - ET RBN Known Russian Business Network IP TCP (115) (emerging-rbn.rules)
2406229 - ET RBN Known Russian Business Network IP UDP (115) (emerging-rbn.rules)
2406230 - ET RBN Known Russian Business Network IP TCP (116) (emerging-rbn.rules)
2406231 - ET RBN Known Russian Business Network IP UDP (116) (emerging-rbn.rules)
2406232 - ET RBN Known Russian Business Network IP TCP (117) (emerging-rbn.rules)
2406233 - ET RBN Known Russian Business Network IP UDP (117) (emerging-rbn.rules)
2406234 - ET RBN Known Russian Business Network IP TCP (118) (emerging-rbn.rules)
2406235 - ET RBN Known Russian Business Network IP UDP (118) (emerging-rbn.rules)
2406236 - ET RBN Known Russian Business Network IP TCP (119) (emerging-rbn.rules)
2406237 - ET RBN Known Russian Business Network IP UDP (119) (emerging-rbn.rules)
2406238 - ET RBN Known Russian Business Network IP TCP (120) (emerging-rbn.rules)
2406239 - ET RBN Known Russian Business Network IP UDP (120) (emerging-rbn.rules)
2406240 - ET RBN Known Russian Business Network IP TCP (121) (emerging-rbn.rules)
2406241 - ET RBN Known Russian Business Network IP UDP (121) (emerging-rbn.rules)
2406242 - ET RBN Known Russian Business Network IP TCP (122) (emerging-rbn.rules)
2406243 - ET RBN Known Russian Business Network IP UDP (122) (emerging-rbn.rules)
2406244 - ET RBN Known Russian Business Network IP TCP (123) (emerging-rbn.rules)
2406245 - ET RBN Known Russian Business Network IP UDP (123) (emerging-rbn.rules)
2406246 - ET RBN Known Russian Business Network IP TCP (124) (emerging-rbn.rules)
2406247 - ET RBN Known Russian Business Network IP UDP (124) (emerging-rbn.rules)
2406248 - ET RBN Known Russian Business Network IP TCP (125) (emerging-rbn.rules)
2406249 - ET RBN Known Russian Business Network IP UDP (125) (emerging-rbn.rules)
2406250 - ET RBN Known Russian Business Network IP TCP (126) (emerging-rbn.rules)
2406251 - ET RBN Known Russian Business Network IP UDP (126) (emerging-rbn.rules)
2406252 - ET RBN Known Russian Business Network IP TCP (127) (emerging-rbn.rules)
2406253 - ET RBN Known Russian Business Network IP UDP (127) (emerging-rbn.rules)
2406254 - ET RBN Known Russian Business Network IP TCP (128) (emerging-rbn.rules)
2406255 - ET RBN Known Russian Business Network IP UDP (128) (emerging-rbn.rules)
2406256 - ET RBN Known Russian Business Network IP TCP (129) (emerging-rbn.rules)
2406257 - ET RBN Known Russian Business Network IP UDP (129) (emerging-rbn.rules)
2406258 - ET RBN Known Russian Business Network IP TCP (130) (emerging-rbn.rules)
2406259 - ET RBN Known Russian Business Network IP UDP (130) (emerging-rbn.rules)
2406260 - ET RBN Known Russian Business Network IP TCP (131) (emerging-rbn.rules)
2406261 - ET RBN Known Russian Business Network IP UDP (131) (emerging-rbn.rules)
2406262 - ET RBN Known Russian Business Network IP TCP (132) (emerging-rbn.rules)
2406263 - ET RBN Known Russian Business Network IP UDP (132) (emerging-rbn.rules)
2406264 - ET RBN Known Russian Business Network IP TCP (133) (emerging-rbn.rules)
2406265 - ET RBN Known Russian Business Network IP UDP (133) (emerging-rbn.rules)
2406266 - ET RBN Known Russian Business Network IP TCP (134) (emerging-rbn.rules)
2406267 - ET RBN Known Russian Business Network IP UDP (134) (emerging-rbn.rules)
2406268 - ET RBN Known Russian Business Network IP TCP (135) (emerging-rbn.rules)
2406269 - ET RBN Known Russian Business Network IP UDP (135) (emerging-rbn.rules)
2406270 - ET RBN Known Russian Business Network IP TCP (136) (emerging-rbn.rules)
2406271 - ET RBN Known Russian Business Network IP UDP (136) (emerging-rbn.rules)
2406272 - ET RBN Known Russian Business Network IP TCP (137) (emerging-rbn.rules)
2406273 - ET RBN Known Russian Business Network IP UDP (137) (emerging-rbn.rules)
2406274 - ET RBN Known Russian Business Network IP TCP (138) (emerging-rbn.rules)
2406275 - ET RBN Known Russian Business Network IP UDP (138) (emerging-rbn.rules)
2406276 - ET RBN Known Russian Business Network IP TCP (139) (emerging-rbn.rules)
2406277 - ET RBN Known Russian Business Network IP UDP (139) (emerging-rbn.rules)
2406278 - ET RBN Known Russian Business Network IP TCP (140) (emerging-rbn.rules)
2406279 - ET RBN Known Russian Business Network IP UDP (140) (emerging-rbn.rules)
2406280 - ET RBN Known Russian Business Network IP TCP (141) (emerging-rbn.rules)
2406281 - ET RBN Known Russian Business Network IP UDP (141) (emerging-rbn.rules)
2406282 - ET RBN Known Russian Business Network IP TCP (142) (emerging-rbn.rules)
2406283 - ET RBN Known Russian Business Network IP UDP (142) (emerging-rbn.rules)
2406284 - ET RBN Known Russian Business Network IP TCP (143) (emerging-rbn.rules)
2406285 - ET RBN Known Russian Business Network IP UDP (143) (emerging-rbn.rules)
2406286 - ET RBN Known Russian Business Network IP TCP (144) (emerging-rbn.rules)
2406287 - ET RBN Known Russian Business Network IP UDP (144) (emerging-rbn.rules)
2406288 - ET RBN Known Russian Business Network IP TCP (145) (emerging-rbn.rules)
2406289 - ET RBN Known Russian Business Network IP UDP (145) (emerging-rbn.rules)
2406290 - ET RBN Known Russian Business Network IP TCP (146) (emerging-rbn.rules)
2406291 - ET RBN Known Russian Business Network IP UDP (146) (emerging-rbn.rules)
2406292 - ET RBN Known Russian Business Network IP TCP (147) (emerging-rbn.rules)
2406293 - ET RBN Known Russian Business Network IP UDP (147) (emerging-rbn.rules)
2406294 - ET RBN Known Russian Business Network IP TCP (148) (emerging-rbn.rules)
2406295 - ET RBN Known Russian Business Network IP UDP (148) (emerging-rbn.rules)
2406296 - ET RBN Known Russian Business Network IP TCP (149) (emerging-rbn.rules)
2406297 - ET RBN Known Russian Business Network IP UDP (149) (emerging-rbn.rules)
2406298 - ET RBN Known Russian Business Network IP TCP (150) (emerging-rbn.rules)
2406299 - ET RBN Known Russian Business Network IP UDP (150) (emerging-rbn.rules)
2406300 - ET RBN Known Russian Business Network IP TCP (151) (emerging-rbn.rules)
2406301 - ET RBN Known Russian Business Network IP UDP (151) (emerging-rbn.rules)
2406302 - ET RBN Known Russian Business Network IP TCP (152) (emerging-rbn.rules)
2406303 - ET RBN Known Russian Business Network IP UDP (152) (emerging-rbn.rules)
2406304 - ET RBN Known Russian Business Network IP TCP (153) (emerging-rbn.rules)
2406305 - ET RBN Known Russian Business Network IP UDP (153) (emerging-rbn.rules)
2406306 - ET RBN Known Russian Business Network IP TCP (154) (emerging-rbn.rules)
2406307 - ET RBN Known Russian Business Network IP UDP (154) (emerging-rbn.rules)
2406308 - ET RBN Known Russian Business Network IP TCP (155) (emerging-rbn.rules)
2406309 - ET RBN Known Russian Business Network IP UDP (155) (emerging-rbn.rules)
2406310 - ET RBN Known Russian Business Network IP TCP (156) (emerging-rbn.rules)
2406311 - ET RBN Known Russian Business Network IP UDP (156) (emerging-rbn.rules)
2406312 - ET RBN Known Russian Business Network IP TCP (157) (emerging-rbn.rules)
2406313 - ET RBN Known Russian Business Network IP UDP (157) (emerging-rbn.rules)
2406314 - ET RBN Known Russian Business Network IP TCP (158) (emerging-rbn.rules)
2406315 - ET RBN Known Russian Business Network IP UDP (158) (emerging-rbn.rules)
2406316 - ET RBN Known Russian Business Network IP TCP (159) (emerging-rbn.rules)
2406317 - ET RBN Known Russian Business Network IP UDP (159) (emerging-rbn.rules)
2406318 - ET RBN Known Russian Business Network IP TCP (160) (emerging-rbn.rules)
2406319 - ET RBN Known Russian Business Network IP UDP (160) (emerging-rbn.rules)
2406320 - ET RBN Known Russian Business Network IP TCP (161) (emerging-rbn.rules)
2406321 - ET RBN Known Russian Business Network IP UDP (161) (emerging-rbn.rules)
2406322 - ET RBN Known Russian Business Network IP TCP (162) (emerging-rbn.rules)
2406323 - ET RBN Known Russian Business Network IP UDP (162) (emerging-rbn.rules)
2406324 - ET RBN Known Russian Business Network IP TCP (163) (emerging-rbn.rules)
2406325 - ET RBN Known Russian Business Network IP UDP (163) (emerging-rbn.rules)
2406326 - ET RBN Known Russian Business Network IP TCP (164) (emerging-rbn.rules)
2406327 - ET RBN Known Russian Business Network IP UDP (164) (emerging-rbn.rules)
2406328 - ET RBN Known Russian Business Network IP TCP (165) (emerging-rbn.rules)
2406329 - ET RBN Known Russian Business Network IP UDP (165) (emerging-rbn.rules)
2406330 - ET RBN Known Russian Business Network IP TCP (166) (emerging-rbn.rules)
2406331 - ET RBN Known Russian Business Network IP UDP (166) (emerging-rbn.rules)
2406332 - ET RBN Known Russian Business Network IP TCP (167) (emerging-rbn.rules)
2406333 - ET RBN Known Russian Business Network IP UDP (167) (emerging-rbn.rules)
2406334 - ET RBN Known Russian Business Network IP TCP (168) (emerging-rbn.rules)
2406335 - ET RBN Known Russian Business Network IP UDP (168) (emerging-rbn.rules)
2406336 - ET RBN Known Russian Business Network IP TCP (169) (emerging-rbn.rules)
2406337 - ET RBN Known Russian Business Network IP UDP (169) (emerging-rbn.rules)
2406338 - ET RBN Known Russian Business Network IP TCP (170) (emerging-rbn.rules)
2406339 - ET RBN Known Russian Business Network IP UDP (170) (emerging-rbn.rules)
2406340 - ET RBN Known Russian Business Network IP TCP (171) (emerging-rbn.rules)
2406341 - ET RBN Known Russian Business Network IP UDP (171) (emerging-rbn.rules)
2406342 - ET RBN Known Russian Business Network IP TCP (172) (emerging-rbn.rules)
2406343 - ET RBN Known Russian Business Network IP UDP (172) (emerging-rbn.rules)
2406344 - ET RBN Known Russian Business Network IP TCP (173) (emerging-rbn.rules)
2406345 - ET RBN Known Russian Business Network IP UDP (173) (emerging-rbn.rules)
2406346 - ET RBN Known Russian Business Network IP TCP (174) (emerging-rbn.rules)
2406347 - ET RBN Known Russian Business Network IP UDP (174) (emerging-rbn.rules)
2406348 - ET RBN Known Russian Business Network IP TCP (175) (emerging-rbn.rules)
2406349 - ET RBN Known Russian Business Network IP UDP (175) (emerging-rbn.rules)
2406350 - ET RBN Known Russian Business Network IP TCP (176) (emerging-rbn.rules)
2406351 - ET RBN Known Russian Business Network IP UDP (176) (emerging-rbn.rules)
2406352 - ET RBN Known Russian Business Network IP TCP (177) (emerging-rbn.rules)
2406353 - ET RBN Known Russian Business Network IP UDP (177) (emerging-rbn.rules)
2406354 - ET RBN Known Russian Business Network IP TCP (178) (emerging-rbn.rules)
2406355 - ET RBN Known Russian Business Network IP UDP (178) (emerging-rbn.rules)
2406356 - ET RBN Known Russian Business Network IP TCP (179) (emerging-rbn.rules)
2406357 - ET RBN Known Russian Business Network IP UDP (179) (emerging-rbn.rules)
2406358 - ET RBN Known Russian Business Network IP TCP (180) (emerging-rbn.rules)
2406359 - ET RBN Known Russian Business Network IP UDP (180) (emerging-rbn.rules)
2406360 - ET RBN Known Russian Business Network IP TCP (181) (emerging-rbn.rules)
2406361 - ET RBN Known Russian Business Network IP UDP (181) (emerging-rbn.rules)
2406362 - ET RBN Known Russian Business Network IP TCP (182) (emerging-rbn.rules)
2406363 - ET RBN Known Russian Business Network IP UDP (182) (emerging-rbn.rules)
2406364 - ET RBN Known Russian Business Network IP TCP (183) (emerging-rbn.rules)
2406365 - ET RBN Known Russian Business Network IP UDP (183) (emerging-rbn.rules)
2406366 - ET RBN Known Russian Business Network IP TCP (184) (emerging-rbn.rules)
2406367 - ET RBN Known Russian Business Network IP UDP (184) (emerging-rbn.rules)
2406368 - ET RBN Known Russian Business Network IP TCP (185) (emerging-rbn.rules)
2406369 - ET RBN Known Russian Business Network IP UDP (185) (emerging-rbn.rules)
2406370 - ET RBN Known Russian Business Network IP TCP (186) (emerging-rbn.rules)
2406371 - ET RBN Known Russian Business Network IP UDP (186) (emerging-rbn.rules)
2406372 - ET RBN Known Russian Business Network IP TCP (187) (emerging-rbn.rules)
2406373 - ET RBN Known Russian Business Network IP UDP (187) (emerging-rbn.rules)
2406374 - ET RBN Known Russian Business Network IP TCP (188) (emerging-rbn.rules)
2406375 - ET RBN Known Russian Business Network IP UDP (188) (emerging-rbn.rules)
2406376 - ET RBN Known Russian Business Network IP TCP (189) (emerging-rbn.rules)
2406377 - ET RBN Known Russian Business Network IP UDP (189) (emerging-rbn.rules)
2406378 - ET RBN Known Russian Business Network IP TCP (190) (emerging-rbn.rules)
2406379 - ET RBN Known Russian Business Network IP UDP (190) (emerging-rbn.rules)
2406380 - ET RBN Known Russian Business Network IP TCP (191) (emerging-rbn.rules)
2406381 - ET RBN Known Russian Business Network IP UDP (191) (emerging-rbn.rules)
2406382 - ET RBN Known Russian Business Network IP TCP (192) (emerging-rbn.rules)
2406383 - ET RBN Known Russian Business Network IP UDP (192) (emerging-rbn.rules)
2406384 - ET RBN Known Russian Business Network IP TCP (193) (emerging-rbn.rules)
2406385 - ET RBN Known Russian Business Network IP UDP (193) (emerging-rbn.rules)
2406386 - ET RBN Known Russian Business Network IP TCP (194) (emerging-rbn.rules)
2406387 - ET RBN Known Russian Business Network IP UDP (194) (emerging-rbn.rules)
2406388 - ET RBN Known Russian Business Network IP TCP (195) (emerging-rbn.rules)
2406389 - ET RBN Known Russian Business Network IP UDP (195) (emerging-rbn.rules)
2406390 - ET RBN Known Russian Business Network IP TCP (196) (emerging-rbn.rules)
2406391 - ET RBN Known Russian Business Network IP UDP (196) (emerging-rbn.rules)
2406392 - ET RBN Known Russian Business Network IP TCP (197) (emerging-rbn.rules)
2406393 - ET RBN Known Russian Business Network IP UDP (197) (emerging-rbn.rules)
2406394 - ET RBN Known Russian Business Network IP TCP (198) (emerging-rbn.rules)
2406395 - ET RBN Known Russian Business Network IP UDP (198) (emerging-rbn.rules)
2406396 - ET RBN Known Russian Business Network IP TCP (199) (emerging-rbn.rules)
2406397 - ET RBN Known Russian Business Network IP UDP (199) (emerging-rbn.rules)
2406398 - ET RBN Known Russian Business Network IP TCP (200) (emerging-rbn.rules)
2406399 - ET RBN Known Russian Business Network IP UDP (200) (emerging-rbn.rules)
2406400 - ET RBN Known Russian Business Network IP TCP (201) (emerging-rbn.rules)
2406401 - ET RBN Known Russian Business Network IP UDP (201) (emerging-rbn.rules)
2406402 - ET RBN Known Russian Business Network IP TCP (202) (emerging-rbn.rules)
2406403 - ET RBN Known Russian Business Network IP UDP (202) (emerging-rbn.rules)
2406404 - ET RBN Known Russian Business Network IP TCP (203) (emerging-rbn.rules)
2406405 - ET RBN Known Russian Business Network IP UDP (203) (emerging-rbn.rules)
2406406 - ET RBN Known Russian Business Network IP TCP (204) (emerging-rbn.rules)
2406407 - ET RBN Known Russian Business Network IP UDP (204) (emerging-rbn.rules)
2406408 - ET RBN Known Russian Business Network IP TCP (205) (emerging-rbn.rules)
2406409 - ET RBN Known Russian Business Network IP UDP (205) (emerging-rbn.rules)
2406410 - ET RBN Known Russian Business Network IP TCP (206) (emerging-rbn.rules)
2406411 - ET RBN Known Russian Business Network IP UDP (206) (emerging-rbn.rules)
2406412 - ET RBN Known Russian Business Network IP TCP (207) (emerging-rbn.rules)
2406413 - ET RBN Known Russian Business Network IP UDP (207) (emerging-rbn.rules)
2406414 - ET RBN Known Russian Business Network IP TCP (208) (emerging-rbn.rules)
2406415 - ET RBN Known Russian Business Network IP UDP (208) (emerging-rbn.rules)
2406416 - ET RBN Known Russian Business Network IP TCP (209) (emerging-rbn.rules)
2406417 - ET RBN Known Russian Business Network IP UDP (209) (emerging-rbn.rules)
2406418 - ET RBN Known Russian Business Network IP TCP (210) (emerging-rbn.rules)
2406419 - ET RBN Known Russian Business Network IP UDP (210) (emerging-rbn.rules)
2406420 - ET RBN Known Russian Business Network IP TCP (211) (emerging-rbn.rules)
2406421 - ET RBN Known Russian Business Network IP UDP (211) (emerging-rbn.rules)
2406422 - ET RBN Known Russian Business Network IP TCP (212) (emerging-rbn.rules)
2406423 - ET RBN Known Russian Business Network IP UDP (212) (emerging-rbn.rules)
2406424 - ET RBN Known Russian Business Network IP TCP (213) (emerging-rbn.rules)
2406425 - ET RBN Known Russian Business Network IP UDP (213) (emerging-rbn.rules)
2406426 - ET RBN Known Russian Business Network IP TCP (214) (emerging-rbn.rules)
2406427 - ET RBN Known Russian Business Network IP UDP (214) (emerging-rbn.rules)
2406428 - ET RBN Known Russian Business Network IP TCP (215) (emerging-rbn.rules)
2406429 - ET RBN Known Russian Business Network IP UDP (215) (emerging-rbn.rules)
2406430 - ET RBN Known Russian Business Network IP TCP (216) (emerging-rbn.rules)
2406431 - ET RBN Known Russian Business Network IP UDP (216) (emerging-rbn.rules)
2406432 - ET RBN Known Russian Business Network IP TCP (217) (emerging-rbn.rules)
2406433 - ET RBN Known Russian Business Network IP UDP (217) (emerging-rbn.rules)
2406434 - ET RBN Known Russian Business Network IP TCP (218) (emerging-rbn.rules)
2406435 - ET RBN Known Russian Business Network IP UDP (218) (emerging-rbn.rules)
2406436 - ET RBN Known Russian Business Network IP TCP (219) (emerging-rbn.rules)
2406437 - ET RBN Known Russian Business Network IP UDP (219) (emerging-rbn.rules)
2406438 - ET RBN Known Russian Business Network IP TCP (220) (emerging-rbn.rules)
2406439 - ET RBN Known Russian Business Network IP UDP (220) (emerging-rbn.rules)
2406440 - ET RBN Known Russian Business Network IP TCP (221) (emerging-rbn.rules)
2406441 - ET RBN Known Russian Business Network IP UDP (221) (emerging-rbn.rules)
2406442 - ET RBN Known Russian Business Network IP TCP (222) (emerging-rbn.rules)
2406443 - ET RBN Known Russian Business Network IP UDP (222) (emerging-rbn.rules)
2406444 - ET RBN Known Russian Business Network IP TCP (223) (emerging-rbn.rules)
2406445 - ET RBN Known Russian Business Network IP UDP (223) (emerging-rbn.rules)
2406446 - ET RBN Known Russian Business Network IP TCP (224) (emerging-rbn.rules)
2406447 - ET RBN Known Russian Business Network IP UDP (224) (emerging-rbn.rules)
2406448 - ET RBN Known Russian Business Network IP TCP (225) (emerging-rbn.rules)
2406449 - ET RBN Known Russian Business Network IP UDP (225) (emerging-rbn.rules)
2406450 - ET RBN Known Russian Business Network IP TCP (226) (emerging-rbn.rules)
2406451 - ET RBN Known Russian Business Network IP UDP (226) (emerging-rbn.rules)
2406452 - ET RBN Known Russian Business Network IP TCP (227) (emerging-rbn.rules)
2406453 - ET RBN Known Russian Business Network IP UDP (227) (emerging-rbn.rules)
2406454 - ET RBN Known Russian Business Network IP TCP (228) (emerging-rbn.rules)
2406455 - ET RBN Known Russian Business Network IP UDP (228) (emerging-rbn.rules)
2406456 - ET RBN Known Russian Business Network IP TCP (229) (emerging-rbn.rules)
2406457 - ET RBN Known Russian Business Network IP UDP (229) (emerging-rbn.rules)
2406458 - ET RBN Known Russian Business Network IP TCP (230) (emerging-rbn.rules)
2406459 - ET RBN Known Russian Business Network IP UDP (230) (emerging-rbn.rules)
2406460 - ET RBN Known Russian Business Network IP TCP (231) (emerging-rbn.rules)
2406461 - ET RBN Known Russian Business Network IP UDP (231) (emerging-rbn.rules)
2406462 - ET RBN Known Russian Business Network IP TCP (232) (emerging-rbn.rules)
2406463 - ET RBN Known Russian Business Network IP UDP (232) (emerging-rbn.rules)
2406464 - ET RBN Known Russian Business Network IP TCP (233) (emerging-rbn.rules)
2406465 - ET RBN Known Russian Business Network IP UDP (233) (emerging-rbn.rules)
2406466 - ET RBN Known Russian Business Network IP TCP (234) (emerging-rbn.rules)
2406467 - ET RBN Known Russian Business Network IP UDP (234) (emerging-rbn.rules)
2406468 - ET RBN Known Russian Business Network IP TCP (235) (emerging-rbn.rules)
2406469 - ET RBN Known Russian Business Network IP UDP (235) (emerging-rbn.rules)
2406470 - ET RBN Known Russian Business Network IP TCP (236) (emerging-rbn.rules)
2406471 - ET RBN Known Russian Business Network IP UDP (236) (emerging-rbn.rules)
2406472 - ET RBN Known Russian Business Network IP TCP (237) (emerging-rbn.rules)
2406473 - ET RBN Known Russian Business Network IP UDP (237) (emerging-rbn.rules)
2406474 - ET RBN Known Russian Business Network IP TCP (238) (emerging-rbn.rules)
2406475 - ET RBN Known Russian Business Network IP UDP (238) (emerging-rbn.rules)
2406476 - ET RBN Known Russian Business Network IP TCP (239) (emerging-rbn.rules)
2406477 - ET RBN Known Russian Business Network IP UDP (239) (emerging-rbn.rules)
2406478 - ET RBN Known Russian Business Network IP TCP (240) (emerging-rbn.rules)
2406479 - ET RBN Known Russian Business Network IP UDP (240) (emerging-rbn.rules)
2406480 - ET RBN Known Russian Business Network IP TCP (241) (emerging-rbn.rules)
2406481 - ET RBN Known Russian Business Network IP UDP (241) (emerging-rbn.rules)
2406482 - ET RBN Known Russian Business Network IP TCP (242) (emerging-rbn.rules)
2406483 - ET RBN Known Russian Business Network IP UDP (242) (emerging-rbn.rules)
2406484 - ET RBN Known Russian Business Network IP TCP (243) (emerging-rbn.rules)
2406485 - ET RBN Known Russian Business Network IP UDP (243) (emerging-rbn.rules)
2406486 - ET RBN Known Russian Business Network IP TCP (244) (emerging-rbn.rules)
2406487 - ET RBN Known Russian Business Network IP UDP (244) (emerging-rbn.rules)
2406488 - ET RBN Known Russian Business Network IP TCP (245) (emerging-rbn.rules)
2406489 - ET RBN Known Russian Business Network IP UDP (245) (emerging-rbn.rules)
2406490 - ET RBN Known Russian Business Network IP TCP (246) (emerging-rbn.rules)
2406491 - ET RBN Known Russian Business Network IP UDP (246) (emerging-rbn.rules)
2406492 - ET RBN Known Russian Business Network IP TCP (247) (emerging-rbn.rules)
2406493 - ET RBN Known Russian Business Network IP UDP (247) (emerging-rbn.rules)
2406494 - ET RBN Known Russian Business Network IP TCP (248) (emerging-rbn.rules)
2406495 - ET RBN Known Russian Business Network IP UDP (248) (emerging-rbn.rules)
2406496 - ET RBN Known Russian Business Network IP TCP (249) (emerging-rbn.rules)
2406497 - ET RBN Known Russian Business Network IP UDP (249) (emerging-rbn.rules)
2406498 - ET RBN Known Russian Business Network IP TCP (250) (emerging-rbn.rules)
2406499 - ET RBN Known Russian Business Network IP UDP (250) (emerging-rbn.rules)
2406500 - ET RBN Known Russian Business Network IP TCP (251) (emerging-rbn.rules)
2406501 - ET RBN Known Russian Business Network IP UDP (251) (emerging-rbn.rules)
2406502 - ET RBN Known Russian Business Network IP TCP (252) (emerging-rbn.rules)
2406503 - ET RBN Known Russian Business Network IP UDP (252) (emerging-rbn.rules)
2406504 - ET RBN Known Russian Business Network IP TCP (253) (emerging-rbn.rules)
2406505 - ET RBN Known Russian Business Network IP UDP (253) (emerging-rbn.rules)
2406506 - ET RBN Known Russian Business Network IP TCP (254) (emerging-rbn.rules)
2406507 - ET RBN Known Russian Business Network IP UDP (254) (emerging-rbn.rules)
2406508 - ET RBN Known Russian Business Network IP TCP (255) (emerging-rbn.rules)
2406509 - ET RBN Known Russian Business Network IP UDP (255) (emerging-rbn.rules)
2406510 - ET RBN Known Russian Business Network IP TCP (256) (emerging-rbn.rules)
2406511 - ET RBN Known Russian Business Network IP UDP (256) (emerging-rbn.rules)
2406512 - ET RBN Known Russian Business Network IP TCP (257) (emerging-rbn.rules)
2406513 - ET RBN Known Russian Business Network IP UDP (257) (emerging-rbn.rules)
2406514 - ET RBN Known Russian Business Network IP TCP (258) (emerging-rbn.rules)
2406515 - ET RBN Known Russian Business Network IP UDP (258) (emerging-rbn.rules)
2406516 - ET RBN Known Russian Business Network IP TCP (259) (emerging-rbn.rules)
2406517 - ET RBN Known Russian Business Network IP UDP (259) (emerging-rbn.rules)
2406518 - ET RBN Known Russian Business Network IP TCP (260) (emerging-rbn.rules)
2406519 - ET RBN Known Russian Business Network IP UDP (260) (emerging-rbn.rules)
2406520 - ET RBN Known Russian Business Network IP TCP (261) (emerging-rbn.rules)
2406521 - ET RBN Known Russian Business Network IP UDP (261) (emerging-rbn.rules)
2406522 - ET RBN Known Russian Business Network IP TCP (262) (emerging-rbn.rules)
2406523 - ET RBN Known Russian Business Network IP UDP (262) (emerging-rbn.rules)
2406524 - ET RBN Known Russian Business Network IP TCP (263) (emerging-rbn.rules)
2406525 - ET RBN Known Russian Business Network IP UDP (263) (emerging-rbn.rules)
2406526 - ET RBN Known Russian Business Network IP TCP (264) (emerging-rbn.rules)
2406527 - ET RBN Known Russian Business Network IP UDP (264) (emerging-rbn.rules)
2406528 - ET RBN Known Russian Business Network IP TCP (265) (emerging-rbn.rules)
2406529 - ET RBN Known Russian Business Network IP UDP (265) (emerging-rbn.rules)
2406530 - ET RBN Known Russian Business Network IP TCP (266) (emerging-rbn.rules)
2406531 - ET RBN Known Russian Business Network IP UDP (266) (emerging-rbn.rules)
2406532 - ET RBN Known Russian Business Network IP TCP (267) (emerging-rbn.rules)
2406533 - ET RBN Known Russian Business Network IP UDP (267) (emerging-rbn.rules)
2406534 - ET RBN Known Russian Business Network IP TCP (268) (emerging-rbn.rules)
2406535 - ET RBN Known Russian Business Network IP UDP (268) (emerging-rbn.rules)
2406536 - ET RBN Known Russian Business Network IP TCP (269) (emerging-rbn.rules)
2406537 - ET RBN Known Russian Business Network IP UDP (269) (emerging-rbn.rules)
2406538 - ET RBN Known Russian Business Network IP TCP (270) (emerging-rbn.rules)
2406539 - ET RBN Known Russian Business Network IP UDP (270) (emerging-rbn.rules)
2406540 - ET RBN Known Russian Business Network IP TCP (271) (emerging-rbn.rules)
2406541 -
ET RBN Known Russian Business Network IP UDP (271) (emerging-rbn.rules) 2406542 - ET RBN Known Russian Business Network IP TCP (272) (emerging-rbn.rules) 2406543 - ET RBN Known Russian Business Network IP UDP (272) (emerging-rbn.rules) 2406544 - ET RBN Known Russian Business Network IP TCP (273) (emerging-rbn.rules) 2406545 - ET RBN Known Russian Business Network IP UDP (273) (emerging-rbn.rules) 2406546 - ET RBN Known Russian Business Network IP TCP (274) (emerging-rbn.rules) 2406547 - ET RBN Known Russian Business Network IP UDP (274) (emerging-rbn.rules) 2406548 - ET RBN Known Russian Business Network IP TCP (275) (emerging-rbn.rules) 2406549 - ET RBN Known Russian Business Network IP UDP (275) (emerging-rbn.rules) 2406550 - ET RBN Known Russian Business Network IP TCP (276) (emerging-rbn.rules) 2406551 - ET RBN Known Russian Business Network IP UDP (276) (emerging-rbn.rules) 2406552 - ET RBN Known Russian Business Network IP TCP (277) (emerging-rbn.rules) 2406553 - ET RBN Known Russian Business Network IP UDP (277) (emerging-rbn.rules) 2406554 - ET RBN Known Russian Business Network IP TCP (278) (emerging-rbn.rules) 2406555 - ET RBN Known Russian Business Network IP UDP (278) (emerging-rbn.rules) 2406556 - ET RBN Known Russian Business Network IP TCP (279) (emerging-rbn.rules) 2406557 - ET RBN Known Russian Business Network IP UDP (279) (emerging-rbn.rules) 2406558 - ET RBN Known Russian Business Network IP TCP (280) (emerging-rbn.rules) 2406559 - ET RBN Known Russian Business Network IP UDP (280) (emerging-rbn.rules) 2406560 - ET RBN Known Russian Business Network IP TCP (281) (emerging-rbn.rules) 2406561 - ET RBN Known Russian Business Network IP UDP (281) (emerging-rbn.rules) 2406562 - ET RBN Known Russian Business Network IP TCP (282) (emerging-rbn.rules) 2406563 - ET RBN Known Russian Business Network IP UDP (282) (emerging-rbn.rules) 2406564 - ET RBN Known Russian Business Network IP TCP (283) (emerging-rbn.rules) 2406565 - ET RBN Known Russian Business 
Network IP UDP (283) (emerging-rbn.rules) 2406566 - ET RBN Known Russian Business Network IP TCP (284) (emerging-rbn.rules) 2406567 - ET RBN Known Russian Business Network IP UDP (284) (emerging-rbn.rules) 2406568 - ET RBN Known Russian Business Network IP TCP (285) (emerging-rbn.rules) 2406569 - ET RBN Known Russian Business Network IP UDP (285) (emerging-rbn.rules) 2406570 - ET RBN Known Russian Business Network IP TCP (286) (emerging-rbn.rules) 2406571 - ET RBN Known Russian Business Network IP UDP (286) (emerging-rbn.rules) 2406572 - ET RBN Known Russian Business Network IP TCP (287) (emerging-rbn.rules) 2406573 - ET RBN Known Russian Business Network IP UDP (287) (emerging-rbn.rules) 2406574 - ET RBN Known Russian Business Network IP TCP (288) (emerging-rbn.rules) 2406575 - ET RBN Known Russian Business Network IP UDP (288) (emerging-rbn.rules) 2406576 - ET RBN Known Russian Business Network IP TCP (289) (emerging-rbn.rules) 2406577 - ET RBN Known Russian Business Network IP UDP (289) (emerging-rbn.rules) 2406578 - ET RBN Known Russian Business Network IP TCP (290) (emerging-rbn.rules) 2406579 - ET RBN Known Russian Business Network IP UDP (290) (emerging-rbn.rules) 2406580 - ET RBN Known Russian Business Network IP TCP (291) (emerging-rbn.rules) 2406581 - ET RBN Known Russian Business Network IP UDP (291) (emerging-rbn.rules) 2406582 - ET RBN Known Russian Business Network IP TCP (292) (emerging-rbn.rules) 2406583 - ET RBN Known Russian Business Network IP UDP (292) (emerging-rbn.rules) 2406584 - ET RBN Known Russian Business Network IP TCP (293) (emerging-rbn.rules) 2406585 - ET RBN Known Russian Business Network IP UDP (293) (emerging-rbn.rules) 2406586 - ET RBN Known Russian Business Network IP TCP (294) (emerging-rbn.rules) 2406587 - ET RBN Known Russian Business Network IP UDP (294) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network IP TCP - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network IP UDP - 
BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network IP TCP - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network IP UDP - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network IP TCP - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network IP UDP - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network IP TCP - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network IP UDP - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network IP TCP - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network IP UDP - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network IP TCP - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network IP UDP - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network IP TCP - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network IP UDP - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network IP TCP - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network IP UDP - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network IP TCP - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network IP UDP - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network IP TCP - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network IP UDP - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network IP TCP - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network IP UDP - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407022 - ET 
RBN Known Russian Business Network IP TCP - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network IP UDP - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network IP TCP - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network IP UDP - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network IP TCP - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network IP UDP - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network IP TCP - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network IP UDP - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network IP TCP - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network IP UDP - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network IP TCP - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network IP UDP - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network IP TCP - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network IP UDP - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network IP TCP - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network IP UDP - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network IP TCP - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network IP UDP - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network IP TCP - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network IP UDP - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network IP 
TCP - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network IP UDP - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network IP TCP - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network IP UDP - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network IP TCP - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network IP UDP - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network IP TCP - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network IP UDP - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network IP TCP - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network IP UDP - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network IP TCP - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network IP UDP - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network IP TCP - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network IP UDP - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network IP TCP - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network IP UDP - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network IP TCP - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network IP UDP - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network IP TCP - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network IP UDP - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network IP TCP - BLOCKING (32) 
(emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network IP UDP - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network IP TCP - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network IP UDP - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network IP TCP - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network IP UDP - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network IP TCP - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network IP UDP - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network IP TCP - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network IP UDP - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network IP TCP - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network IP UDP - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network IP TCP - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network IP UDP - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network IP TCP - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network IP UDP - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network IP TCP - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network IP UDP - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network IP TCP - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network IP UDP - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network IP TCP - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407083 - ET 
RBN Known Russian Business Network IP UDP - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network IP TCP - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network IP UDP - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network IP TCP - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network IP UDP - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network IP TCP - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network IP UDP - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network IP TCP - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network IP UDP - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network IP TCP - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network IP UDP - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network IP TCP - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network IP UDP - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network IP TCP - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network IP UDP - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network IP TCP - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network IP UDP - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network IP TCP - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network IP UDP - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network IP TCP - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network IP 
UDP - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network IP TCP - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network IP UDP - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network IP TCP - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network IP UDP - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network IP TCP - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network IP UDP - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network IP TCP - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network IP UDP - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network IP TCP - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network IP UDP - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network IP TCP - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network IP UDP - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network IP TCP - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network IP UDP - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network IP TCP - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network IP UDP - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network IP TCP - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network IP UDP - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network IP TCP - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network IP UDP - BLOCKING (62) 
(emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network IP TCP - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network IP UDP - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network IP TCP - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network IP UDP - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network IP TCP - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network IP UDP - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network IP TCP - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network IP UDP - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network IP TCP - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network IP UDP - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network IP TCP - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network IP UDP - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network IP TCP - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network IP UDP - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network IP TCP - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network IP UDP - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network IP TCP - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network IP UDP - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network IP TCP - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network IP UDP - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407144 - ET 
RBN Known Russian Business Network IP TCP - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network IP UDP - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network IP TCP - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network IP UDP - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network IP TCP - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network IP UDP - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network IP TCP - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network IP UDP - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network IP TCP - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network IP UDP - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network IP TCP - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network IP UDP - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network IP TCP - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network IP UDP - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network IP TCP - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network IP UDP - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network IP TCP - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network IP UDP - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network IP TCP - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network IP UDP - BLOCKING (82) (emerging-rbn-BLOCK.