[Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary 10/5/2011

Martin Holste mcholste at gmail.com
Wed Oct 5 10:22:03 EDT 2011


Ok, well the infected hosts this sig finds keep rolling in, so I am
making a plea to get this out to at least Suricata/Snort 2.9.1 today
if you don't find a pan-Snort solution.

On Wed, Oct 5, 2011 at 9:08 AM, Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:
> I tried, but we busted it. :)
>
> Pedro is working out a way to fix, and to do it on multiple platforms…. It'll be out today assuming we solve the issue!
>
> Good news is we have about 30 other similar samples in sandnetting, so we have a good base of data to work from.
>
> Matt
>
>
> On Oct 5, 2011, at 9:33 AM, Martin Holste wrote:
>
>> I thought you were posting my UDP rule, but I don't see it in here.
>>
>> On Wed, Oct 5, 2011 at 12:17 AM, Matthew Jonkman
>> <jonkman at emergingthreatspro.com> wrote:
>>> 35 new rules total. 13 in the Open ruleset and 20 in Pro.
>>>
>>> Enjoy!
>>>
>>> We have new SCADA, loads of good stuff today.
>>>
>>> [+++]         Added rules:          [+++]
>>>
>>>  2013730 - ET SCADA PcVue Activex Control Insecure method (AddPage) (scada.rules)
>>>  2013731 - ET SCADA PcVue Activex Control Insecure method (DeletePage) (scada.rules)
>>>  2013732 - ET SCADA PcVue Activex Control Insecure method (SaveObject) (scada.rules)
>>>  2013733 - ET SCADA PcVue Activex Control Insecure method (LoadObject) (scada.rules)
>>>  2013734 - ET SCADA PcVue Activex Control Insecure method (GetExtendedColor) (scada.rules)
>>>  2013735 - ET SCADA Sunway ForceControl Activex Control Vulnerability (scada.rules)
>>>  2013736 - ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2 (scada.rules)
>>>  2013737 - ET TROJAN Suspicious User-Agent (GenericHttp/VER_STR_COMMA) (trojan.rules)
>>>  2013738 - ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt (web_specific_apps.rules)
>>>  2013740 - ET CURRENT_EVENTS Zeus Variant Post to CnC Server (current_events.rules)
>>>  2013741 - ET TROJAN Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin (trojan.rules)
>>>  2013742 - ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt (web_client.rules)
>>>  2013743 - ET DNS Query for a Suspicious no-ip Dynamic DNS Domain (dns.rules)
>>>  2013744 - ET TROJAN HTTP Request to no-ip Dynamic DNS Domain (trojan.rules)
>>>  2013745 - ET TROJAN Double HTTP/1.1 Header Likely Hostile Traffic (trojan.rules)
>>>
>>> Pro rules:
>>>
>>>  2803791 - ETPRO TROJAN Win32/Plingky.A Checkin (trojan.rules)
>>>  2803792 - ETPRO TROJAN Trojan.Generic.KDV.367757 Checkin (trojan.rules)
>>>  2803793 - ETPRO TROJAN Virus.Win32.CrazyPrier.A Checkin (trojan.rules)
>>>  2803794 - ETPRO TROJAN Trojan.Win32.OddJob.A Checkin 3 (trojan.rules)
>>>  2803795 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 1 (trojan.rules)
>>>  2803796 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 1 (trojan.rules)
>>>  2803797 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 2 (trojan.rules)
>>>  2803798 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 2 (trojan.rules)
>>>  2803799 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 3 (trojan.rules)
>>>  2803800 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 3 (trojan.rules)
>>>  2803801 - ETPRO ACTIVEX PIPI Player PIPIWebPlayer ActiveX Control Buffer Overflow (activex.rules)
>>>  2803802 - ETPRO POLICY PIPIWebPlayer User-Agent (PIPIPlayer) (policy.rules)
>>>  2803803 - ETPRO POLICY PIPIWebPlayer User-Agent (jfCacheMgr) (policy.rules)
>>>  2803804 - ETPRO POLICY Games Site lava.cn User-Agent (DDVInstall) (policy.rules)
>>>  2803805 - ETPRO TROJAN Win32/Hermes.B at mm User-Agent (Hermes) (trojan.rules)
>>>  2803806 - ETPRO TROJAN Variant.Buzy.4001 Checkin (trojan.rules)
>>>  2803807 - ETPRO TROJAN Win32/Sefnit.O Checkin (trojan.rules)
>>>  2803808 - ETPRO TROJAN Worm.Win32/Chiviper.A Checkin (trojan.rules)
>>>  2803809 - ETPRO MALWARE Win32/Adware.GabPath.BM User-Agent (Blammi) (malware.rules)
>>>  2803810 - ETPRO TROJAN Win32/Unruy.R Checkin (trojan.rules)
>>>
>>>
>>>
>>> [///]     Modified active rules:     [///]
>>>
>>>  2008049 - ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin (trojan.rules)
>>>  2011996 - ET TROJAN Darkness DDoS Bot Checkin (trojan.rules)
>>>  2013376 - ET TROJAN W32/Nolja Trojan User-Agent (FileNolja) (trojan.rules)
>>>
>>>  2803364 - ETPRO TROJAN Win32/Sefnit.L Checkin (trojan.rules)
>>>
>>>
>>> [---]         Removed rules:         [---]
>>>
>>> Just renaming:
>>>  2801670 - ETPRO TROJAN Backdoor.Win32.Dtd.A Checkin (trojan.rules)
>>>  2803162 - ETPRO TROJAN Win32/Sefnit Checkin (trojan.rules)
>>>
>>> ----------------------------------------------------
>>> Matt Jonkman
>>> Emerging Threats Pro
>>> Open Information Security Foundation (OISF)
>>> Phone 866-504-2523 x110
>>> http://www.emergingthreatspro.com
>>> http://www.openinfosecfoundation.org
>>> ----------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> Etpro-sigs mailing list
>>> Etpro-sigs at emergingthreatspro.com
>>> http://lists.emergingthreatspro.com/mailman/listinfo/etpro-sigs
>>>
>>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>