[Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary 10/5/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 5 10:35:21 EDT 2011


I agree! We're pushing on it, it'll go out in some form today.

The holdup was on all engines though, but I think the fix is imminent!

Matt

On Oct 5, 2011, at 10:22 AM, Martin Holste wrote:

> Ok, well the infected hosts this sig finds keep rolling in, so I am
> making a plea to get this out to at least Suricata/Snort 2.9.1 today
> if you don't find a pan-Snort solution.
> 
> On Wed, Oct 5, 2011 at 9:08 AM, Matthew Jonkman
> <jonkman at emergingthreatspro.com> wrote:
>> I tried, but we busted it. :)
>> 
>> Pedro is working out a way to fix, and to do it on multiple platforms... It'll be out today assuming we solve the issue!
>> 
>> Good news is we have about 30 other similar samples in sandnetting, so we have a good base of data to work from.
>> 
>> Matt
>> 
>> 
>> On Oct 5, 2011, at 9:33 AM, Martin Holste wrote:
>> 
>>> I thought you were posting my UDP rule, but I don't see it in here.
>>> 
>>> On Wed, Oct 5, 2011 at 12:17 AM, Matthew Jonkman
>>> <jonkman at emergingthreatspro.com> wrote:
>>>> 35 new rules total. 13 in the Open ruleset and 20 in Pro.
>>>> 
>>>> Enjoy!
>>>> 
>>>> We have new SCADA. Loads of good stuff today.
>>>> 
>>>> [+++]          Added rules:          [+++]
>>>> 
>>>>  2013730 - ET SCADA PcVue Activex Control Insecure method (AddPage) (scada.rules)
>>>>  2013731 - ET SCADA PcVue Activex Control Insecure method (DeletePage) (scada.rules)
>>>>  2013732 - ET SCADA PcVue Activex Control Insecure method (SaveObject) (scada.rules)
>>>>  2013733 - ET SCADA PcVue Activex Control Insecure method (LoadObject) (scada.rules)
>>>>  2013734 - ET SCADA PcVue Activex Control Insecure method (GetExtendedColor) (scada.rules)
>>>>  2013735 - ET SCADA Sunway ForceControl Activex Control Vulnerability (scada.rules)
>>>>  2013736 - ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2 (scada.rules)
>>>>  2013737 - ET TROJAN Suspicious User-Agent (GenericHttp/VER_STR_COMMA) (trojan.rules)
>>>>  2013738 - ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt (web_specific_apps.rules)
>>>>  2013740 - ET CURRENT_EVENTS Zeus Variant Post to CnC Server (current_events.rules)
>>>>  2013741 - ET TROJAN Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin (trojan.rules)
>>>>  2013742 - ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt (web_client.rules)
>>>>  2013743 - ET DNS Query for a Suspicious no-ip Dynamic DNS Domain (dns.rules)
>>>>  2013744 - ET TROJAN HTTP Request to no-ip Dynamic DNS Domain (trojan.rules)
>>>>  2013745 - ET TROJAN Double HTTP/1.1 Header Likely Hostile Traffic (trojan.rules)
>>>> 
>>>> Pro rules:
>>>> 
>>>>  2803791 - ETPRO TROJAN Win32/Plingky.A Checkin (trojan.rules)
>>>>  2803792 - ETPRO TROJAN Trojan.Generic.KDV.367757 Checkin (trojan.rules)
>>>>  2803793 - ETPRO TROJAN Virus.Win32.CrazyPrier.A Checkin (trojan.rules)
>>>>  2803794 - ETPRO TROJAN Trojan.Win32.OddJob.A Checkin 3 (trojan.rules)
>>>>  2803795 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 1 (trojan.rules)
>>>>  2803796 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 1 (trojan.rules)
>>>>  2803797 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 2 (trojan.rules)
>>>>  2803798 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 2 (trojan.rules)
>>>>  2803799 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 3 (trojan.rules)
>>>>  2803800 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 3 (trojan.rules)
>>>>  2803801 - ETPRO ACTIVEX PIPI Player PIPIWebPlayer ActiveX Control Buffer Overflow (activex.rules)
>>>>  2803802 - ETPRO POLICY PIPIWebPlayer User-Agent (PIPIPlayer) (policy.rules)
>>>>  2803803 - ETPRO POLICY PIPIWebPlayer User-Agent (jfCacheMgr) (policy.rules)
>>>>  2803804 - ETPRO POLICY Games Site lava.cn User-Agent (DDVInstall) (policy.rules)
>>>>  2803805 - ETPRO TROJAN Win32/Hermes.B at mm User-Agent (Hermes) (trojan.rules)
>>>>  2803806 - ETPRO TROJAN Variant.Buzy.4001 Checkin (trojan.rules)
>>>>  2803807 - ETPRO TROJAN Win32/Sefnit.O Checkin (trojan.rules)
>>>>  2803808 - ETPRO TROJAN Worm.Win32/Chiviper.A Checkin (trojan.rules)
>>>>  2803809 - ETPRO MALWARE Win32/Adware.GabPath.BM User-Agent (Blammi) (malware.rules)
>>>>  2803810 - ETPRO TROJAN Win32/Unruy.R Checkin (trojan.rules)
>>>> 
>>>> 
>>>> 
>>>> [///]     Modified active rules:     [///]
>>>> 
>>>>  2008049 - ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin (trojan.rules)
>>>>  2011996 - ET TROJAN Darkness DDoS Bot Checkin (trojan.rules)
>>>>  2013376 - ET TROJAN W32/Nolja Trojan User-Agent (FileNolja) (trojan.rules)
>>>> 
>>>>  2803364 - ETPRO TROJAN Win32/Sefnit.L Checkin (trojan.rules)
>>>> 
>>>> 
>>>> [---]         Removed rules:         [---]
>>>> 
>>>> Just renaming:
>>>>  2801670 - ETPRO TROJAN Backdoor.Win32.Dtd.A Checkin (trojan.rules)
>>>>  2803162 - ETPRO TROJAN Win32/Sefnit Checkin (trojan.rules)
>>>> 
>>>> ----------------------------------------------------
>>>> Matt Jonkman
>>>> Emerging Threats Pro
>>>> Open Information Security Foundation (OISF)
>>>> Phone 866-504-2523 x110
>>>> http://www.emergingthreatspro.com
>>>> http://www.openinfosecfoundation.org
>>>> ----------------------------------------------------
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Etpro-sigs mailing list
>>>> Etpro-sigs at emergingthreatspro.com
>>>> http://lists.emergingthreatspro.com/mailman/listinfo/etpro-sigs
>>>> 
>>>> 
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> 
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!