[Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary 10/5/2011

Kevin Ross kevross33 at googlemail.com
Wed Oct 5 10:52:40 EDT 2011


byte_extract is Snort 2.9.X only, so if it goes to other Snort versions another method of matching it accurately needs to be found, if it can be done.


On 5 October 2011 15:35, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:

> I agree! We're pushing on it, it'll go out in some form today.
>
> The holdup was on all engines though, but I think the fix is imminent!
>
> Matt
>
> On Oct 5, 2011, at 10:22 AM, Martin Holste wrote:
>
> > Ok, well the infected hosts this sig finds keep rolling in, so I am
> > making a plea to get this out to at least Suricata/Snort 2.9.1 today
> > if you don't find a pan-Snort solution.
> >
> > On Wed, Oct 5, 2011 at 9:08 AM, Matthew Jonkman
> > <jonkman at emergingthreatspro.com> wrote:
> >> I tried, but we busted it. :)
> >>
> >> Pedro is working out a way to fix, and to do it on multiple platforms... It'll be out today assuming we solve the issue!
> >>
> >> Good news is we have about 30 other similar samples in sandnetting, so we have a good base of data to work from.
> >>
> >> Matt
> >>
> >>
> >> On Oct 5, 2011, at 9:33 AM, Martin Holste wrote:
> >>
> >>> I thought you were posting my UDP rule, but I don't see it in here.
> >>>
> >>> On Wed, Oct 5, 2011 at 12:17 AM, Matthew Jonkman
> >>> <jonkman at emergingthreatspro.com> wrote:
> >>>> 35 new rules total. 13 in the Open ruleset and 20 in Pro.
> >>>>
> >>>> Enjoy!
> >>>>
> >>>> We have new SCADA, Loads of good stuff today.
> >>>>
> >>>> [+++]          Added rules:          [+++]
> >>>>
> >>>>  2013730 - ET SCADA PcVue Activex Control Insecure method (AddPage) (scada.rules)
> >>>>  2013731 - ET SCADA PcVue Activex Control Insecure method (DeletePage) (scada.rules)
> >>>>  2013732 - ET SCADA PcVue Activex Control Insecure method (SaveObject) (scada.rules)
> >>>>  2013733 - ET SCADA PcVue Activex Control Insecure method (LoadObject) (scada.rules)
> >>>>  2013734 - ET SCADA PcVue Activex Control Insecure method (GetExtendedColor) (scada.rules)
> >>>>  2013735 - ET SCADA Sunway ForceControl Activex Control Vulnerability (scada.rules)
> >>>>  2013736 - ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2 (scada.rules)
> >>>>  2013737 - ET TROJAN Suspicious User-Agent (GenericHttp/VER_STR_COMMA) (trojan.rules)
> >>>>  2013738 - ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt (web_specific_apps.rules)
> >>>>  2013740 - ET CURRENT_EVENTS Zeus Variant Post to CnC Server (current_events.rules)
> >>>>  2013741 - ET TROJAN Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin (trojan.rules)
> >>>>  2013742 - ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt (web_client.rules)
> >>>>  2013743 - ET DNS Query for a Suspicious no-ip Dynamic DNS Domain (dns.rules)
> >>>>  2013744 - ET TROJAN HTTP Request to no-ip Dynamic DNS Domain (trojan.rules)
> >>>>  2013745 - ET TROJAN Double HTTP/1.1 Header Likely Hostile Traffic (trojan.rules)
> >>>>
> >>>> Pro rules:
> >>>>
> >>>>  2803791 - ETPRO TROJAN Win32/Plingky.A Checkin (trojan.rules)
> >>>>  2803792 - ETPRO TROJAN Trojan.Generic.KDV.367757 Checkin (trojan.rules)
> >>>>  2803793 - ETPRO TROJAN Virus.Win32.CrazyPrier.A Checkin (trojan.rules)
> >>>>  2803794 - ETPRO TROJAN Trojan.Win32.OddJob.A Checkin 3 (trojan.rules)
> >>>>  2803795 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 1 (trojan.rules)
> >>>>  2803796 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 1 (trojan.rules)
> >>>>  2803797 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 2 (trojan.rules)
> >>>>  2803798 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 2 (trojan.rules)
> >>>>  2803799 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 3 (trojan.rules)
> >>>>  2803800 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 3 (trojan.rules)
> >>>>  2803801 - ETPRO ACTIVEX PIPI Player PIPIWebPlayer ActiveX Control Buffer Overflow (activex.rules)
> >>>>  2803802 - ETPRO POLICY PIPIWebPlayer User-Agent (PIPIPlayer) (policy.rules)
> >>>>  2803803 - ETPRO POLICY PIPIWebPlayer User-Agent (jfCacheMgr) (policy.rules)
> >>>>  2803804 - ETPRO POLICY Games Site lava.cn User-Agent (DDVInstall) (policy.rules)
> >>>>  2803805 - ETPRO TROJAN Win32/Hermes.B@mm User-Agent (Hermes) (trojan.rules)
> >>>>  2803806 - ETPRO TROJAN Variant.Buzy.4001 Checkin (trojan.rules)
> >>>>  2803807 - ETPRO TROJAN Win32/Sefnit.O Checkin (trojan.rules)
> >>>>  2803808 - ETPRO TROJAN Worm.Win32/Chiviper.A Checkin (trojan.rules)
> >>>>  2803809 - ETPRO MALWARE Win32/Adware.GabPath.BM User-Agent (Blammi) (malware.rules)
> >>>>  2803810 - ETPRO TROJAN Win32/Unruy.R Checkin (trojan.rules)
> >>>>
> >>>>
> >>>>
> >>>> [///]     Modified active rules:     [///]
> >>>>
> >>>>  2008049 - ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin (trojan.rules)
> >>>>  2011996 - ET TROJAN Darkness DDoS Bot Checkin (trojan.rules)
> >>>>  2013376 - ET TROJAN W32/Nolja Trojan User-Agent (FileNolja) (trojan.rules)
> >>>>
> >>>>  2803364 - ETPRO TROJAN Win32/Sefnit.L Checkin (trojan.rules)
> >>>>
> >>>>
> >>>> [---]         Removed rules:         [---]
> >>>>
> >>>> Just renaming:
> >>>>  2801670 - ETPRO TROJAN Backdoor.Win32.Dtd.A Checkin (trojan.rules)
> >>>>  2803162 - ETPRO TROJAN Win32/Sefnit Checkin (trojan.rules)
> >>>>
> >>>> ----------------------------------------------------
> >>>> Matt Jonkman
> >>>> Emerging Threats Pro
> >>>> Open Information Security Foundation (OISF)
> >>>> Phone 866-504-2523 x110
> >>>> http://www.emergingthreatspro.com
> >>>> http://www.openinfosecfoundation.org
> >>>> ----------------------------------------------------
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Etpro-sigs mailing list
> >>>> Etpro-sigs at emergingthreatspro.com
> >>>> http://lists.emergingthreatspro.com/mailman/listinfo/etpro-sigs
> >>>>
> >>>>
> >>> _______________________________________________
> >>> Emerging-sigs mailing list
> >>> Emerging-sigs at emergingthreats.net
> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> >>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!