[Emerging-Sigs] Daily Ruleset Update Summary 10/12/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 12 19:04:53 EDT 2011


We have a very unusual update today: we're moving toward the ability to publish all of our rulesets on all platforms in two versions. Those versions will be the current classification scheme and the new, much more granular classification scheme. So to that end we've changed a lot on the backend, and the result is that today's ruleset change is large.

A large number of rules have a change in order. Previously classtype was before references, or before sid, in different places. But now they are all in a consistent place. So the rules that change only the order of classtype vs. references have not up'd rev (as there's no material change). So depending on your rule manager, you may have notes that many have changed, but only those noted below have any material changes.

So, we have Patch Tuesday coverage (delayed, unfortunately, because of the scale of these changes; our apologies).

26 new Open signatures, 29 new Pro signatures, for 55 total. And a small group of GPL sigs moved up to the new sid range.

[+++]          Added rules:          [+++]

 2013740 - ET TROJAN Zeus/Aeausuc P2P Variant Retrieving Peers List (trojan.rules)
 2013746 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3 (current_events.rules)
 2013747 - ET TROJAN Backdoor.Win32.Aldibot.A User-Agent (Aldi Bot) (trojan.rules)
 2013748 - ET TROJAN Backdoor.Win32.Aldibot.A Checkin (trojan.rules)
 2013749 - ET POLICY VMware User-Agent Outbound (policy.rules)
 2013750 - ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt (activex.rules)
 2013751 - ET TROJAN Possible German Governmental Backdoor/R2D2.A 1 (trojan.rules)
 2013752 - ET TROJAN Possible German Governmental Backdoor/R2D2.A 2 (trojan.rules)
 2013753 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2 (trojan.rules)
 2013754 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2 (trojan.rules)
 2013755 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1 (trojan.rules)
 2013756 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1 (trojan.rules)
 2013757 - ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1 (web_specific_apps.rules)
 2013758 - ET WEB_SPECIFIC_APPS Wordpress Zingiri webshop plugin Remote File inclusion Attempt (web_specific_apps.rules)
 2013759 - ET WEB_SPECIFIC_APPS Mambo AHS Shop component SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2013760 - ET WEB_SPECIFIC_APPS Mambo AHS Shop component DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2013761 - ET WEB_SPECIFIC_APPS Mambo AHS Shop component UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2013762 - ET WEB_SPECIFIC_APPS Mambo AHS Shop component INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2013763 - ET WEB_SPECIFIC_APPS Mambo AHS Shop component UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2013764 - ET WEB_SPECIFIC_APPS Joomla Redirect Component view Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2013765 - ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-2 (web_specific_apps.rules)
 2013766 - ET TROJAN Win32.Swisyn Reporting (trojan.rules)
 2013767 - ET TROJAN W32/Einstein CnC Checkin (trojan.rules)
 2013768 - ET TROJAN Win32.Dropper.Wlock Checkin (trojan.rules)
 2013769 - ET TROJAN Backdoor.Win32.Prosti Checkin (trojan.rules)
 2013770 - ET CURRENT_EVENTS USPS Spam/Trojan Executable Download (current_events.rules)

GPL sigs moved to their new range:
 2101311 - GPL INAPPROPRIATE hardcore anal (inappropriate.rules)
 2101313 - GPL INAPPROPRIATE up skirt (inappropriate.rules)
 2101315 - GPL INAPPROPRIATE hot young sex (inappropriate.rules)
 2101316 - GPL INAPPROPRIATE fuck fuck fuck (inappropriate.rules)
 2101317 - GPL INAPPROPRIATE anal sex (inappropriate.rules)
 2101318 - GPL INAPPROPRIATE hardcore rape (inappropriate.rules)
 2101320 - GPL INAPPROPRIATE fuck movies (inappropriate.rules)
 2101837 - GPL INAPPROPRIATE alt.binaries.pictures.tinygirls (inappropriate.rules)


And the Pro rules:
 2102403 - GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt (netbios.rules)
 2102404 - GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt (netbios.rules)
 2803830 - ETPRO TROJAN Win32/Comisproc Checkin (trojan.rules)
 2803831 - ETPRO MALWARE Adware.Win32/Clickspring.C Checkin (malware.rules)
 2803832 - ETPRO MALWARE Win32/Adware.GabPath.CB User-Agent (FPInstaller) (malware.rules)
 2803833 - ETPRO TROJAN TrojanDownloader.Win32/Small.XR Checkin (trojan.rules)
 2803834 - ETPRO TROJAN Win32/Isnup.B Checkin (trojan.rules)
 2803835 - ETPRO TROJAN Generic.Banker.OT.89A60848 Checkin (trojan.rules)
 2803836 - ETPRO TROJAN Win32.Cycbot-MM Checkin (trojan.rules)
 2803837 - ETPRO TROJAN Win32.Cycbot-MM Checkin 2 (trojan.rules)
 2803838 - ETPRO TROJAN Trojan-Downloader.Win32.Banload.bmvw Checkin (trojan.rules)
 2803839 - ETPRO MALWARE Adware.Win32/Gabpath User-Agent (BMRecover) (malware.rules)
 2803840 - ETPRO WEB_CLIENT Microsoft Active Accessibility oleacc.dll Insecure Library Loading Code Execution - WebDAV (web_client.rules)
 2803841 - ETPRO NETBIOS Microsoft Active Accessibility oleacc.dll Insecure Library Loading Code Execution - SMB ASCII (netbios.rules)
 2803842 - ETPRO NETBIOS Microsoft Active Accessibility oleacc.dll Insecure Library Loading Code Execution - SMB Unicode (netbios.rules)
 2803843 - ETPRO NETBIOS Microsoft Active Accessibility oleacc.dll Insecure Library Loading Code Execution - SMB-DS ASCII (netbios.rules)
 2803844 - ETPRO NETBIOS Microsoft Active Accessibility oleacc.dll Insecure Library Loading Code Execution - SMB-DS Unicode (netbios.rules)
 2803845 - ETPRO DOS Microsoft Forefront Unified Access Gateway DoS Attempt 1 (dos.rules)
 2803846 - ETPRO DOS Microsoft Forefront Unified Access Gateway DoS Attempt 2 (dos.rules)
 2803847 - ETPRO WEB_SERVER Microsoft Forefront Unified Access Gateway XSS Attempt (web_server.rules)
 2803848 - ETPRO WEB_SERVER Microsoft Forefront Unified Access Gateway XSS Attempt 2 (web_server.rules)
 2803849 - ETPRO WEB_SERVER Microsoft Forefront Unified Access Gateway XSS Attempt 3 (web_server.rules)
 2803850 - ETPRO ACTIVEX Microsoft Internet Explorer htmlfile ActiveX control instantiation (activex.rules)
 2803851 - ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via option element (web_client.rules)
 2803852 - ETPRO WEB_CLIENT Microsoft Internet Explorer use-after-free memory corruption (web_client.rules)
 2803853 - ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via option element 2 (web_client.rules)
 2803854 - ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via marquee element (web_client.rules)
 2803855 - ETPRO TROJAN Backdoor/Win32.Papras Checkin 2 (trojan.rules)
 2803856 - ETPRO TROJAN Trojan.Downloader.JOQI Checkin (trojan.rules)
 2803857 - ETPRO TROJAN Trojan.Win32.BHO.bn Checkin (trojan.rules)
 2803858 - ETPRO TROJAN Backdoor.Win32/Sodager.C Checkin (trojan.rules)

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
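The option reordering described in the post, as an added example that is not part of the original mailing-list message or of the Emerging Threats rulesets: a small Python checker that compares two revisions of a Snort/Suricata rule and ignores the position of metadata-only options (msg, reference, classtype, sid, rev, metadata, priority) while keeping detection options in their original order, so a rule manager can tell a cosmetic reorder from a material change. The sample rules, sid 9000001 and the example.invalid reference are constructed placeholders, not real ET signatures, and the METADATA_OPTIONS set is an assumption about which keywords are position-independent.

```python
"""Added example (not from the Emerging Threats post or rulesets): decide whether
a changed Snort/Suricata rule is a material change or only a reordering of
metadata options, so a rule manager does not alert on every cosmetic rewrite."""
import re

# Assumption: these keywords carry no detection meaning, so their position in
# the option list can be ignored. Everything else (content, pcre, flow, http_*,
# distance/within, ...) is order sensitive and is compared in original order.
METADATA_OPTIONS = {"msg", "reference", "classtype", "sid", "rev", "metadata", "priority"}

RULE_RE = re.compile(r"^(?P<header>[^(]+)\((?P<options>.*)\)\s*$", re.S)


def split_options(body):
    """Split the text between ( and ) into (keyword, value) pairs.
    A ';' inside a quoted string is part of the value, and a backslash escapes
    the next character inside quotes, so content:"a;b" stays one option."""
    opts, buf, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escape = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                opts.append(_split_kv(token))
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(_split_kv(tail))
    return opts


def _split_kv(token):
    key, sep, value = token.partition(":")
    return key.strip(), (value.strip() if sep else None)


def parse_rule(rule):
    """Return (normalised header, [(keyword, value), ...]) for one rule line."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule: %r" % rule)
    return " ".join(m.group("header").split()), split_options(m.group("options"))


def canonical(rule):
    """Header, detection options in original order, metadata options sorted."""
    header, opts = parse_rule(rule)
    detection = [kv for kv in opts if kv[0] not in METADATA_OPTIONS]
    metadata = sorted((kv for kv in opts if kv[0] in METADATA_OPTIONS),
                      key=lambda kv: (kv[0], kv[1] or ""))
    return header, detection, metadata


def get_option(rule, name):
    return next((v for k, v in parse_rule(rule)[1] if k == name), None)


def classify_change(old, new):
    """Classify the new text of a sid against the old text:
    identical        same text
    reordered        only option order changed, rev unchanged (the case in the post)
    rev-only         rev bumped but nothing else changed
    material         detection/header/metadata changed and rev was bumped
    material-no-rev  changed but rev not bumped: worth a look by the analyst"""
    def without_rev(c):
        return c[0], c[1], [kv for kv in c[2] if kv[0] != "rev"]
    same_logic = without_rev(canonical(old)) == without_rev(canonical(new))
    rev_bumped = get_option(old, "rev") != get_option(new, "rev")
    if same_logic:
        if old.strip() == new.strip():
            return "identical"
        return "rev-only" if rev_bumped else "reordered"
    return "material" if rev_bumped else "material-no-rev"


# Constructed sample rules; sid 9000001 and example.invalid are placeholders.
OLD = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE TROJAN Fake Checkin"; '
       'flow:established,to_server; content:"GET"; http_method; content:"/checkin.php?id="; http_uri; '
       'classtype:trojan-activity; reference:url,example.invalid/placeholder; sid:9000001; rev:1;)')
REORDERED = OLD.replace('classtype:trojan-activity; reference:url,example.invalid/placeholder;',
                        'reference:url,example.invalid/placeholder; classtype:trojan-activity;')
REV_ONLY = OLD.replace("rev:1;", "rev:2;")
MATERIAL = OLD.replace('http_uri;', 'http_uri; content:"User-Agent|3a| FakeAgent"; http_header;') \
              .replace("rev:1;", "rev:2;")
MATERIAL_NO_REV = OLD.replace('content:"GET";', 'content:"POST";')

if __name__ == "__main__":
    for label, new in [("reordered", REORDERED), ("rev-only", REV_ONLY),
                       ("material", MATERIAL), ("material-no-rev", MATERIAL_NO_REV)]:
        print("%-16s -> %s" % (label, classify_change(OLD, new)))
```

Run over an old and new copy of a ruleset keyed by sid, the "reordered" result is exactly the case the post describes (changed text, no rev bump, nothing material), while "material-no-rev" is the one a rule manager should surface for review rather than silently overwrite.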
