[Emerging-Sigs] Daily Ruleset Update Summary 10/24/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 24 14:48:08 EDT 2011


9 open sigs and 9 pro sigs. Enjoy!

[+++]          Added rules:          [+++]

 2013791 - ET SCAN Apache mod_proxy Reverse Proxy Exposure 1 (scan.rules)
 2013792 - ET SCAN Apache mod_proxy Reverse Proxy Exposure 2 (scan.rules)
 2013793 - ET TROJAN Dropper.Win32.Npkon Client Checkin (trojan.rules)
 2013794 - ET TROJAN Dropper.Win32.Npkon Server Responce (trojan.rules)
 2013795 - ET TROJAN W32/Bifrose User-Agent (chrome/9.0) (trojan.rules)
 2013796 - ET CURRENT_EVENTS W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG (current_events.rules)
 2013797 - ET TROJAN Win32.PEx.Delphi.307674628 Checkin (trojan.rules)
 2013798 - ET TROJAN Win32.PEx.Delphi.1151005043 Post-infection Checkin (trojan.rules)
 2013799 - ET TROJAN Win32.Trojan.SuspectCRC FakeAV Checkin (trojan.rules)

Moved from the GPL space and minor tweaks:
 2100975 - GPL EXPLOIT Alternate Data streams ASP file access attempt (exploit.rules)

Pro subscriber sigs:
 2803907 - ETPRO MOBILE_MALWARE LeNa Android Malware Checkin (mobile_malware.rules)
 2803908 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (StartDown) (mobile_malware.rules)
 2803909 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (DownOk) (mobile_malware.rules)
 2803910 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (INSTOK) (mobile_malware.rules)
 2803911 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (RUNOK) (mobile_malware.rules)
 2803912 - ETPRO POLICY SSL Certificate IRC GEEKS Likely Encrypted IRC or CnC (policy.rules)
 2803913 - ETPRO TROJAN Buzus/Graftor Checkin (trojan.rules)
 2803914 - ETPRO TROJAN Win32/Cycbot.G Checkin (trojan.rules)
 2803915 - ETPRO MALWARE Win32/Adware.OpenInstall Install (malware.rules)


[///]     Modified active rules:     [///]


Perf and Accuracy tweaks:
 2010157 - ET USER_AGENTS TROJAN Nanspy User-Agent (XXX) (user_agents.rules)
 2010975 - ET TROJAN Unruy Downloader Checkin (trojan.rules)
 2011469 - ET CURRENT_EVENTS MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit (current_events.rules)

Added .27 as vulnerable:
 2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)

Accuracy tweaks:
 2801632 - ETPRO SMTP Multiple Products STARTTLS Plaintext Command Injection (smtp.rules)
 2802962 - ETPRO TROJAN Win32.Qvod Checkin 2 (trojan.rules)


[///]    Modified inactive rules:    [///]

Added negate for UDP...
 2101620 - GPL POLICY TRAFFIC Non-Standard IP protocol (policy.rules)


[---]         Removed rules:         [---]

Moved to the new Sid space:
     975 - GPL EXPLOIT Alternate Data streams ASP file access attempt (exploit.rules)



----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------