[Emerging-Sigs] Daily Ruleset Update Summary 09/26/2014

rmkml rmkml at yahoo.fr
Sat Sep 27 15:11:50 EDT 2014


Thx Community and @EmergingTeam for sharing,

Could you check the typo (Possbile) in this sig, please?

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackEnergy Possbile SSL Cert Sept 26 2014"; flow:established,from_server; \
content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; \
content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; \
sid:2019282; rev:1;)

Discovered on http://etplc.org project update.

Regards
@Rmkml



On Fri, 26 Sep 2014, Francis Trudeau wrote:

> [***] Summary: [***]
>
> 18 new Open signatures, 29 new Pro.  More CVE-2014-6271, Dyre,
> Various Android, Nucom ADSL Cred disclosure, ZyXEL Cred disclosure.
>
> Thanks:  Livio Ricciulli, Packet Hack, @kafeine, @jaimeblascob, @abuse_ch.
>
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2019242 - ET TROJAN Linux/DDoS.M distributed via CVE-2014-6271
> Checkin (trojan.rules)
>  2019274 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014
> (current_events.rules)
>  2019275 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014
> (current_events.rules)
>  2019276 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014
> (current_events.rules)
>  2019277 - ET CURRENT_EVENTS Possible Upatre SSL Cert santa.my
> (current_events.rules)
>  2019278 - ET CURRENT_EVENTS Possible Upatre SSL Cert glynwedasia.com
> (current_events.rules)
>  2019279 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
> detected (TorrentLocker CnC) (trojan.rules)
>  2019280 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
> detected (TorrentLocker CnC) (trojan.rules)
>  2019281 - ET TROJAN BlackEnergy v2 POST Request (trojan.rules)
>  2019282 - ET CURRENT_EVENTS BlackEnergy Possbile SSL Cert Sept 26
> 2014 (current_events.rules)
>  2019283 - ET TROJAN BlackEnergy POST Request (trojan.rules)
>  2019284 - ET ATTACK_RESPONSE Output of id command from HTTP server
> (attack_response.rules)
>  2019285 - ET WEB_SERVER Possible bash shell piped to dev tcp Inbound
> to WebServer (web_server.rules)
>  2019286 - ET TROJAN Job314 EK Payload Checkin (trojan.rules)
>  2019287 - ET CURRENT_EVENTS DRIVEBY Job314 EK Landing (current_events.rules)
>  2019288 - ET CURRENT_EVENTS DRIVEBY Possible Job314 EK JAR URI
> Struct (current_events.rules)
>  2019289 - ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP
> Proxy (exploit.rules)
>  2019290 - ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP
> Proxy (exploit.rules)
>
>  Pro:
>
>  2808896 - ETPRO EXPLOIT All In One WP Security WordPress Plugin
> Possible SQL Injection Attempt (exploit.rules)
>  2808897 - ETPRO MOBILE_MALWARE AndroidOS.Ifacefone.A Checkin
> (mobile_malware.rules)
>  2808898 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.v Checkin
> (mobile_malware.rules)
>  2808899 - ETPRO TROJAN Win32/Spy.Zbot.ACB SSL Cert (trojan.rules)
>  2808900 - ETPRO TROJAN Likely Trojan-Ransom.Win32.Foreign.lefc
> .onion Proxy DNS lookup (trojan.rules)
>  2808901 - ETPRO POLICY Likely icanhazip.com IP lookup over SSL (policy.rules)
>  2808902 - ETPRO TROJAN Win32/Rustock.G Checkin (trojan.rules)
>  2808903 - ETPRO EXPLOIT Nucom ADSL ADSLR5000UN ISP Credential
> Disclosure Attempt (exploit.rules)
>  2808904 - ETPRO EXPLOIT ZyXEL Prestig P-660HNU-T1v2 Credential
> Disclosure Attempt (exploit.rules)
>  2808905 - ETPRO TROJAN Win32/Xorer.O Checkin (trojan.rules)
>  2808906 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Maxit.a Checkin
> (mobile_malware.rules)
>
>
> [+++]  Enabled and modified rules:   [+++]
>
>  2019244 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 1 (web_server.rules)
>  2019245 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 2 (web_server.rules)
>  2019246 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 3 (web_server.rules)
>  2019247 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 4 (web_server.rules)
>  2019248 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 5 (web_server.rules)
>  2019249 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 6 (web_server.rules)
>  2019250 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 7 (web_server.rules)
>  2019251 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 8 (web_server.rules)
>  2019252 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 9 (web_server.rules)
>  2019253 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 10 (web_server.rules)
>  2019254 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 11 (web_server.rules)
>  2019255 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 12 (web_server.rules)
>  2019256 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 13 (web_server.rules)
>  2019257 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 14 (web_server.rules)
>  2019258 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 15 (web_server.rules)
>  2019259 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 16 (web_server.rules)
>  2019260 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 17 (web_server.rules)
>  2019261 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 18 (web_server.rules)
>  2019262 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 19 (web_server.rules)
>  2019263 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 20 (web_server.rules)
>  2019264 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 21 (web_server.rules)
>  2019265 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 22 (web_server.rules)
>  2019266 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 23 (web_server.rules)
>  2019267 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 24 (web_server.rules)
>  2019268 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 25 (web_server.rules)
>  2019269 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 26 (web_server.rules)
>  2019270 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 27 (web_server.rules)
>  2019271 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 28 (web_server.rules)
>  2019272 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 29 (web_server.rules)
>  2019273 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
> URLENCODE Generic 30 (web_server.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2019181 - ET CURRENT_EVENTS Possible Android CVE-2014-6041
> (current_events.rules)
>  2019243 - ET TROJAN Infostealer.Boleteiro checking stolen boleto
> payment information (trojan.rules)
>  2805260 - ETPRO TROJAN Trojan.Win32.Jorik.Yoddos.no Checkin (trojan.rules)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
>
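The content chain of the BlackEnergy cert rule quoted at the top of this thread (sid:2019282) is easier to reason about with a small matcher that walks the chain the way a content engine would. The Python below is an added example for this thread, not Emerging Threats, Snort or Suricata code. It assumes the usual relative-content semantics (distance:N starts the next search N bytes after the previous match ends; within:M requires the next pattern to end no more than M bytes after that start, so within:12 fits exactly the 12-byte `|0b|5.79.80.166` pattern), retries earlier matches when a later content fails, and runs against a constructed, minimal Certificate-handshake-like byte string, not a real capture. `build_sample_record`, `parse_chain` and `match_chain` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Option string of sid:2019282 as quoted in the thread; only content, distance
# and within are interpreted here, every other keyword is skipped.
RULE_OPTIONS = (
    'content:"|16|"; content:"|0b|"; within:8; '
    'content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; '
    'content:"|55 04 03|"; distance:0; '
    'content:"|0b|5.79.80.166"; distance:1; within:12;'
)


@dataclass
class Content:
    pattern: bytes
    distance: Optional[int] = None
    within: Optional[int] = None

    @property
    def relative(self) -> bool:
        # distance/within make a content relative to the previous match
        return self.distance is not None or self.within is not None


def decode_pattern(text: str) -> bytes:
    """Decode a content string: runs between | | are hex bytes, the rest is ASCII."""
    out = bytearray()
    for idx, part in enumerate(text.split("|")):
        if idx % 2 == 1:
            out += bytes.fromhex(part)  # fromhex tolerates the spaces between bytes
        else:
            out += part.encode("ascii")
    return bytes(out)


# keyword, optional :value (quoted or bare), terminating semicolon
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_chain(options: str) -> List[Content]:
    """Build the ordered content chain; distance/within attach to the last content."""
    chain: List[Content] = []
    for key, val in OPTION_RE.findall(options):
        if key == "content":
            chain.append(Content(decode_pattern(val.strip().strip('"'))))
        elif key in ("distance", "within") and chain:
            setattr(chain[-1], key, int(val))
    return chain


def match_chain(payload: bytes, chain: List[Content], i: int = 0,
                prev_end: int = 0) -> Optional[List[Tuple[int, int]]]:
    """Return (start, end) of every content match in order, or None.

    Assumed semantics for relative contents: the search starts `distance` bytes
    after the previous match end and the pattern must end no later than `within`
    bytes after that start. Earlier matches are retried (backtracking) when a
    later content fails. The first, non-relative content searches the whole buffer.
    """
    if i == len(chain):
        return []
    c = chain[i]
    if c.relative:
        start = prev_end + (c.distance or 0)
        stop = start + c.within if c.within is not None else len(payload)
    else:
        start, stop = 0, len(payload)
    pos = payload.find(c.pattern, start, stop)  # match must lie inside [start, stop)
    while pos != -1:
        end = pos + len(c.pattern)
        rest = match_chain(payload, chain, i + 1, end)
        if rest is not None:
            return [(pos, end)] + rest
        pos = payload.find(c.pattern, pos + 1, stop)
    return None


def build_sample_record(cn: bytes = b"5.79.80.166") -> bytes:
    """Constructed, minimal Certificate-handshake-like bytes (NOT a real capture),
    laid out so each clause of the rule has something to hit: record type 0x16,
    handshake type 0x0b, the serial bytes, the commonName OID 55 04 03, then a
    one-byte string tag, the length byte 0x0b and the 11-byte CN."""
    serial = bytes.fromhex("09008891e8ca54bb7d10")
    subject_cn = b"\x55\x04\x03" + b"\x13" + bytes([len(cn)]) + cn
    body = b"\x00" * 20 + serial + b"\x30\x0d" + subject_cn
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def rule_hits(payload: bytes) -> bool:
    """True when the full content chain of sid:2019282 matches the payload."""
    return match_chain(payload, parse_chain(RULE_OPTIONS)) is not None


if __name__ == "__main__":
    print(match_chain(build_sample_record(), parse_chain(RULE_OPTIONS)))
    print(rule_hits(build_sample_record(b"5.79.80.167")))
```

Changing the last clause to within:11 makes the chain fail on the same bytes, which is the quickest way to confirm that within is counted from the post-distance start in the engine you run before trusting a rule that sizes within exactly to its pattern.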