[Emerging-Sigs] Daily Ruleset Update Summary 09/26/2014

Darien Huss dhuss at emergingthreats.net
Sat Sep 27 15:15:53 EDT 2014


Thanks Rmkml, we'll get that fixed on Monday.

Regards,
Darien
On Sep 27, 2014 3:14 PM, "rmkml" <rmkml at yahoo.fr> wrote:

> Thx Community and @EmergingTeam for sharing,
>
> Could you check the typo (Possbile) in this sig please?
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> BlackEnergy Possbile SSL Cert Sept 26 2014"; flow:established,from_server;
> content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb
> 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0;
> content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,
> 1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282;
> rev:1;)
>
> Discovered on http://etplc.org project update.
>
> Regards
> @Rmkml
>
>
>
> On Fri, 26 Sep 2014, Francis Trudeau wrote:
>
>>  [***] Summary: [***]
>>
>> 18 new Open signatures, 29 new Pro.  More CVE-2014-6271, Dyre,
>> Various Android, Nucom ADSL Cred disclosure, ZyXEL Cred disclosure.
>>
>> Thanks:  Livio Ricciulli, Packet Hack, @kafeine, @jaimeblascob, @abuse_ch.
>>
>>
>> [+++]          Added rules:          [+++]
>>
>> Open:
>>
>>  2019242 - ET TROJAN Linux/DDoS.M distributed via CVE-2014-6271
>> Checkin (trojan.rules)
>>  2019274 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014
>> (current_events.rules)
>>  2019275 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014
>> (current_events.rules)
>>  2019276 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014
>> (current_events.rules)
>>  2019277 - ET CURRENT_EVENTS Possible Upatre SSL Cert santa.my
>> (current_events.rules)
>>  2019278 - ET CURRENT_EVENTS Possible Upatre SSL Cert glynwedasia.com
>> (current_events.rules)
>>  2019279 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
>> detected (TorrentLocker CnC) (trojan.rules)
>>  2019280 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
>> detected (TorrentLocker CnC) (trojan.rules)
>>  2019281 - ET TROJAN BlackEnergy v2 POST Request (trojan.rules)
>>  2019282 - ET CURRENT_EVENTS BlackEnergy Possbile SSL Cert Sept 26
>> 2014 (current_events.rules)
>>  2019283 - ET TROJAN BlackEnergy POST Request (trojan.rules)
>>  2019284 - ET ATTACK_RESPONSE Output of id command from HTTP server
>> (attack_response.rules)
>>  2019285 - ET WEB_SERVER Possible bash shell piped to dev tcp Inbound
>> to WebServer (web_server.rules)
>>  2019286 - ET TROJAN Job314 EK Payload Checkin (trojan.rules)
>>  2019287 - ET CURRENT_EVENTS DRIVEBY Job314 EK Landing
>> (current_events.rules)
>>  2019288 - ET CURRENT_EVENTS DRIVEBY Possible Job314 EK JAR URI
>> Struct (current_events.rules)
>>  2019289 - ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP
>> Proxy (exploit.rules)
>>  2019290 - ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP
>> Proxy (exploit.rules)
>>
>> Pro:
>>
>>  2808896 - ETPRO EXPLOIT All In One WP Security WordPress Plugin
>> Possible SQL Injection Attempt (exploit.rules)
>>  2808897 - ETPRO MOBILE_MALWARE AndroidOS.Ifacefone.A Checkin
>> (mobile_malware.rules)
>>  2808898 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.v Checkin
>> (mobile_malware.rules)
>>  2808899 - ETPRO TROJAN Win32/Spy.Zbot.ACB SSL Cert (trojan.rules)
>>  2808900 - ETPRO TROJAN Likely Trojan-Ransom.Win32.Foreign.lefc
>> .onion Proxy DNS lookup (trojan.rules)
>>  2808901 - ETPRO POLICY Likely icanhazip.com IP lookup over SSL
>> (policy.rules)
>>  2808902 - ETPRO TROJAN Win32/Rustock.G Checkin (trojan.rules)
>>  2808903 - ETPRO EXPLOIT Nucom ADSL ADSLR5000UN ISP Credential
>> Disclosure Attempt (exploit.rules)
>>  2808904 - ETPRO EXPLOIT ZyXEL Prestig P-660HNU-T1v2 Credential
>> Disclosure Attempt (exploit.rules)
>>  2808905 - ETPRO TROJAN Win32/Xorer.O Checkin (trojan.rules)
>>  2808906 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Maxit.a Checkin
>> (mobile_malware.rules)
>>
>>
>> [+++]  Enabled and modified rules:   [+++]
>>
>>  2019244 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 1 (web_server.rules)
>>  2019245 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 2 (web_server.rules)
>>  2019246 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 3 (web_server.rules)
>>  2019247 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 4 (web_server.rules)
>>  2019248 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 5 (web_server.rules)
>>  2019249 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 6 (web_server.rules)
>>  2019250 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 7 (web_server.rules)
>>  2019251 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 8 (web_server.rules)
>>  2019252 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 9 (web_server.rules)
>>  2019253 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 10 (web_server.rules)
>>  2019254 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 11 (web_server.rules)
>>  2019255 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 12 (web_server.rules)
>>  2019256 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 13 (web_server.rules)
>>  2019257 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 14 (web_server.rules)
>>  2019258 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 15 (web_server.rules)
>>  2019259 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 16 (web_server.rules)
>>  2019260 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 17 (web_server.rules)
>>  2019261 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 18 (web_server.rules)
>>  2019262 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 19 (web_server.rules)
>>  2019263 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 20 (web_server.rules)
>>  2019264 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 21 (web_server.rules)
>>  2019265 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 22 (web_server.rules)
>>  2019266 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 23 (web_server.rules)
>>  2019267 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 24 (web_server.rules)
>>  2019268 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 25 (web_server.rules)
>>  2019269 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 26 (web_server.rules)
>>  2019270 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 27 (web_server.rules)
>>  2019271 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 28 (web_server.rules)
>>  2019272 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 29 (web_server.rules)
>>  2019273 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP
>> URLENCODE Generic 30 (web_server.rules)
>>
>>
>> [///]     Modified active rules:     [///]
>>
>>  2019181 - ET CURRENT_EVENTS Possible Android CVE-2014-6041
>> (current_events.rules)
>>  2019243 - ET TROJAN Infostealer.Boleteiro checking stolen boleto
>> payment information (trojan.rules)
>>  2805260 - ETPRO TROJAN Trojan.Win32.Jorik.Yoddos.no Checkin
>> (trojan.rules)
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>
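The BlackEnergy certificate signature (sid 2019282) that rmkml quotes is a chain of relative content matches over a TLS Certificate handshake message. The Python below is an added example, not Emerging Threats' code: it replays that chain over a constructed (not valid X.509) TLS record, assuming the Snort/Suricata window semantics stated in the comments, and shows why the `distance:1` before the CN is there (it skips the ASN.1 string tag, so PrintableString 0x13 and UTF8String 0x0c subjects both match).

```python
# Added example (not Emerging Threats' code): replay the content/distance/within
# chain of sid 2019282 against a constructed TLS Certificate record.
# Assumed window semantics (Snort/Suricata relative matching): a relative content
# must lie entirely inside [prev_end + distance, prev_end + distance + within).
# flow:established,from_server and the port 443 test are stream-level and skipped.

SERIAL = bytes.fromhex("008891e8ca54bb7d10")   # 9-byte serial from the rule
RULE_CONTENTS = [                               # (pattern, distance, within)
    (b"\x16", None, None),                      # TLS handshake record type
    (b"\x0b", None, 8),                         # handshake type: Certificate
    (b"\x09" + SERIAL, None, 35),               # INTEGER length + serial
    (b"\x55\x04\x03", 0, None),                 # OID 2.5.4.3 commonName
    (b"\x0b" + b"5.79.80.166", 1, 12),          # skip string tag, len 11 + CN
]

def match_chain(payload: bytes, contents) -> bool:
    """True when every content matches relative to the previous match."""
    prev_end = 0
    for i, (pat, distance, within) in enumerate(contents):
        if i == 0:                              # first content: anywhere
            start, end = 0, len(payload)
        else:
            start = prev_end + (distance or 0)
            end = len(payload) if within is None else start + within
        idx = payload.find(pat, start, end)     # match fully inside [start, end)
        if idx == -1:
            return False
        prev_end = idx + len(pat)
    return True

def der_seq(body: bytes) -> bytes:
    """SEQUENCE with a 2-byte long-form length (30 82 LL LL)."""
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body

def build_record(cn: bytes, serial: bytes = SERIAL, str_tag: bytes = b"\x13") -> bytes:
    """Constructed, minimal TLS 1.0 Certificate record: not a valid X.509 cert,
    only the fields the signature inspects sit at realistic offsets."""
    subject_cn = b"\x55\x04\x03" + str_tag + bytes([len(cn)]) + cn
    tbs = (b"\xa0\x03\x02\x01\x02"                    # [0] EXPLICIT version v3
           + b"\x02" + bytes([len(serial)]) + serial  # serialNumber INTEGER
           + b"\x00" * 40                             # stand-in for sigalg/issuer/validity
           + subject_cn)
    cert = der_seq(der_seq(tbs))
    body = (len(cert) + 3).to_bytes(3, "big") + len(cert).to_bytes(3, "big") + cert
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    print(match_chain(build_record(b"5.79.80.166"), RULE_CONTENTS))                   # True
    print(match_chain(build_record(b"5.79.80.166", str_tag=b"\x0c"), RULE_CONTENTS))  # True
    print(match_chain(build_record(b"example.org"), RULE_CONTENTS))                   # False
```

The `within:35` after the Certificate type byte is what pins the serial to the start of the first certificate, so a matching serial deeper in the chain does not fire the rule.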