[Emerging-Sigs] Daily Ruleset Update Summary 2018/02/09

Travis Green tgreen at emergingthreats.net
Mon Feb 12 11:17:49 HST 2018


Thanks, we'll get that fixed for today's release.

-Travis

On Mon, Feb 12, 2018 at 2:12 PM, rmkml <rmkml at yahoo.fr> wrote:

> Thx for sharing update,
>
> Could you check possible FN because /r/n -> \r\n ?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Successful Generic .EDU Phish (Legit Set)";
> flow:to_server,established; content:".edu|0d 0a|"; http_header;
> pcre:"/^Host\x3a\x20[^/r/n]+\.edu/r/n/Hmi"; flowbits:set,ET.realEDUrequest;
> flowbits:noalert; metadata: former_category CURRENT_EVENTS;
> classtype:not-suspicious; sid:2025333; rev:2; metadata:attack_target
> Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at
> 2018_02_09, updated_at 2018_02_09;)
>
> Discovered during http://etplc.org open source project update.
>
> Best Regards
> @Rmkml
>
>
>
> On Fri, 9 Feb 2018, Travis Green wrote:
>
>
>> [***]            Summary:            [***]
>>
>> 9 new Open, 19 new Pro (9 + 10). Shurl0ckr Ransomware, OilRig RGDoor,
>> Various Phishing.
>>
>>
>> [+++]          Added rules:          [+++]
>>
>> Open:
>>
>>  2025332 - ET TROJAN Shurl0ckr Ransomware CnC (kdvm5fd6tn6jsbwh .onion
>> .to in DNS Lookup) (trojan.rules)
>>  2025333 - ET CURRENT_EVENTS Successful Generic .EDU Phish (Legit Set)
>> (current_events.rules)
>>  2025334 - ET CURRENT_EVENTS ASB Bank Phishing Landing 2018-02-09 M1
>> (current_events.rules)
>>  2025335 - ET CURRENT_EVENTS LinkedIn Phishing Landing 2018-02-09 M1
>> (current_events.rules)
>>  2025336 - ET CURRENT_EVENTS ASB Bank Phishing Landing 2018-02-09 M2
>> (current_events.rules)
>>  2025337 - ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-09
>> (current_events.rules)
>>  2025338 - ET CURRENT_EVENTS LinkedIn Phishing Landing 2018-02-09 M2
>> (current_events.rules)
>>  2025339 - ET CURRENT_EVENTS Facebook Phishing Landing 2018-02-09
>> (current_events.rules)
>>  2025340 - ET CURRENT_EVENTS Mailbox Revalidation Phishing Landing
>> 2018-02-09 (current_events.rules)
>>
>> Pro:
>>
>>  2829617 - ETPRO EXPLOIT Adobe Flash Use After Free (CVE-2017-4877)
>> (exploit.rules)
>>  2829618 - ETPRO TROJAN Chthonic CnC Beacon 13 (trojan.rules)
>>  2829619 - ETPRO TROJAN OilRig RGDoor Implant Communicating with CnC
>> (trojan.rules)
>>  2829620 - ETPRO TROJAN Chthonic CnC Beacon Generic M1 (trojan.rules)
>>  2829621 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
>> (2018-02-09 1) (trojan.rules)
>>  2829622 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
>> (2018-02-09 2) (trojan.rules)
>>  2829623 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
>> (2018-02-09 3) (trojan.rules)
>>  2829624 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
>> (2018-02-09 4) (trojan.rules)
>>  2829625 - ETPRO TROJAN Chthonic CnC Beacon 14 (trojan.rules)
>>  2829626 - ETPRO TROJAN NameCoin .bit DNS Sinkhole Response (trojan.rules)
>>
>>
>> [///]     Modified active rules:     [///]
>>
>>  2827572 - ETPRO CURRENT_EVENTS Successful Generic .EDU Phish Aug 17 2017
>> (current_events.rules)
>>  2828734 - ETPRO TROJAN Powerstats C2 (trojan.rules)
>>  2829308 - ETPRO TROJAN MSIL/Remcos Variant CnC Checkin (trojan.rules)
>>  2829459 - ETPRO TROJAN Win32/Agent.ZGL Variant W32/UDPOS Checkin
>> (trojan.rules)
>>
>>
>> --
>> PGP: 0xBED7B297
>>
>>


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
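Added example (not code from the thread or from the ET ruleset): a small Python `re` harness that approximates the quoted pcre and the `\r\n` correction rmkml proposes, run over constructed HTTP header buffers, to show why `/r/n` yields false negatives. It assumes Python `re` is close enough to PCRE for these two patterns and that Suricata's `/H` flag corresponds to the header buffer supplied directly here; the sample headers are constructed, not real traffic.

```python
import re

# Assumed re equivalents of the Suricata pcre options: 'm' -> re.M, 'i' -> re.I.
# The 'H' flag (match against the HTTP header buffer) has no re counterpart,
# so the header buffer is passed in directly.
BUGGY_PCRE = re.compile(rb"^Host\x3a\x20[^/r/n]+\.edu/r/n", re.M | re.I)
FIXED_PCRE = re.compile(rb"^Host\x3a\x20[^\r\n]+\.edu\r\n", re.M | re.I)

# Constructed sample header buffers (hostnames are placeholders, not real sites).
EDU_HEADERS = (
    b"Host: mail.example.edu\r\n"           # no '/', 'r' or 'n' in the host
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
)
EDU_HEADERS_WITH_R = (
    b"Host: www.brown.edu\r\n"              # 'r' in the host trips [^/r/n]+
    b"User-Agent: Mozilla/5.0\r\n"
)
NON_EDU_HEADERS = (
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
)


def header_matches(pattern: re.Pattern, headers: bytes) -> bool:
    """Return True if the pattern fires on the given header buffer."""
    return pattern.search(headers) is not None


def buggy_class_excludes() -> set:
    """Characters the class [^/r/n] actually rejects.

    It rejects the literal characters '/', 'r' and 'n', not CR and LF,
    and the trailing '/r/n' then demands a literal '/r/n' instead of CRLF.
    Both defects make the corrected content match (".edu|0d 0a|") succeed
    while the pcre fails, which is the false negative reported in the thread.
    """
    return {c for c in "/rn\r\n" if re.match(r"[^/r/n]", c) is None}


def compare(headers: bytes) -> dict:
    """Run both patterns over one header buffer for side-by-side review."""
    return {
        "buggy": header_matches(BUGGY_PCRE, headers),
        "fixed": header_matches(FIXED_PCRE, headers),
    }


if __name__ == "__main__":
    for name, buf in [("edu", EDU_HEADERS), ("edu_with_r", EDU_HEADERS_WITH_R),
                      ("non_edu", NON_EDU_HEADERS)]:
        print(name, compare(buf))
    print("class [^/r/n] excludes:", sorted(buggy_class_excludes()))
```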