[Emerging-Sigs] Daily Ruleset Update Summary 2020/04/21

Brandon Murphy bmurphy at emergingthreats.net
Tue Apr 21 14:28:14 HDT 2020


[***]            Summary:            [***]

 11 new Open, 28 new Pro (11 + 17). JS Skimmer, IBM Data Risk Manager
Exploits, ELF/TheMoon.Linksys, Various Phishing.

 Many rules in the Suricata 5 ruleset have been updated with Suricata 5
rule syntax/keywords. A complete list of rules that were changed can be
found via the changelog here:

https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-04-21T23:06:57.txt

 Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to
the Suricata 4.0 production rules for ETPro and the rule download
instructions for ETOpen.

 Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]


Open:

  2029982 - ET TROJAN MalDoc Requesting Payload 2020-04-21 (trojan.rules)
  2029983 - ET WEB_SERVER Possible Apache DDos UA Observed (DDos Apache) Outbound (web_server.rules)
  2029984 - ET WEB_CLIENT Possible Apache DDos UA Observed (DDos Apache) Inbound (web_client.rules)
  2029985 - ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan (exploit.rules)
  2029986 - ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Session ID Assignment (set) (exploit.rules)
  2029987 - ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Password Retrieval (exploit.rules)
  2029988 - ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass - Session ID Assignment (exploit.rules)
  2029989 - ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass - Password Retrieval (exploit.rules)
  2029990 - ET EXPLOIT IBM Data Risk Manager Arbitrary File Download Attempt (exploit.rules)
  2029991 - ET MALWARE JS Skimmer Domain in DNS Lookup (malware.rules)
  2029992 - ET MALWARE JS Skimmer Domain in DNS Lookup (malware.rules)

Pro:

  2842115 - ETPRO TROJAN MalDoc Requesting Payload 2020-04-21 (trojan.rules)
  2842116 - ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0) (user_agents.rules)
  2842117 - ETPRO WORM ELF/TheMoon.Linksys Worm Activity (Outbound) (worm.rules)
  2842118 - ETPRO TROJAN ELF/Generic Infected IOT Device Checkin M1 (trojan.rules)
  2842119 - ETPRO TROJAN ELF/Generic Infected IOT Device Checkin M2 (trojan.rules)
  2842120 - ETPRO TROJAN ELF/Generic Infected IOT Device Checkin M3 (trojan.rules)
  2842121 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-21 1) (trojan.rules)
  2842122 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-21 2) (trojan.rules)
  2842123 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-21 3) (trojan.rules)
  2842124 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-21 4) (trojan.rules)
  2842125 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-21 (current_events.rules)
  2842126 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-21 (current_events.rules)
  2842127 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-21 (current_events.rules)
  2842128 - ETPRO CURRENT_EVENTS Successful Advanzia Bank Phish 2020-04-21 (current_events.rules)
  2842129 - ETPRO CURRENT_EVENTS Successful Advanzia Bank Phish 2020-04-21 (current_events.rules)
  2842130 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M6 (trojan.rules)
  2842131 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)


[///]     Modified active rules:     [///]


  2842073 - ETPRO TROJAN BazaLoader Variant CnC (Checkin) (trojan.rules)
  2842090 - ETPRO TROJAN BazaLoader CnC (Download Request) (trojan.rules)


[---]  Disabled and modified rules:  [---]

  2011121 - ET TROJAN Phoenix Exploit Kit Facebook phishing page payload could be ZeuS (trojan.rules)