[Emerging-updates] Live Commit Output

emerging@emergingthreats.net
Sat Mar 8 21:31:37 EST 2008


[***] Results from Oinkmaster started Sat Mar  8 21:31:37 2008 [***]

[+++]          Added rules:          [+++]

 2007611 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 (bleeding-virus.rules)
 2007612 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 (bleeding-virus.rules)
 2007613 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (bleeding-virus.rules)
 2007614 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (bleeding-virus.rules)
 2007950 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2007949 - ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at emergingthreats.net for analysis (bleeding-virus.rules)


[---]         Removed rules:         [---]

 2007611 - ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 (bleeding-policy.rules)
 2007612 - ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 (bleeding-policy.rules)
 2007613 - ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (bleeding-policy.rules)
 2007614 - ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (bleeding-policy.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (6):
        2007611 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
        2007612 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
        2007613 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
        2007614 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
        2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at emergingthreats.net for analysis
        2007950 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body

     -> Added to bleeding-sid-msg.map.txt (6):
        2007611 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
        2007612 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
        2007613 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
        2007614 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
        2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at emergingthreats.net for analysis
        2007950 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body

     -> Added to bleeding-virus.rules (3):
        # A large number of trojans report an infection by sending a blank email to a gmail or other free provider
        # They're pretty bland, other than they almost always use the Indy Mail lib. So the mail is slightly unique
        # This sig should catch them outbound

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (1):
        # $Id: bleeding-attack_response.rules $

     -> Removed from bleeding-dos.rules (1):
        # $Id: bleeding-dos.rules $

     -> Removed from bleeding-exploit.rules (1):
        # $Id: bleeding-exploit.rules $

     -> Removed from bleeding-game.rules (1):
        # $Id: bleeding-game.rules $

     -> Removed from bleeding-inappropriate.rules (1):
        # $Id: bleeding-inappropriate.rules $

     -> Removed from bleeding-malware.rules (1):
        # $Id: bleeding-malware.rules $

     -> Removed from bleeding-p2p.rules (1):
        # $Id: bleeding-p2p.rules $

     -> Removed from bleeding-policy.rules (4):
        # $Id: bleeding-policy.rules $
        # A large number of trojans report an infection by sending a blank email to a gmail or other free provider
        # They're pretty bland, other than they almost always use the Indy Mail lib. So the mail is slightly unique
        # This sig should catch them outbound

     -> Removed from bleeding-scan.rules (1):
        # $Id: bleeding-scan.rules $

     -> Removed from bleeding-sid-msg.map (5):
        2007611 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
        2007612 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
        2007613 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
        2007614 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
        2007949 || ET TROJAN Medbod UDP Phone Home Packet

     -> Removed from bleeding-sid-msg.map.txt (5):
        2007611 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
        2007612 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
        2007613 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
        2007614 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
        2007949 || ET TROJAN Medbod UDP Phone Home Packet

     -> Removed from bleeding-virus.rules (1):
        # $Id: bleeding-virus.rules $

     -> Removed from bleeding-voip.rules (1):
        # $Id: bleeding-voip.rules $

     -> Removed from bleeding-web.rules (1):
        # $Id: bleeding-web.rules $

     -> Removed from bleeding-web_sql_injection.rules (1):
        # $Id: bleeding-web_sql_injection.rules $

     -> Removed from bleeding.rules (1):
        # $Id: bleeding.rules $
