[Emerging-updates] Daily Ruleset Update Summary 4/22/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Apr 22 14:49:25 EDT 2011

We've moved another chunk of GPL rules to the new SID range, and spent some time today on the Remote Desktop signatures. The GPL sig for a non-encrypted RDP session init was broken according to the current spec and unable to fire. We've moved that to deleted to avoid wasted cycles until we can come up with an alternative. We've added several new RDP-related sigs, as you'll see below.

Have a great weekend!

[+++]          Added rules:          [+++]

A sig is in for a bot CnC that's sending double HTTP headers, trying to fake one.

 2012707 - ET CURRENT_EVENTS Suspicious double HTTP Header possible botnet CnC (current_events.rules)
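As an added illustration (not the ET rule's own match logic, which isn't in this post), here's a small Python check that parses a raw HTTP request and reports header names that occur more than once. The sample requests are constructed, and the choice of Host and User-Agent as the headers whose duplication counts as suspicious is an assumption for the example.

```python
"""Flag HTTP requests that carry the same header name more than once.

Added example, not code from the Emerging Threats ruleset: a client that
emits a second copy of a header such as Host or User-Agent while trying to
pass for a browser produces a request a strict parser can pick out.
"""
from collections import Counter

# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

DOUBLE_HEADER_REQUEST = (
    b"GET /checkin HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Headers that should appear at most once in a request; RFC 7230 requires
# exactly one Host. Treating User-Agent the same way is an assumption here.
WATCHED_HEADERS = ("host", "user-agent")


def parse_headers(raw):
    """Return a list of (name, value) pairs from a raw request, or None if
    the first line does not look like an HTTP request line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or len(lines[0].split(b" ")) != 3:
        return None  # not "METHOD target HTTP/x.y"
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line; ignore it
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def duplicate_headers(raw):
    """Map each header name seen more than once to its occurrence count."""
    headers = parse_headers(raw)
    if headers is None:
        return {}
    counts = Counter(name for name, _ in headers)
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(raw, watched=WATCHED_HEADERS):
    """True if any watched header is duplicated in the request."""
    dups = duplicate_headers(raw)
    return any(name in dups for name in watched)


if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("double", DOUBLE_HEADER_REQUEST)):
        print(label, duplicate_headers(req), is_suspicious(req))
```

The watch list matters: some request headers may legitimately repeat (Accept, Cookie fragments from some clients), so alerting on any duplicate at all would be noisy; restricting the check to headers the protocol expects once keeps the signal close to the odd behaviour the sig above is after.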

A new one from Frank Knobbe, an interesting oddity we should be watching for:

 2012708 - ET WEB_SERVER HTTP 414 Request URI Too Large (web_server.rules)

More granular looks at RDP connections:

 2012709 - ET POLICY MS Remote Desktop Administrator Login Request (policy.rules)
 2012710 - ET POLICY MS Terminal Server Root login (policy.rules)
 2012711 - ET POLICY MS Remote Desktop POS User Login Request (policy.rules)
 2012712 - ET POLICY MS Remote Desktop Service User Login Request (policy.rules)

And some Fake AV:

 2012713 - ET TROJAN Internet Protection FakeAV checkin (trojan.rules)
 2012714 - ET CURRENT_EVENTS FakeAV BestAntivirus2011 Download (current_events.rules)

The following were just moved up from the old SID range; the only changes are performance tweaks and, for some, conversion to use Suricata's protocol recognition.

 2100144 - GPL FTP ADMw0rm ftp login attempt (ftp.rules)
 2100334 - GPL FTP .forward (ftp.rules)
 2100335 - GPL FTP .rhosts (ftp.rules)
 2100337 - GPL FTP CEL overflow attempt (ftp.rules)
 2100391 - GPL FTP APPE overflow attempt (ftp.rules)
 2101447 - GPL POLICY MS Remote Desktop Request RDP (policy.rules)
 2101621 - GPL FTP CMD overflow attempt (ftp.rules)
 2101920 - GPL FTP SITE NEWER overflow attempt (ftp.rules)
 2101921 - GPL FTP SITE ZIPCHK overflow attempt (ftp.rules)
 2101922 - GPL RPC portmap proxy attempt TCP (rpc.rules)
 2101923 - GPL RPC portmap proxy attempt UDP (rpc.rules)
 2101924 - GPL RPC mountd UDP export request (rpc.rules)
 2101925 - GPL RPC mountd TCP exportall request (rpc.rules)
 2101926 - GPL RPC mountd UDP exportall request (rpc.rules)
 2101927 - GPL FTP authorized_keys file transfered (ftp.rules)
 2101928 - GPL FTP shadow retrieval attempt (ftp.rules)
 2101930 - GPL IMAP auth literal overflow attempt (imap.rules)
 2101936 - GPL POP3 AUTH overflow attempt (pop3.rules)
 2101937 - GPL POP3 LIST overflow attempt (pop3.rules)
 2101938 - GPL POP3 XTND overflow attempt (pop3.rules)
 2101939 - GPL MISC bootp hardware address length overflow (misc.rules)
 2101940 - GPL MISC bootp invalid hardware type (misc.rules)
 2101941 - GPL TFTP GET filename overflow attempt (tftp.rules)
 2101942 - GPL FTP RMDIR overflow attempt (ftp.rules)
 2101945 - GPL WEB_SERVER unicode directory traversal attempt (web_server.rules)
 2101948 - GPL DNS zone transfer UDP (dns.rules)
 2101949 - GPL RPC portmap SET attempt TCP 111 (rpc.rules)
 2101950 - GPL RPC portmap SET attempt UDP 111 (rpc.rules)
 2101951 - GPL RPC mountd TCP mount request (rpc.rules)
 2101952 - GPL RPC mountd UDP mount request (rpc.rules)
 2101957 - GPL RPC sadmind UDP PING (rpc.rules)
 2101958 - GPL RPC sadmind TCP PING (rpc.rules)
 2101959 - GPL RPC portmap NFS request UDP (rpc.rules)
 2101960 - GPL RPC portmap NFS request TCP (rpc.rules)
 2101961 - GPL RPC portmap RQUOTA request UDP (rpc.rules)
 2101962 - GPL RPC portmap RQUOTA request TCP (rpc.rules)
 2101963 - GPL RPC RQUOTA getquota overflow attempt UDP (rpc.rules)
 2101964 - GPL RPC tooltalk UDP overflow attempt (rpc.rules)
 2101965 - GPL RPC tooltalk TCP overflow attempt (rpc.rules)
 2102449 - GPL FTP ALLO overflow attempt (ftp.rules)

[///]    Modified inactive rules:    [///]

 2007571 - ET POLICY Remote Desktop Connection via non RDP Port (policy.rules)
 2012622 - ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile (current_events.rules)

[///]     Modified active rules:     [///]

Expanded to be more accurate.

 2012608 - ET CURRENT_EVENTS Java Exploit Attempt applet via file URI (current_events.rules)

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
