[Emerging-updates] Daily Ruleset Update Summary 4/26/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Apr 26 18:45:28 EDT 2011


A good deal of performance tweaking today and 

[+++]          Added rules:          [+++]

Some new specific apps sigs from Stillsecure:

2012715 - ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
2012716 - ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
2012717 - ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
2012718 - ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
2012719 - ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
2012720 - ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt (web_specific_apps.rules)
2012721 - ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt (web_specific_apps.rules)
2012722 - ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability (web_specific_apps.rules)
2012723 - ET WEB_SPECIFIC_APPS Mambo component com_zoom Blind SQL Injection Vulnerability (web_specific_apps.rules)
2012724 - ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt (web_specific_apps.rules)


Malware and scan sigs from the community:

2012725 - ET TROJAN Win32/FakeSysdef Rogue AV Checkin (trojan.rules)
2012726 - ET SCAN OpenVAS User-Agent Inbound (scan.rules)
2012727 - ET TROJAN BestAntivirus2011 Fake AV reporting (trojan.rules)


And experimenting again with some of the eternal malware domains that never seem to get taken down, despite our attempts. We'll expand this with the help of David Glosser at malwaredomains.com depending on performance.

2012728 - ET CURRENT_EVENTS Known Hostile Domain citi-bank.ru Lookup (current_events.rules)
2012729 - ET CURRENT_EVENTS Known Hostile Domain .ntkrnlpa.info Lookup (current_events.rules)
2012730 - ET CURRENT_EVENTS Known Hostile Domain ilo.brenz.pl Lookup (current_events.rules)


And moving another batch of GPL rules into the new sid range:

2101900 - GPL EXPLOIT successful kadmind buffer overflow attempt (exploit.rules)
2101901 - GPL EXPLOIT successful kadmind buffer overflow attempt (exploit.rules)
2101902 - GPL IMAP lsub literal overflow attempt (imap.rules)
2101903 - GPL IMAP rename overflow attempt (imap.rules)
2101904 - GPL IMAP find overflow attempt (imap.rules)
2101907 - GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt (rpc.rules)
2101908 - GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt (rpc.rules)
2101909 - GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt (rpc.rules)
2101912 - GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (rpc.rules)
2101913 - GPL RPC STATD UDP stat mon_name format string exploit attempt (rpc.rules)
2101914 - GPL RPC STATD TCP stat mon_name format string exploit attempt (rpc.rules)
2101915 - GPL RPC STATD UDP monitor mon_name format string exploit attempt (rpc.rules)
2101916 - GPL RPC STATD TCP monitor mon_name format string exploit attempt (rpc.rules)
2101917 - GPL MISC UPnP service discover attempt (misc.rules)
2101918 - GPL SCAN SolarWinds IP scan attempt (scan.rules)
2101919 - GPL FTP CWD overflow attempt (ftp.rules)


And your ET Pro rules for today. Lots of good malware. Just what we love!

2802072 - ETPRO TROJAN Trojan.Win32.Carberp.C Checkin (trojan.rules)
2802073 - ETPRO TROJAN Trojan.Win32.Carberp.C Checkin 2 (trojan.rules)
2802074 - ETPRO TROJAN Trojan.Win32.Carberp.C Checkin 3 (trojan.rules)
2802075 - ETPRO TROJAN Trojan.Win32.Carberp.C Checkin 4 (trojan.rules)
2802076 - ETPRO TROJAN Trojan.Win32.KLCCs.A Checkin (trojan.rules)
2802077 - ETPRO TROJAN Backdoor.Win32.Komrye.A Checkin 1 (trojan.rules)
2802078 - ETPRO TROJAN Backdoor.Win32.Komrye.A Checkin 2 (trojan.rules)
2802079 - ETPRO TROJAN Backdoor.Win32.Komrye.A Checkin 3 (trojan.rules)
2802080 - ETPRO TROJAN Trojan.Win32.Funcoes.A Checkin (trojan.rules)
2802084 - ETPRO TROJAN Backdoor.Win32.Mecklow.A Checkin (trojan.rules)
2802085 - ETPRO TROJAN Win32.VBKrypt.xiz Checkin (trojan.rules)
2802086 - ETPRO TROJAN Keylogger Win32.SMTP-Mailer.eqX at aK!Aqep Logging Start Email Sent (trojan.rules)


Another variation of the LLMNR vulnerability:

2802081 - ETPRO EXPLOIT Microsoft Windows LLMNR Request Stack Memory Corruption (exploit.rules)


And some research from one of our own, Dan Clemens at Packetninjas:

2802082 - ETPRO ATTACK_RESPONSE MediaCast Password Dump Attempt Flowbit Set (attack_response.rules)
2802083 - ETPRO ATTACK_RESPONSE MediaCast Password Dump Attack Response (attack_response.rules)



[///]     Modified active rules:     [///]

Modified for http_stat_msg performance:

2009295 - ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0) (user_agents.rules)
2010908 - ET USER_AGENTS Suspicious Mozilla User-Agent Inbound Likely Fake (Mozilla/5.0) (user_agents.rules)


[///]    Modified inactive rules:    [///]

Same

2011085 - ET POLICY HTTP Redirect to IPv4 Address (policy.rules)


[---]         Disabled rules:        [---]

For performance, and limited attacks.

2801461 - ETPRO WEB_CLIENT Microsoft Office Groove 2007 Insecure Library Loading Code Execution (web_client.rules)


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
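An added example, written for this page and not taken from the post above or from the Emerging Threats ruleset (the summary lists rule names only, not rule bodies): one way a "Known Hostile Domain ... Lookup" check like 2012728-2012730 can be expressed. DNS signatures typically match the queried name in its wire form (length-prefixed labels, no dots), so "citi-bank.ru" is sought as the bytes `\x09citi-bank\x02ru\x00`. The query packets below are constructed here as sample input, and the leading dot on ".ntkrnlpa.info" is assumed to mean "any subdomain of ntkrnlpa.info".

```python
"""
Added example (not ET rule text): matching DNS queries for known hostile
domains, both as a raw wire-format content match and as a decoded-QNAME
check. All packets are constructed inline for the example.
"""
import struct

# Domains named in the update summary. ".ntkrnlpa.info" is treated as a
# suffix match covering subdomains (assumption, see lead-in).
HOSTILE_DOMAINS = ["citi-bank.ru", "ntkrnlpa.info", "ilo.brenz.pl"]


def encode_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels (RFC 1035 section 3.1).

    Because each label carries its own length byte, the encoding of
    'citi-bank.ru' does not occur inside 'notciti-bank.ru', which makes a
    raw content match on these bytes more precise than a dotted-string
    substring search.
    """
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(packet: bytes, offset: int):
    """Decode the QNAME at offset; return (dotted name, offset after it).

    Compression pointers are not expected in a query's question section
    and are rejected rather than followed.
    """
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal standard A query (constructed sample input)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def raw_content_match(packet: bytes, domain: str) -> bool:
    """Signature-style check: do the wire-encoded bytes of the domain appear
    anywhere in the packet? Subdomains match because the encoded suffix
    (e.g. b'\\x08ntkrnlpa\\x04info\\x00') is contained in the full QNAME."""
    return encode_name(domain) in packet


def matches_hostile_domain(packet: bytes):
    """Stricter check: return the hostile domain a DNS *query* asks for, or None.

    Requires QR=0 and at least one question, decodes the QNAME and compares
    it case-insensitively, matching the domain itself or any subdomain.
    """
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000 or qdcount == 0:  # responses and empty questions ignored
        return None
    qname, _ = decode_qname(packet, 12)
    qname = qname.lower()
    for domain in HOSTILE_DOMAINS:
        if qname == domain or qname.endswith("." + domain):
            return domain
    return None


if __name__ == "__main__":
    for q in ["citi-bank.ru", "www.ntkrnlpa.info", "notciti-bank.ru", "example.com"]:
        print(q, "->", matches_hostile_domain(build_query(q)))
```

The raw content match is what a one-line rule can afford at line rate; the decoded check shows the two conditions a practitioner should add around it (query direction and a name boundary), since a bare byte match would also fire on the same bytes inside a response or an unrelated record.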
