[Emerging-updates] Daily Ruleset Update Summary 4/29/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Apr 29 17:34:39 EDT 2011


More malware, some specific web apps, and a batch of GPL sigs moved to the new sid range.

Have a great weekend!


[+++]          Added rules:          [+++]

 2012650 - ET CURRENT_EVENTS All Numerical .cn Domain HTTP Request Likely Malware Related (current_events.rules)
 2012735 - ET POLICY Browser Search Bar User-Agent String (Babylon) (policy.rules)
 2012736 - ET CURRENT_EVENTS Trojan-GameThief.Win32.OnLineGames.bnye Checkin (current_events.rules)
 2012739 - ET WORM Rimecud Worm checkin (worm.rules)
 2012740 - ET USER_AGENTS Backdoor.Win32.Vertexbot.A Checkin UA (user_agents.rules)
 2012741 - ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt (activex.rules)
 2012742 - ET ACTIVEX Gesytec ElonFmt ActiveX Component Format String Function Call (activex.rules)
 2012743 - ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt (web_specific_apps.rules)
 2012744 - ET WEB_SPECIFIC_APPS Publishing Technology id Parameter Blind SQL Injection Attempt (web_specific_apps.rules)
 2012745 - ET WEB_SPECIFIC_APPS phpRS id parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012746 - ET WEB_SPECIFIC_APPS phpRS id parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012747 - ET WEB_SPECIFIC_APPS phpRS id parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012748 - ET WEB_SPECIFIC_APPS phpRS id parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012749 - ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012750 - ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012751 - ET USER_AGENTS suspicious user agent string (changhuatong) (user_agents.rules)
 2012752 - ET USER_AGENTS Vertex Trojan UA (VERTEXNET) (user_agents.rules)
 2012753 - ET MALWARE Possible FakeAV Binary Download (malware.rules)
 2012754 - ET SCAN Possible SQLMAP Scan (scan.rules)
 2012755 - ET SCAN Possible SQLMAP Scan (scan.rules)
 2012756 - ET WEB_CLIENT Windows Help and Support Center XSS Attempt (web_client.rules)
 2012757 - ET USER_AGENTS suspicious user agent string (CholTBAgent) (user_agents.rules)
 2101882 - GPL ATTACK_RESPONSE id check returned userid (attack_response.rules)
 2101883 - GPL ATTACK_RESPONSE id check returned nobody (attack_response.rules)
 2101884 - GPL ATTACK_RESPONSE id check returned web (attack_response.rules)
 2101885 - GPL ATTACK_RESPONSE id check returned http (attack_response.rules)
 2101886 - GPL ATTACK_RESPONSE id check returned apache (attack_response.rules)
 2101888 - GPL FTP SITE CPWD overflow attempt (ftp.rules)
 2101891 - GPL RPC status GHBN format string attack (rpc.rules)
 2101892 - GPL SNMP null community string attempt (snmp.rules)
 2101893 - GPL SNMP missing community string attempt (snmp.rules)
 2101894 - GPL EXPLOIT kadmind buffer overflow attempt (exploit.rules)
 2101895 - GPL EXPLOIT kadmind buffer overflow attempt (exploit.rules)
 2101896 - GPL EXPLOIT kadmind buffer overflow attempt (exploit.rules)
 2101897 - GPL EXPLOIT kadmind buffer overflow attempt (exploit.rules)
 2101898 - GPL EXPLOIT kadmind buffer overflow attempt 2 (exploit.rules)
 2101899 - GPL EXPLOIT kadmind buffer overflow attempt 3 (exploit.rules)
 2802096 - ETPRO TROJAN Trojan.Win32.Sefnit Checkin (trojan.rules)
 2802097 - ETPRO TROJAN Trojan.MSIL.Qhost.ajb checkin (trojan.rules)
 2802098 - ETPRO TROJAN Trojan.MSIL.Qhost.ajb Activity (trojan.rules)
 2802099 - ETPRO TROJAN Backdoor.Win32.Rewdulon.A Checkin (trojan.rules)


[///]     Modified active rules:     [///]

 2002400 - ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) (user_agents.rules)
 2011007 - ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt (activex.rules)
 2011125 - ET POLICY Maxthon Browser Background Agent UA (MxAgent) (policy.rules)
 2802083 - ETPRO ATTACK_RESPONSE MediaCast Password Dump Attack Response (attack_response.rules)


[---]         Removed rules:         [---]

 2012650 - ET MALWARE All Numerical .cn Domain HTTP Request Likely Malware Related (malware.rules)
 2012735 - ET USER_AGENTS Suspicious User-Agent String (Babylon) (user_agents.rules)
 2012736 - ET TROJAN Trojan-GameThief.Win32.OnLineGames.bnye Checkin (trojan.rules)
 2801927 - ETPRO USER_AGENTS Backdoor.Win32.Vertexbot.A Checkin UA (user_agents.rules)


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc