[Emerging-updates] Daily Update Summary 1/6/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Jan 6 16:17:58 EST 2011


[+++]          Added rules:          [+++]

2012150 - ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI (web_server.rules)
2012151 - ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS Inbound (web_server.rules)

Not perfect sigs, they are evadable, but it's something...


2012152 - ET WEB_CLIENT DXF Extension File Detection Access Flowbit Set (web_client.rules)
2012153 - ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution (web_client.rules)
2012154 - ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1 (exploit.rules)
2012155 - ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2 (exploit.rules)
2012156 - ET WEB_CLIENT Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt (web_client.rules)
2012157 - ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt Function Call (activex.rules)
2012158 - ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt (activex.rules)

More of the usual stuff. 


2801220 - ETPRO WEB_CLIENT Microsoft Office PICT Image Converter Integer Overflow pic (web_client.rules)
2801221 - ETPRO WEB_CLIENT Microsoft Office PICT Image Converter Integer Overflow pct (web_client.rules)
2801222 - ETPRO WEB_CLIENT Microsoft Office PICT Image Converter Integer Overflow (web_client.rules)

Only three Pro sigs today, these are reliable and good on load.


[///]     Modified active rules:     [///]

2003494 - ET USER_AGENTS AskSearch Toolbar Spyware User-Agent (AskTBar) (user_agents.rules)
2003496 - ET USER_AGENTS AskSearch Toolbar Spyware User-Agent (AskBar) (user_agents.rules)

Just converted colons to |3a|.



[---]         Disabled rules:        [---]

2012137 - ET TROJAN Storm/Waledac 3.0 Checkin 1 (trojan.rules)

We expected this might false, and it is. Disabled, we'll remove it soon.



[---]         Removed rules:         [---]

2012144 - ET CURRENT_EVENTS Possible Malware Related Numerical .co Domain (current_events.rules)

Misunderstanding of the event, removed this rule.

Matt



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




