[Emerging-updates] Daily Update Summary 17/1/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Jan 17 13:37:23 EST 2011


[+++]          Added rules:          [+++]

 2012195 - ET POLICY Nginx Serving EXE/DLL File Often Malware Related (policy.rules)
 2012196 - ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation (shellcode.rules)
 2012197 - ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2 (shellcode.rules)

In but disabled by default. May false, but will be interesting for heavy malware environments, or investigations.


 2012198 - ET CURRENT_EVENTS Possible Worm W32.Svich or Other Infection Request for setting.ini (current_events.rules)
 2012199 - ET CURRENT_EVENTS Possible Worm W32.Svich or Other Infection Request for setting.xls (worm.rules)
 2012200 - ET CURRENT_EVENTS Possible Worm W32.Svich or Other Infection Request for setting.doc (worm.rules)
 2012201 - ET CURRENT_EVENTS Possible Worm Sohanad.Z or Other Infection Request for setting.nql (worm.rules)

May false, but real hits are about the only way we can sig this trojan.


 2801262 - ETPRO SQL Objectivity/DB Code Execution Unauthenticated OOAMS Shutdown (sql.rules)
 2801263 - ETPRO SQL Objectivity/DB Code Execution Unauthenticated Lock Server Shutdown (sql.rules)

And some new pro rules. 



[///]     Modified active rules:     [///]

 2012194 - ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt (activex.rules)


[---]         Disabled rules:        [---]

 2012180 - ET USER_AGENTS Suspicious User Agent no space (user_agents.rules)
 2800800 - ETPRO WEB_CLIENT RealNetworks RealPlayer FLV Parsing Two Integer Overflow Vulnerability 1 (web_client.rules)
 2800803 - ETPRO WEB_CLIENT RealNetworks RealPlayer FLV Parsing Two Integer Overflow Vulnerability 2 (web_client.rules)



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
