[Emerging-updates] Second Daily Ruleset Update Summary 3/1/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Mar 1 18:46:53 EST 2011

This is a supplemental update. We had one earlier this morning, but the number of updates justifies a second update today. We're doing a bit of cleanup in the Current_events category: moving some rules that were already disabled to trash, and moving others into permanent categories as they've proven their worth.

[+++]          Added rules:          [+++]

These are all moved from Current_events to permanent categories:
 2011343 - ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System (web_client.rules)
 2011391 - ET WEB_SERVER web shell detected (web_server.rules)
 2011422 - ET VOIP Possible Modified Sipvicious OPTIONS Scan (voip.rules)
 2011456 - ET WEB_CLIENT PROPFIND Flowbit Set (web_client.rules)
 2011457 - ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share, Possible DLL Preloading Exploit Attempt (web_client.rules)
 2012250 - ET TROJAN Unknown Web Backdoor Keep-Alive (trojan.rules)
 2012292 - ET WEB_CLIENT Base64 Encoded FTP Commands Upload (21 > o&echo user 1 1 >> o &echo get) (web_client.rules)

New Open rules:
 2012406 - ET WEB_SPECIFIC_APPS Potential Cewolf DOS attempt (web_specific_apps.rules)
 2012407 - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability (web_specific_apps.rules)
 2012408 - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability (web_specific_apps.rules)

New ET Pro Rules:
 2801396 - ETPRO MALWARE Hotbar Checkin and Report (malware.rules)
 2801397 - ETPRO TROJAN Generic FakeAV Install Report (trojan.rules)
 2801398 - ETPRO WEB_SPECIFIC_APPS Check Point Endpoint Security Server Information Disclosure Attempt (web_specific_apps.rules)
 2801399 - ETPRO USER_AGENTS Suspicious UA MyIE (user_agents.rules)
 2801400 - ETPRO TROJAN Unknown Trojan Checkin via Email Form (trojan.rules)
 2801401 - ETPRO TROJAN Unknown Trojan Checkin via Email Form Inbound (trojan.rules)

[///]     Modified active rules:     [///]

 2003626 - ET USER_AGENTS Suspicious Double User-Agent (User-Agent User-Agent) (user_agents.rules)
 2009991 - ET USER_AGENTS Suspicious User Agent (MyIE/1.0) (user_agents.rules)
 2011469 - ET CURRENT_EVENTS MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit (current_events.rules)
 2801327 - ETPRO WEB_CLIENT IE Jscript Decoding Information Disclosure Attempt (web_client.rules)

[///]    Modified inactive rules:    [///]

    1110 - GPL WEB_SERVER apache source.asp file access (web_server.rules)

These are modified for Suricata only, to look at !$HTTP_PORTS instead of the port range we use on the Snort side. This will perform better with Suricata. See today's previous blog post about Suricata Enhancements for more information.
 2006408 - ET POLICY HTTP GET on unusual Port Possibly Hostile (policy.rules)
 2006409 - ET POLICY HTTP POST on unusual Port Possibly Hostile (policy.rules)

[---]         Disabled rules:        [---]

Disabling these; they are set to move to Deleted over time. Please speak up if these are still hitting for you.

 2011369 - ET CURRENT_EVENTS DRIVEBY phoenix exploit kit landing page (current_events.rules)
 2011896 - ET CURRENT_EVENTS ZBot sp107fb/photo.exe (current_events.rules)
 2011992 - ET CURRENT_EVENTS Possible ProFTPD Backdoor Initiate Attempt (current_events.rules)
 2011993 - ET CURRENT_EVENTS ProFTPD Backdoor outbound Request Sent (current_events.rules)

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
