[Emerging-updates] Daily Ruleset Update Summary 3/22/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Mar 22 14:49:56 EST 2011


We have some significant changes today. The CI-Army ruleset has updated for one. Please keep sending feedback there, we're finding it quite a good set of IPs. 

We have a large number of new SCADA signatures, and a new rules file scada_special.rules. Most of the new rules are in the usual SCADA category scada.rules (or emerging-scada.rules). These in scada_special are NOT for use without the Digital Bond SCADA preprocessors enabled! They will not be included in the all.rules files to avoid any accidents. The preprocessors are available for Snort 2.8.5.2 and 2.8.5.3 only at this time, and can be downloaded from Digital Bond at http://www.digitalbond.com/tools/quickdraw/. We will have these preprocessors available for Suricata very soon! 

Many thanks to the Digital Bond guys for the great SCADA work and for letting us redistribute and convert these to our ET supported platforms!


[+++]          Added rules:          [+++]

First, the usual new trojan and driveby stuff, thanks to their submitters!

 2012534 - ET SHELLCODE Unescape Variable %u Shellcode (shellcode.rules)
 2012535 - ET SHELLCODE Unescape Variable Unicode Shellcode (shellcode.rules)
 2012536 - ET MALWARE Mozilla 3.0 and Indy Library User-Agent Likely Hostile (malware.rules)
 2012537 - ET CURRENT_EVENTS Possible Zbot Trojan (current_events.rules)
 2012538 - ET CURRENT_EVENTS Possible Zbot Trojan (current_events.rules)
 2012539 - ET CURRENT_EVENTS Possible Rogue Antivirus (current_events.rules)
 2012540 - ET CURRENT_EVENTS Possible Win32 Backdoor Poison (current_events.rules)
 2012541 - ET TROJAN Downloader.small Generic Checkin (trojan.rules)


The new SCADA signatures:

 2801680 - ETPRO SCADA DNP3 Disable Unsolicited Responses (scada.rules)
 2801681 - ETPRO SCADA DNP3 Non-DNP3 Communication on a DNP3 Port (scada.rules)
 2801682 - ETPRO SCADA DNP3 Unsolicited Response Storm (scada.rules)
 2801683 - ETPRO SCADA DNP3 Cold Restart From Authorized Client (scada.rules)
 2801684 - ETPRO SCADA DNP3 Cold Restart From Unauthorized Client (scada.rules)
 2801685 - ETPRO SCADA DNP3 Unauthorized Read Request to a PLC (scada.rules)
 2801686 - ETPRO SCADA DNP3 Unauthorized Write Request to a PLC (scada.rules)
 2801687 - ETPRO SCADA DNP3 Unauthorized Miscellaneous Request to a PLC (scada.rules)
 2801688 - ETPRO SCADA DNP3 Stop Application (scada.rules)
 2801689 - ETPRO SCADA DNP3 Warm Restart (scada.rules)
 2801690 - ETPRO SCADA DNP3 Broadcast Request from Authorized Client (scada.rules)
 2801691 - ETPRO SCADA DNP3 Broadcast Request from Unauthorized Client (scada.rules)
 2801692 - ETPRO SCADA DNP3 Points List Scan (scada.rules)
 2801693 - ETPRO SCADA DNP3 Function Code Scan (scada.rules)
 2801710 - ETPRO SCADA Modbus TCP Force Listen Only Mode (scada.rules)
 2801711 - ETPRO SCADA Modbus TCP Restart Communications Option (scada.rules)
 2801712 - ETPRO SCADA Modbus TCP Clear Counters and Diagnostic Registers (scada.rules)
 2801713 - ETPRO SCADA Modbus TCP Read Device Identification (scada.rules)
 2801714 - ETPRO SCADA Modbus TCP Report Server Information (scada.rules)
 2801715 - ETPRO SCADA Modbus TCP Unauthorized Read Request to a PLC (scada.rules)
 2801716 - ETPRO SCADA Modbus TCP Unauthorized Write Request to a PLC (scada.rules)
 2801717 - ETPRO SCADA Modbus TCP Illegal Packet Size, Possible DOS Attack (scada.rules)
 2801718 - ETPRO SCADA Modbus TCP Non-Modbus Communication on TCP Port 502 (scada.rules)
 2801719 - ETPRO SCADA Modbus TCP Slave Device Busy Exception Code Delay (scada.rules)
 2801720 - ETPRO SCADA Modbus TCP Acknowledge Exception Code Delay (scada.rules)
 2801721 - ETPRO SCADA Modbus TCP Incorrect Packet Length, Possible DOS Attack (scada.rules)
 2801722 - ETPRO SCADA Modbus TCP Points List Scan (scada.rules)
 2801723 - ETPRO SCADA Modbus TCP Function Code Scan (scada.rules)
 2801724 - ETPRO SCADA WonderWare SuiteLink DOS Attempt (scada.rules)
 2801725 - ETPRO SCADA RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow (scada.rules)
 2801726 - ETPRO SCADA ClearSCADA Heap Overflow Attempt (scada.rules)
 2801727 - ETPRO SCADA Wonderware InBatch Buffer Overflow Attempt (scada.rules)
 2801728 - ETPRO SCADA Sielco Sistemi WinLog Stack Overflow Attempt (scada.rules)
 2801730 - ETPRO SCADA RealWin HMI Service Buffer Overflow Attempt 1 (scada.rules)
 2801731 - ETPRO SCADA RealWin HMI Service Buffer Overflow Attempt 2 (scada.rules)
 2801732 - ETPRO SCADA RealWin HMI Service Buffer Overflow Attempt 3 (scada.rules)
 2801733 - ETPRO SCADA NetBiter Config HICP Hostname Buffer Overflow (scada.rules)
 2801734 - ETPRO SCADA WellinTech KingView Remote Heap Overflow Attempt (scada.rules)

And these are the signatures that require the preprocessor:

  2801004 - ETPRO SCADA_SPECIAL CONTROL MICROSYSTEMS (Event 31) Reboot or Restart
  2801005 - ETPRO SCADA_SPECIAL CONTROL MICROSYSTEMS (Event 31) Reboot or Restart
  2801018 - ETPRO SCADA_SPECIAL CONTROL MICROSYSTEMS (Event 24) View Device Status
  2801019 - ETPRO SCADA_SPECIAL CONTROL MICROSYSTEMS (Event 47) Device Poll All
  2801055 - ETPRO SCADA_SPECIAL DIRECTLOGIC (Event 49) Request Controller ID
  2801093 - ETPRO SCADA_SPECIAL PROSOFT (Event 16) Failed Checksum Error
  2801094 - ETPRO SCADA_SPECIAL PROSOFT (Event 20) Function Not Available Error
  2801095 - ETPRO SCADA_SPECIAL PROSOFT (Event 21) Point Not Available
  2801096 - ETPRO SCADA_SPECIAL PROSOFT (Event 31) Reboot or Restart
  2801097 - ETPRO SCADA_SPECIAL PROSOFT (Event 31) Reboot or Restart
  2801098 - ETPRO SCADA_SPECIAL PROSOFT (Event 33)Change Date Attempt
  2801099 - ETPRO SCADA_SPECIAL PROSOFT (Event 33)Change Time Attempt
  2801103 - ETPRO SCADA_SPECIAL PROSOFT (Event 29)Software Upload
  2801104 - ETPRO SCADA_SPECIAL PROSOFT (Event 49) Request Controller ID
  2801107 - ETPRO SCADA_SPECIAL ROCKWELL (Event 31)Reboot or Restart
  2801108 - ETPRO SCADA_SPECIAL ROCKWELL (Event 31)Reboot or Restart
  2801109 - ETPRO SCADA_SPECIAL ROCKWELL (Event 11)Unlock PLC Attempt
  2801110 - ETPRO SCADA_SPECIAL ROCKWELL (Event 10)Lock PLC Attempt
  2801111 - ETPRO SCADA_SPECIAL ROCKWELL (Event 10)Lock PLC Attempt
  2801112 - ETPRO SCADA_SPECIAL ROCKWELL (Event 33)Change Date Attempt
  2801113 - ETPRO SCADA_SPECIAL ROCKWELL (Event 32)Change Time Attempt
  2801114 - ETPRO SCADA_SPECIAL ROCKWELL 2 Kick Timers detected
  2801115 - ETPRO SCADA_SPECIAL ROCKWELL Start detected
  2801116 - ETPRO SCADA_SPECIAL ROCKWELL (Event 12)Remote Mode Change Attempt
  2801117 - ETPRO SCADA_SPECIAL ROCKWELL 2 Kick Timers Detected
  2801118 - ETPRO SCADA_SPECIAL ROCKWELL Stop Detected
  2801119 - ETPRO SCADA_SPECIAL ROCKWELL (Event 12)Remote Mode Change Attempt
  2801120 - ETPRO SCADA_SPECIAL ROCKWELL 3 Kick Timers Detected
  2801121 - ETPRO SCADA_SPECIAL ROCKWELL (Event 12)Remote Mode Change Attempt
  2801122 - ETPRO SCADA_SPECIAL ROCKWELL (Event 24) View Device Status
  2801123 - ETPRO SCADA_SPECIAL ROCKWELL (Event 24) View Device Status
  2801124 - ETPRO SCADA_SPECIAL ROCKWELL (Event 24) View Device Status
  2801125 - ETPRO SCADA_SPECIAL ROCKWELL (Event 29)Software Upload
  2801164 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 20) Function Not Available Error
  2801165 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 31) Reboot or Restart
  2801166 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 31) Reboot or Restart
  2801167 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 31) Reboot or Restart
  2801168 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 31) Reboot or Restart
  2801169 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 33)Date Change Attempt
  2801170 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 32)Time Change Attempt
  2801171 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 24) View Device Status
  2801694 - ETPRO SCADA_SPECIAL DNP3 Disable Unsolicited Responses - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801695 - ETPRO SCADA_SPECIAL DNP3 Non-DNP3 Communication on a DNP3 Port - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801696 - ETPRO SCADA_SPECIAL DNP3 Unsolicited Response Storm - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801697 - ETPRO SCADA_SPECIAL DNP3 Cold Restart From Authorized Client - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801698 - ETPRO SCADA_SPECIAL DNP3 Cold Restart From Unauthorized Client - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801699 - ETPRO SCADA_SPECIAL DNP3 Unauthorized Read Request to a PLC - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801700 - ETPRO SCADA_SPECIAL DNP3 Unauthorized Write Request to a PLC - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801701 - ETPRO SCADA_SPECIAL DNP3 Unauthorized Miscellaneous Request to a PLC - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801702 - ETPRO SCADA_SPECIAL DNP3 Stop Application - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801703 - ETPRO SCADA_SPECIAL DNP3 Warm Restart - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801704 - ETPRO SCADA_SPECIAL DNP3 Broadcast Request from Authorized Client - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801705 - ETPRO SCADA_SPECIAL DNP3 Broadcast Request from Unauthorized Client - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801706 - ETPRO SCADA_SPECIAL DNP3 Points List Scan - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801707 - ETPRO SCADA_SPECIAL DNP3 Function Code Scan - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801708 - ETPRO SCADA_SPECIAL DNP3 Time Change Attempt - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801709 - ETPRO SCADA_SPECIAL DNP3 Failed Checksum Error - url,digitalbond.com/tools/quickdraw/dnp3-rules
  2801751 - ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Unauthorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801752 - ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Unauthorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801753 - ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Authorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801754 - ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Authorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801755 - ETPRO SCADA_SPECIAL ENIP/CIP Unlock PLC Attempt from Unauthorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801756 - ETPRO SCADA_SPECIAL ENIP/CIP Unlock PLC Attempt from Authorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801757 - ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Unauthorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801758 - ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Unauthorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801759 - ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Authorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801780 - ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Authorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801781 - ETPRO SCADA_SPECIAL ENIP/CIP Stop Detected from Unauthorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801782 - ETPRO SCADA_SPECIAL ENIP/CIP Stop Detected from Authorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801783 - ETPRO SCADA_SPECIAL ENIP/CIP Remote Mode Change Attempt from Unauthorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801784 - ETPRO SCADA_SPECIAL ENIP/CIP Remote Mode Change Attempt from Authorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801785 - ETPRO SCADA_SPECIAL ENIP/CIP Software Upload from Unauthorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules
  2801786 - ETPRO SCADA_SPECIAL ENIP/CIP Software Upload from Authorized Client - url,digitalbond.com/tools/quickdraw/ethernetip-rules



And one lonely normal exploit sig.

 2801760 - ETPRO EXPLOIT Novell Netware FTP Server DELE Command Stack Buffer Overflow (exploit.rules)


[///]     Modified active rules:     [///]

Mostly performance tweaks here:

 2008277 - ET TROJAN Pakes Winifixer.com Related Checkin URL (trojan.rules)
 2008433 - ET TROJAN Pandex checkin detected (trojan.rules)
 2008506 - ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected (trojan.rules)
 2008542 - ET SCADA CitectSCADA ODBC Overflowflow Attempt (scada.rules)
 2009082 - ET TROJAN Password Stealer Reporting - ?a=%NN&b= (trojan.rules)
 2009092 - ET CURRENT_EVENTS New Malware Information Post (current_events.rules)
 2009094 - ET TROJAN Password Stealer (PSW.Win32.Magania Family) GET (trojan.rules)
 2009539 - ET TROJAN Downloader Infostealer - GET Checkin (trojan.rules)
 2009548 - ET VIRUS Adware/Spyware Adrotator for Rogue AV (virus.rules)
 2010230 - ET TROJAN W32.Koblu (trojan.rules)
 2011908 - ET CURRENT_EVENTS exploit kit x/exe.php?x=mdac (current_events.rules)
 2012521 - ET CURRENT_EVENTS Generic Win32 Banker Trojan CheckIn (current_events.rules)
 2800916 - ETPRO SCADA SCADA NetBiter webScada Directory Transversal (scada.rules)
 2800917 - ETPRO SCADA SCADA NetBiter webScada User Information Disclosure (scada.rules)
 2801604 - ETPRO WEB_CLIENT Microsoft Windows Indeo Filter iacenc.dll Insecure Library Loading - Set (web_client.rules)
 2801605 - ETPRO WEB_CLIENT Microsoft Windows Indeo Filter iacenc.dll Insecure Library Loading (web_client.rules)

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc