[Emerging-updates] Daily Ruleset Update Summary 3/25/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Mar 25 13:50:11 EST 2011


We have some more SCADA sigs for the recent vulnerabilities, and a slew of new specific web app sigs. Have a great weekend!

[+++]          Added rules:          [+++]

 2012555 - ET USER_AGENTS Suspicious User-Agent (VMozilla) (user_agents.rules)
 2012556 - ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012557 - ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012558 - ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012559 - ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012560 - ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012561 - ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt (web_specific_apps.rules)
 2012562 - ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt (web_specific_apps.rules)
 2012563 - ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt (web_specific_apps.rules)
 2012564 - ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt (web_specific_apps.rules)
 2012565 - ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt (web_specific_apps.rules)
 2012566 - ET WEB_SPECIFIC_APPS vBulletin vbBux vbplaza.php Blind SQL Injection Attempt (web_specific_apps.rules)
 2012567 - ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012568 - ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012569 - ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012570 - ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012571 - ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt (web_specific_apps.rules)
 2012572 - ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt (web_specific_apps.rules)
 2012573 - ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt (web_specific_apps.rules)
 2012574 - ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt (web_specific_apps.rules)
 2012575 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT (web_specific_apps.rules)
 2012576 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT (web_specific_apps.rules)
 2012577 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT (web_specific_apps.rules)
 2012578 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field DELETE (web_specific_apps.rules)
 2012579 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII (web_specific_apps.rules)
 2012580 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE (web_specific_apps.rules)
 2012581 - ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012582 - ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012583 - ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
 2012584 - ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
 2012585 - ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)


And the SCADA sigs:

 2801868 - ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG path Buffer Overflow (scada.rules)
 2801869 - ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG filter Buffer Overflow (scada.rules)
 2801870 - ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFile path Buffer Overflow (scada.rules)
 2801871 - ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFileInfo path Buffer Overflow (scada.rules)
 2801872 - ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG path possible file download (scada.rules)
 2801873 - ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG filter possible file download (scada.rules)
 2801874 - ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFile possible file download (scada.rules)
 2801875 - ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFileInfo possible file download (scada.rules)


[///]     Modified active rules:     [///]

 2010882 - ET POLICY .pdf File Containing Javascript (policy.rules)
 2011866 - ET WEB_CLIENT Suspicious Embedded Shockwave Flash In PDF (web_client.rules)

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




