[Emerging-updates] Daily Ruleset Update Summary 3/29/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Mar 30 11:58:20 EST 2011


We have the last of the SCADA sigs for the Luigi vulnerabilities today for FactoryLink. We highly recommend you run those if you have this equipment on site. Other additions include some updated and new drive-by exploit sigs and Windows OpenType vulns. Enjoy!

[+++]          Added rules:          [+++]

2010497 - ET CURRENT_EVENTS Facebook Spam Inbound (1) (current_events.rules)
2012169 - ET TROJAN Potential Blackhole Exploit Pack Binary Load Request (trojan.rules)
2012593 - ET CURRENT_EVENTS Suspicious HTTP Request to a *.ce.ms Domain (current_events.rules)
2012595 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT (web_specific_apps.rules)
2012596 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT (web_specific_apps.rules)
2012597 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT (web_specific_apps.rules)
2012598 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field DELETE (web_specific_apps.rules)
2012599 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII (web_specific_apps.rules)
2012600 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE (web_specific_apps.rules)
2012601 - ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
2012603 - ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
2012604 - ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
2012605 - ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt (web_specific_apps.rules)

And the Pro Rules:

2801886 - ETPRO EXPLOIT HP OpenView Network Node Manager nnmRptConfig.exe schd_select1 Remote Code Execution (exploit.rules)
2801887 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Magic Bytes - SET (web_client.rules)
2801888 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 1 (web_client.rules)
2801889 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 2 (web_client.rules)
2801890 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 3 (web_client.rules)
2801891 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 4 (web_client.rules)
2801892 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 5 (web_client.rules)
2801893 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 6 (web_client.rules)
2801894 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 7 (web_client.rules)
2801895 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 8 (web_client.rules)
2801896 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 9 (web_client.rules)
2801897 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 10 (web_client.rules)
2801898 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 11 (web_client.rules)
2801899 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 12 (web_client.rules)
2801900 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 13 (web_client.rules)
2801901 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 14 (web_client.rules)
2801902 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 15 (web_client.rules)
2801903 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 16 (web_client.rules)
2801904 - ETPRO EXPLOIT Novell iManager ClassName Remote Buffer Overflow (exploit.rules)
2801905 - ETPRO EXPLOIT HP Power Manager Administration Web Server Stack Buffer Overflow (exploit.rules)
2801906 - ETPRO WEB_CLIENT Microsoft Office Excel ADO Object Parsing Code Execution - SET (web_client.rules)
2801907 - ETPRO SCADA Siemens Tecnomatix FactoryLink vrn.exe opcode 10 buffer overflow (scada.rules)
2801908 - ETPRO SCADA Siemens Tecnomatix FactoryLink vrn.exe opcode 10 buffer overflow 2 (scada.rules)
2801909 - ETPRO SCADA Siemens Tecnomatix FactoryLink vrn.exe opcode 9 buffer overflow (scada.rules)
2801910 - ETPRO SCADA Siemens Tecnomatix FactoryLink vrn.exe opcode 9 buffer overflow 2 (scada.rules)
2801911 - ETPRO SCADA Siemens Tecnomatix FactoryLink vrn.exe opcode 8 arbitrary file download (scada.rules)
2801912 - ETPRO SCADA Siemens Tecnomatix FactoryLink vrn.exe opcode 8 arbitrary file download 2 (scada.rules)
2801913 - ETPRO WEB_CLIENT Microsoft Office Excel ADO Object Parsing Code Execution (web_client.rules)


[///]     Modified active rules:     [///]

2010644 - ET CURRENT_EVENTS UPS Spam Inbound (current_events.rules)

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
