[Emerging-updates] Daily Ruleset Update Summary 5/18/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed May 18 17:12:49 EDT 2011


CI-Army ruleset has updated today, as well as some good new malware and web app sigs. 

[+++]          Added rules:          [+++]

 2012813 - ET WEB_CLIENT PDF With Adobe Audition Session File Handling Buffer Overflow Flowbit Set (web_client.rules)
 2012814 - ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt (web_client.rules)
 2012815 - ET CURRENT_EVENTS FAKEAV Scanner Landing Page (Initializing Virus Protection System...) (current_events.rules)


More of the IAT sigs from Kevin Ross. The previous set are proving quite reliable.

 2012816 - ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing (trojan.rules)
 2012817 - ET TROJAN EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing (trojan.rules)


 2012818 - ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager Blind SQL Injection Attempt (web_specific_apps.rules)
 2012819 - ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager advancedfind.do Reflective XSS Attempt (web_specific_apps.rules)
 2012820 - ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager deviceInstanceName Reflective XSS Attempt (web_specific_apps.rules)
 2012821 - ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon Reflective XSS Attempt (web_specific_apps.rules)
 2012822 - ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon_wrapper.jsp Reflective XSS Attempt (web_specific_apps.rules)
 2012823 - ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager clusterName Reflective XSS Attempt (web_specific_apps.rules)
 2012824 - ET WEB_SPECIFIC_APPS Cisco Common Services Framework Reflective XSS Attempt (web_specific_apps.rules)
 2012825 - ET WEB_SPECIFIC_APPS Cisco Common Services Framework Help Servlet Reflective XSS Attempt (web_specific_apps.rules)


And the Pro Rules:

 2802211 - ETPRO TROJAN Spy/Swisyn Variant Infection Report (trojan.rules)
 2802212 - ETPRO TROJAN Win32.Renos Checkin 2 (trojan.rules)
 2802818 - ETPRO WEB_SPECIFIC_APPS Quest Software Big Brother Arbitrary File Deletion and Overwriting (web_specific_apps.rules)
 2802819 - ETPRO WEB_SPECIFIC_APPS Quest Software Big Brother Arbitrary File Deletion and Overwriting (web_specific_apps.rules)


[+++]         Enabled rules:         [+++]


Back from disablement. Had dropped it for load, but it has been pointed out it's still highly valuable.

    3198 - GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian (netbios.rules)


[///]     Modified active rules:     [///]

 2010885 - ET TROJAN BlackEnergy v2.x HTTP Request with Encrypted Variables (trojan.rules)
 2012177 - ET CURRENT_EVENTS p2pshares.org Related Malware (current_events.rules)
 2012520 - ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set (web_client.rules)




----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
