[Emerging-updates] Daily Ruleset Update Summary 5/19/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Thu May 19 19:04:46 EDT 2011


[+++]          Added rules:          [+++]


 2012826 - ET CURRENT_EVENTS DNS Query to a Suspicious *.vv.cc domain (current_events.rules)
 2012827 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.vv.cc domain (current_events.rules)


And the Pro rules:

 2802820 - ETPRO WEB_CLIENT Adobe Audition Session File Stack Buffer Overflow 1 (web_client.rules)
 2802821 - ETPRO WEB_CLIENT Adobe Audition Session File Stack Buffer Overflow 2 (web_client.rules)
 2802822 - ETPRO TFTP HP Intelligent Management Center TFTP Server DATA and ERROR Packets Buffer Overflow 1 (tftp.rules)
 2802823 - ETPRO TFTP HP Intelligent Management Center TFTP Server DATA and ERROR Packets Buffer Overflow 2 (tftp.rules)
 2802824 - ETPRO TROJAN Win32.Fareit.A Checkin (trojan.rules)
 2802825 - ETPRO TROJAN Backdoor.Win32.Agent.bhxn Checkin (trojan.rules)
 2802826 - ETPRO TROJAN Trojan.Win32.Chowspy.A Checkin 1 (trojan.rules)
 2802827 - ETPRO TROJAN Trojan.Win32.Chowspy.A Checkin 2 (trojan.rules)
 2802828 - ETPRO TROJAN Win32.Fibbit.ax Checkin 1 (trojan.rules)
 2802829 - ETPRO TROJAN Win32.Fibbit.ax Checkin 2 (trojan.rules)
 2802830 - ETPRO TROJAN Win32.Banksun.A Checkin (trojan.rules)
 2802831 - ETPRO TROJAN Win32.Vilsel.baqb Checkin (trojan.rules)
 2802832 - ETPRO SCADA RealFlex RealWin FC_RFUSER_FCS_LOGIN Buffer Overflow (scada.rules)
 2802833 - ETPRO SCADA RealFlex RealWin FC_RFUSER_FCS_LOGIN Buffer Overflow (scada.rules)


[///]     Modified active rules:     [///]

 2003286 - ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source) (malware.rules)
 2003287 - ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source) (malware.rules)
 2011374 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.co.cc domain (current_events.rules)
 2011375 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.cz.cc domain (current_events.rules)
 2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)
 2012115 - ET CURRENT_EVENTS DNS Query for a Suspicious Malware Related Numerical .in Domain (current_events.rules)
 2012330 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.rr.nu domain (current_events.rules)
 2012542 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.gv.vg domain (current_events.rules)
 2012593 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.ce.ms domain (current_events.rules)
 2012737 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.cw.cm domain (current_events.rules)
 2012810 - ET CURRENT_EVENTS Suspicious HTTP Request to a *.tk domain (current_events.rules)
 2012825 - ET WEB_SPECIFIC_APPS CiscoWorks Help Servlet Reflective XSS Attempt (web_specific_apps.rules)
 2402000 - ET DROP Dshield Block Listed Source (dshield.rules)


[///]    Modified inactive rules:    [///]

 2012650 - ET CURRENT_EVENTS HTTP Request to a Suspicious Malware Related Numerical .cn Domain (current_events.rules)


[---]         Removed rules:         [---]

 2012763 - ET TROJAN Suspicious IAT Checking for Debugger (trojan.rules)
 2012764 - ET TROJAN Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger (trojan.rules)
 2012765 - ET TROJAN Suspicious IAT GetStartupInfo (trojan.rules)
 2012766 - ET TROJAN Suspicious IAT GetComputerName (trojan.rules)
 2012767 - ET TROJAN Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC (trojan.rules)




----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




