[Emerging-updates] Daily Ruleset Update Summary 5/20/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Fri May 20 14:52:26 EDT 2011


An RBN ruleset update today as well as some new Stillsecure sigs, and as always a load more malware!


[+++]          Added rules:          [+++]

Moved from TROJAN to POLICY:

 2012692 - ET POLICY Microsoft user-agent automated process response to infected request (policy.rules)


 2012828 - ET TROJAN Win32/Rimecud download (trojan.rules)
 2012829 - ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012830 - ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012831 - ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012832 - ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012833 - ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012834 - ET WEB_SPECIFIC_APPS ChillyCMS mod Parameter Blind SQL Injection Attempt (web_specific_apps.rules)
 2012835 - ET WEB_SPECIFIC_APPS f-fileman direkt Parameter Directory Traversal Vulnerability (web_specific_apps.rules)
 2012836 - ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt (web_specific_apps.rules)
 2012837 - ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt (web_specific_apps.rules)
 2012838 - ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt (web_specific_apps.rules)


And the ET Pro rules:

 2802834 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory Corruption(Published Exploit) 1 (smtp.rules)
 2802835 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory Corruption(Published Exploit) 2 (smtp.rules)
 2802836 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory Corruption(Published Exploit) 3 (smtp.rules)
 2802837 - ETPRO SCADA 7T Interactive Graphical SCADA System File Operations Buffer Overflow 1 (scada.rules)
 2802838 - ETPRO SCADA 7T Interactive Graphical SCADA System File Operations Buffer Overflows 2 (scada.rules)
 2802839 - ETPRO EXPLOIT ISC DHCP dhclient Network Configuration Script Command Injection (exploit.rules)
 2802840 - ETPRO TROJAN Generic Checkin/Trojan.VAJO (trojan.rules)


[///]     Modified active rules:     [///]

Generalized for more coverage:

 2801607 - ETPRO TROJAN Generic Trojan/Win32.Chowspy.A Checkin (trojan.rules)


[---]         Disabled rules:        [---]

Disabling because of the number of legitimate names in these TLDs, but still valuable to some organizations:

 2011407 - ET DNS DNS Query for Suspicious .com.ru Domain (dns.rules)
 2011408 - ET DNS DNS Query for Suspicious .com.cn Domain (dns.rules)
 2011411 - ET DNS DNS Query for Suspicious .co.kr Domain (dns.rules)


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc