[Emerging-updates] Daily Ruleset Update Summary 5/24/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue May 24 18:46:25 EDT 2011


A light update today. 

[+++]          Added rules:          [+++]

 2008238 - ET POLICY Hotmail Inbox Access (policy.rules)
 2012779 - ET POLICY Suspicious IAT FTP File Interaction (policy.rules)
 2012780 - ET POLICY Suspicious IAT SetKeyboardState - Can Be Used for Keylogging (policy.rules)
 2802863 - ET TROJAN Win32.CashOn!IK Checkin (trojan.rules)
 2802864 - ET CURRENT_EVENTS Driveby Crimepack requesting load.php (current_events.rules)


[///]     Modified active rules:     [///]

 2008239 - ET POLICY Hotmail Message Access (policy.rules)
 2008240 - ET POLICY Hotmail Compose Message Access (policy.rules)
 2008242 - ET POLICY Hotmail Access Full Mode (policy.rules)
 2008538 - ET SCAN Sqlmap SQL Injection Scan (scan.rules)
 2012757 - ET USER_AGENTS suspicious user agent string (CholTBAgent) (user_agents.rules)
 2402000 - ET DROP Dshield Block Listed Source (dshield.rules)


[///]    Modified inactive rules:    [///]

 2000036 - ET POLICY Hotmail Message Access (policy.rules)
 2000037 - ET POLICY Hotmail Compose Message Access (policy.rules)
 2000038 - ET POLICY Hotmail Compose Message Submit (policy.rules)
 2000039 - ET POLICY Hotmail Compose Message Submit Data (policy.rules)


[---]  Disabled and modified rules:  [---]

 2009414 - ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack (dos.rules)


[---]         Disabled rules:        [---]

 2008065 - ET POLICY Nginx Server with modified version string - Often Hostile Traffic (policy.rules)


[---]         Removed rules:         [---]

 2003073 - ET TROJAN ICMP Banking Trojan sending encrypted stolen data (trojan.rules)
 2012778 - ET TROJAN Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality (trojan.rules)
 2012779 - ET TROJAN Suspicious IAT FTP File Interaction (trojan.rules)
 2012780 - ET TROJAN Suspicious IAT SetKeyboardState - Can Be Used for Keylogging (trojan.rules)
 2012817 - ET TROJAN EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing (trojan.rules)


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




