[Emerging-updates] Daily Ruleset Update Summary 5/28/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Sat May 28 10:12:02 EDT 2011


A lot of new malware and flash sigs today, a set of sigs from Stillsecure, as well as an RBN update. Enjoy!



[+++]          Added rules:          [+++]

From stillsecure:

 2012872 - ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012873 - ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012874 - ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012875 - ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012876 - ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012877 - ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2012878 - ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2012879 - ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2012880 - ET WEB_SPECIFIC_APPS e107 trackback_url Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2012881 - ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt (web_specific_apps.rules)


 2012882 - ET TROJAN Backdoor.Win32.Poison.AU checkin (trojan.rules)
 2012883 - ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi (current_events.rules)
 2012884 - ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param (current_events.rules)


And the Pro sigs:

 2802873 - ETPRO WEB_CLIENT Adobe Flash SWF File version 10 Flowbit Set (web_client.rules)
 2802874 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 1 (web_client.rules)
 2802875 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 2 (web_client.rules)
 2802876 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 3 (web_client.rules)
 2802877 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 4 (web_client.rules)
 2802878 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 5 (web_client.rules)
 2802879 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 6 (web_client.rules)
 2802880 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 7 (web_client.rules)
 2802881 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 8 (web_client.rules)
 2802882 - ET CURRENT_EVENTS Driveby Crimepack Access cp.bat (current_events.rules)
 2802883 - ET CURRENT_EVENTS Driveby Crimepack CP-ENC-XXXX.php access (current_events.rules)
 2802884 - ETPRO WEB_SPECIFIC_APPS Cisco Common Services Framework Help Servlet Cross Site Scripting (web_specific_apps.rules)
 2802885 - ETPRO TROJAN Trojan.Win32.Dcbavict.A Checkin 1 (trojan.rules)
 2802886 - ETPRO TROJAN Trojan.Win32.Dcbavict.A Checkin 2 (trojan.rules)
 2802887 - ETPRO TROJAN Trojan.Win32.Dcbavict.A Checkin 3 (trojan.rules)
 2802888 - ET WEB_SPECIFIC_APPS AWStats Totals awstatstotals.php sort Parameter Code Execution (web_specific_apps.rules)
 2802889 - ETPRO WEB_SPECIFIC_APPS HP OpenView NNM nnmRptconfig.exe schdParams and nameParams Buffer Overflow (web_specific_apps.rules)



[---]         Disabled rules:        [---]

 2008380 - ET TROJAN Poison Ivy Key Exchange with CnC Init (trojan.rules)
 2008381 - ET TROJAN Poison Ivy Key Exchange with CnC Response (trojan.rules)


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




