[Emerging-updates] Daily Ruleset Update Summary 5/31/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue May 31 15:30:39 EDT 2011


Loads of new good stuff today. About 30 new rules and some performance tweaks, as well as a Spamhaus update. 


[+++]          Added rules:          [+++]


In but disabled, these ought to help you catch users sending their passwords in the clear:

 2012885 - ET POLICY Http Client Body contains password= in cleartext (policy.rules)
 2012886 - ET POLICY Http Client Body contains passwd= in cleartext (policy.rules)
 2012887 - ET POLICY Http Client Body contains pass= in cleartext (policy.rules)
 2012888 - ET POLICY Http Client Body contains pwd= in cleartext (policy.rules)
 2012889 - ET POLICY Http Client Body contains pw= in cleartext (policy.rules)
 2012890 - ET POLICY Http Client Body contains passphrase= in cleartext (policy.rules)
 2012891 - ET POLICY Http Client Body contains pword= in cleartext (policy.rules)


There's always another ddos bot to sig...

 2012892 - ET TROJAN JKDDOS Bot CnC Phone Home Message (trojan.rules)
 2012893 - ET USER_AGENTS Known Skunkx DDOS Bot User-Agent Cyberdog (user_agents.rules)
 2012894 - ET TROJAN Dropper.Win32.Agent.bpxo Checkin (trojan.rules)
 2012895 - ET TROJAN Dropper.Win32.Agent.ahju Checkin (trojan.rules)


A few more TLDs that are bad news....

 2012896 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.ae.am domain (current_events.rules)
 2012897 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.noc.su domain (current_events.rules)
 2012898 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.be.ma domain (current_events.rules)
 2012899 - ET CURRENT_EVENTS HTTP Request to a Suspicious *.qc.cx domain (current_events.rules)
 2012900 - ET DNS DNS Query for a Suspicious *.ae.am domain (dns.rules)
 2012901 - ET DNS DNS Query for a Suspicious *.noc.su domain (dns.rules)
 2012902 - ET DNS DNS Query for a Suspicious *.be.ma domain (dns.rules)
 2012903 - ET DNS DNS Query for a Suspicious *.qc.cx domain (dns.rules)

An Android trojan:

 2012904 - ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server (mobile_malware.rules)


 2012905 - ET ACTIVEX Magneto ICMP ActiveX ICMPSendEchoRequest Remote Code Execution Attempt (activex.rules)
 2012906 - ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set (web_client.rules)
 2012907 - ET WEB_CLIENT Download of PDF With Compressed Flash Content (web_client.rules)


Bergman is interesting, a couple rules for it:

 2012908 - ET TROJAN Backdoor Win32/Begman.A Checkin (trojan.rules)
 2012909 - ET USER_AGENTS Suspicious User-Agent Fragment (WORKED) (user_agents.rules)


And some Pro only rules:

 2802890 - ETPRO EXPLOIT McAfee Firewall Reporter isValidClient Remote Code Execution (exploit.rules)
 2802891 - ET EXPLOIT Novell ZENworks Asset Management File Upload Directory Traversal (exploit.rules)
 2802892 - ET EXPLOIT HP Intelligent Management Center img Buffer Overflow (exploit.rules)
 2802893 - ET USER_AGENTS Suspicious user agent (Google page) (user_agents.rules)
 2802894 - ET USER_AGENTS Suspicious user agent (HTTP-Engine) (user_agents.rules)
 2802895 - ET USER_AGENTS Suspicious user agent(Industry Update Control) (user_agents.rules)


[///]     Modified active rules:     [///]

Performance on some platforms

 2002157 - ET POLICY Skype User-Agent detected (policy.rules)




----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
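Added example, not part of the original post or of the ET rules themselves: a small Python model of what the seven cleartext-password POLICY rules (sids 2012885 to 2012891 above) look for. The sid-to-token mapping is constructed from the rule names only, and a plain content match is compared with a field-name match to show the substring false positives a practitioner has to tune for before enabling them.

```python
from urllib.parse import parse_qs

# Constructed from the rule names in the update above: sid -> body token.
# The real rule options are not on the page; this only models the name.
CLEARTEXT_PASSWORD_SIDS = {
    2012885: "password=",
    2012886: "passwd=",
    2012887: "pass=",
    2012888: "pwd=",
    2012889: "pw=",
    2012890: "passphrase=",
    2012891: "pword=",
}


def content_match(body):
    """Plain content match: fires if the token appears anywhere in the raw body,
    so 'oldpassword=' and 'bpw=' trip it just like a real login form."""
    return {sid for sid, tok in CLEARTEXT_PASSWORD_SIDS.items() if tok in body}


def field_name_match(body):
    """Tuned variant: the token must be a complete form-field name after
    form-urlencoded parsing, which removes the substring false positives."""
    names = set(parse_qs(body, keep_blank_values=True))
    return {sid for sid, tok in CLEARTEXT_PASSWORD_SIDS.items()
            if tok.rstrip("=") in names}


def scan(body, tls=False):
    """Return (content_hits, field_hits); a cleartext policy check has nothing
    to inspect once the client body travels inside TLS."""
    if tls:
        return set(), set()
    return content_match(body), field_name_match(body)


# Constructed sample client bodies, not captured traffic.
SAMPLES = {
    "login form":      "user=alice&password=hunter2",
    "password change": "oldpassword=hunter2&newpassword=hunter3",
    "telemetry":       "app=viewer&bpw=1024",
    "two fields":      "pw=x&passphrase=y",
    "json login":      '{"user":"alice","password":"hunter2"}',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        content, field = scan(body)
        print(f"{label:16} content={sorted(content)} field={sorted(field)}")
```

The JSON sample shows the coverage gap in the other direction: a login posted as JSON carries no `password=` token, so neither variant fires.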