[Emerging-updates] Daily Ruleset Update Summary 4/5/2012

Matt Jonkman jonkman at emergingthreatspro.com
Thu Apr 5 12:33:21 EDT 2012


Here's a supplemental ruleset push for this morning. We'll likely do another later today as well. 

This adds 35 new Open rules, and 5 Pro rules. 

Mac Flashback coverage added and file_data removed from a few suricata rules. 

[+++]          Added rules:          [+++]

Open rules:
 2014478 - ET CURRENT_EVENTS DNS Query to a *.3d-game.com Dynamic DNS Domain (current_events.rules)
 2014479 - ET CURRENT_EVENTS HTTP Request to a *.3d-game.com Dynamic DNS Domain (current_events.rules)
 2014480 - ET CURRENT_EVENTS DNS Query to a *.4irc.com Dynamic DNS Domain (current_events.rules)
 2014481 - ET CURRENT_EVENTS HTTP Request to a *.4irc.com Dynamic DNS Domain (current_events.rules)
 2014482 - ET CURRENT_EVENTS DNS Query to a *.b0ne.com Dynamic DNS Domain (current_events.rules)
 2014483 - ET CURRENT_EVENTS HTTP Request to a *.b0ne.com Dynamic DNS Domain (current_events.rules)
 2014484 - ET CURRENT_EVENTS DNS Query to a *.bbsindex.com Dynamic DNS Domain (current_events.rules)
 2014485 - ET CURRENT_EVENTS HTTP Request to a *.bbsindex.com Dynamic DNS Domain (current_events.rules)
 2014486 - ET CURRENT_EVENTS DNS Query to a *.chatnook.com Dynamic DNS Domain (current_events.rules)
 2014487 - ET CURRENT_EVENTS HTTP Request to a *.chatnook.com Dynamic DNS Domain (current_events.rules)
 2014488 - ET CURRENT_EVENTS DNS Query to a *.darktech.org Dynamic DNS Domain (current_events.rules)
 2014489 - ET CURRENT_EVENTS HTTP Request to a *.darktech.org Dynamic DNS Domain (current_events.rules)
 2014490 - ET CURRENT_EVENTS DNS Query to a *.deaftone.com Dynamic DNS Domain (current_events.rules)
 2014491 - ET CURRENT_EVENTS HTTP Request to a *.deaftone.com Dynamic DNS Domain (current_events.rules)
 2014492 - ET CURRENT_EVENTS DNS Query to a *.dtdns.net Dynamic DNS Domain (current_events.rules)
 2014493 - ET CURRENT_EVENTS HTTP Request to a *.dtdns.net Dynamic DNS Domain (current_events.rules)
 2014494 - ET CURRENT_EVENTS DNS Query to a *.effers.com Dynamic DNS Domain (current_events.rules)
 2014495 - ET CURRENT_EVENTS HTTP Request to a *.effers.com Dynamic DNS Domain (current_events.rules)
 2014496 - ET CURRENT_EVENTS DNS Query to a *.etowns.net Dynamic DNS Domain (current_events.rules)
 2014497 - ET CURRENT_EVENTS HTTP Request to a *.etowns.net Dynamic DNS Domain (current_events.rules)
 2014498 - ET CURRENT_EVENTS DNS Query to a *.etowns.org Dynamic DNS Domain (current_events.rules)
 2014499 - ET CURRENT_EVENTS HTTP Request to a *.etowns.org Dynamic DNS Domain (current_events.rules)
 2014500 - ET CURRENT_EVENTS DNS Query to a *.flnet.org Dynamic DNS Domain (current_events.rules)
 2014501 - ET CURRENT_EVENTS HTTP Request to a *.flnet.org Dynamic DNS Domain (current_events.rules)
 2014502 - ET CURRENT_EVENTS DNS Query to a *.gotgeeks.com Dynamic DNS Domain (current_events.rules)
 2014503 - ET CURRENT_EVENTS HTTP Request to a *.gotgeeks.com Dynamic DNS Domain (current_events.rules)
 2014504 - ET CURRENT_EVENTS DNS Query to a *.scieron.com Dynamic DNS Domain (current_events.rules)
 2014505 - ET CURRENT_EVENTS HTTP Request to a *.scieron.com Dynamic DNS Domain (current_events.rules)
 2014506 - ET CURRENT_EVENTS DNS Query to a *.slyip.com Dynamic DNS Domain (current_events.rules)
 2014507 - ET CURRENT_EVENTS HTTP Request to a *.slyip.com Dynamic DNS Domain (current_events.rules)
 2014508 - ET CURRENT_EVENTS DNS Query to a *.slyip.net Dynamic DNS Domain (current_events.rules)
 2014509 - ET CURRENT_EVENTS HTTP Request to a *.slyip.net Dynamic DNS Domain (current_events.rules)
 2014510 - ET CURRENT_EVENTS DNS Query to a *.suroot.com Dynamic DNS Domain (current_events.rules)
 2014511 - ET CURRENT_EVENTS HTTP Request to a *.suroot.com Dynamic DNS Domain (current_events.rules)
 2014513 - ET TROJAN DNS Request for Zaletelly CnC Domain (trojan.rules)

Pro Subscriber rules:
 2804758 - ETPRO CURRENT_EVENTS OSX/Flashback.K/I reporting successful infection (current_events.rules)
 2804759 - ETPRO TROJAN OSX/Flashback.K/I reporting successful infection 2 (trojan.rules)
 2804760 - ETPRO TROJAN OSX/Flashback.K/I reporting failed infection (trojan.rules)
 2804761 - ETPRO TROJAN OSX/Flashback.K first execution checkin (trojan.rules)
 2804762 - ETPRO TROJAN OSX/Flashback.K/I User-Agent (trojan.rules)


[///]     Modified active rules:     [///]

 2014313 - ET POLICY Executable Download From DropBox (policy.rules)
 2014333 - ET CURRENT_EVENTS OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa (current_events.rules)
 2014353 - ET MALWARE W32/MediaGet.Adware Installer Download (malware.rules)
 2014474 - ET INFO JAVA - Java Class Download (info.rules)


[---]         Removed rules:         [---]

No longer March… Will add one for May if the net's still in use then:
 2804639 - ETPRO TROJAN Flashback Mac Malware Twitter CnC Request for March 2012 (trojan.rules)



        2014333 || ET CURRENT_EVENTS OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/
        2014478 || ET CURRENT_EVENTS DNS Query to a *.3d-game.com Dynamic DNS Domain
        2014479 || ET CURRENT_EVENTS HTTP Request to a *.3d-game.com Dynamic DNS Domain
        2014480 || ET CURRENT_EVENTS DNS Query to a *.4irc.com Dynamic DNS Domain
        2014481 || ET CURRENT_EVENTS HTTP Request to a *.4irc.com Dynamic DNS Domain
        2014482 || ET CURRENT_EVENTS DNS Query to a *.b0ne.com Dynamic DNS Domain
        2014483 || ET CURRENT_EVENTS HTTP Request to a *.b0ne.com Dynamic DNS Domain
        2014484 || ET CURRENT_EVENTS DNS Query to a *.bbsindex.com Dynamic DNS Domain
        2014485 || ET CURRENT_EVENTS HTTP Request to a *.bbsindex.com Dynamic DNS Domain
        2014486 || ET CURRENT_EVENTS DNS Query to a *.chatnook.com Dynamic DNS Domain
        2014487 || ET CURRENT_EVENTS HTTP Request to a *.chatnook.com Dynamic DNS Domain
        2014488 || ET CURRENT_EVENTS DNS Query to a *.darktech.org Dynamic DNS Domain
        2014489 || ET CURRENT_EVENTS HTTP Request to a *.darktech.org Dynamic DNS Domain
        2014490 || ET CURRENT_EVENTS DNS Query to a *.deaftone.com Dynamic DNS Domain
        2014491 || ET CURRENT_EVENTS HTTP Request to a *.deaftone.com Dynamic DNS Domain
        2014492 || ET CURRENT_EVENTS DNS Query to a *.dtdns.net Dynamic DNS Domain
        2014493 || ET CURRENT_EVENTS HTTP Request to a *.dtdns.net Dynamic DNS Domain
        2014494 || ET CURRENT_EVENTS DNS Query to a *.effers.com Dynamic DNS Domain
        2014495 || ET CURRENT_EVENTS HTTP Request to a *.effers.com Dynamic DNS Domain
        2014496 || ET CURRENT_EVENTS DNS Query to a *.etowns.net Dynamic DNS Domain
        2014497 || ET CURRENT_EVENTS HTTP Request to a *.etowns.net Dynamic DNS Domain
        2014498 || ET CURRENT_EVENTS DNS Query to a *.etowns.org Dynamic DNS Domain
        2014499 || ET CURRENT_EVENTS HTTP Request to a *.etowns.org Dynamic DNS Domain
        2014500 || ET CURRENT_EVENTS DNS Query to a *.flnet.org Dynamic DNS Domain
        2014501 || ET CURRENT_EVENTS HTTP Request to a *.flnet.org Dynamic DNS Domain
        2014502 || ET CURRENT_EVENTS DNS Query to a *.gotgeeks.com Dynamic DNS Domain
        2014503 || ET CURRENT_EVENTS HTTP Request to a *.gotgeeks.com Dynamic DNS Domain
        2014504 || ET CURRENT_EVENTS DNS Query to a *.scieron.com Dynamic DNS Domain
        2014505 || ET CURRENT_EVENTS HTTP Request to a *.scieron.com Dynamic DNS Domain
        2014506 || ET CURRENT_EVENTS DNS Query to a *.slyip.com Dynamic DNS Domain
        2014507 || ET CURRENT_EVENTS HTTP Request to a *.slyip.com Dynamic DNS Domain
        2014508 || ET CURRENT_EVENTS DNS Query to a *.slyip.net Dynamic DNS Domain
        2014509 || ET CURRENT_EVENTS HTTP Request to a *.slyip.net Dynamic DNS Domain
        2014510 || ET CURRENT_EVENTS DNS Query to a *.suroot.com Dynamic DNS Domain
        2014511 || ET CURRENT_EVENTS HTTP Request to a *.suroot.com Dynamic DNS Domain
        2014513 || ET TROJAN DNS Request for Zaletelly CnC Domain || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx
        2404198 || ET DROP Known Bot C&C Server Traffic (group 100)  || url,abuse.ch || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC
        2404200 || ET DROP Known Bot C&C Server Traffic (group 101)  || url,abuse.ch || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC
        2501724 || ET COMPROMISED Known Compromised or Hostile Host Traffic (863) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2804639 || ETPRO DELETED Flashback Mac Malware Twitter CnC Request for March 2012 || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/
        2804758 || ETPRO CURRENT_EVENTS OSX/Flashback.K/I reporting successful infection || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2804759 || ETPRO TROJAN OSX/Flashback.K/I reporting successful infection 2 || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2804760 || ETPRO TROJAN OSX/Flashback.K/I reporting failed infection || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2804761 || ETPRO TROJAN OSX/Flashback.K first execution checkin || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2804762 || ETPRO TROJAN OSX/Flashback.K/I User-Agent || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml


Removed:
        2014333 || ET CURRENT_EVENTS MAC/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/
        2520166 || ET TOR Known Tor Exit Node Traffic (84) || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2804639 || ETPRO TROJAN Flashback Mac Malware Twitter CnC Request for March 2012 || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/





----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
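The "DNS Query to a *.<zone> Dynamic DNS Domain" and "HTTP Request to a *.<zone> Dynamic DNS Domain" pairs above (sids 2014478 through 2014511) each flag host names under one dynamic DNS zone, once on the DNS lookup and once on the HTTP Host header. The following is an added example, not ET's rule content and not part of the original post: an offline check in Python that applies the same zone list to a few constructed DNS and proxy log lines. The zone list is copied from the rule names in this update; the log format, the log lines and every function name are assumptions made for the example. The one detail worth getting right, and the reason for the example, is that the match has to sit on a label boundary: `host.4irc.com` is a hit, `not4irc.com` and `4irc.com.example.net` are not, and the bare zone apex is not a `*.<zone>` host name.

```python
# Added example (not ET rule content, not part of the original post).
# Mirrors the "*.<zone> Dynamic DNS Domain" signatures: flag DNS queries
# and HTTP Host headers whose name falls under one of the listed zones.
import re
from typing import List, Optional, Tuple

# Dynamic DNS zones named in sids 2014478-2014511 of this update.
DYNDNS_ZONES = (
    "3d-game.com", "4irc.com", "b0ne.com", "bbsindex.com", "chatnook.com",
    "darktech.org", "deaftone.com", "dtdns.net", "effers.com", "etowns.net",
    "etowns.org", "flnet.org", "gotgeeks.com", "scieron.com", "slyip.com",
    "slyip.net", "suroot.com",
)

# Constructed sample logs (assumed format: ts client query qtype qname).
DNS_LOG = """\
2012-04-05T12:01:03Z 10.1.1.5 query A update.dtdns.net.
2012-04-05T12:01:04Z 10.1.1.5 query A www.example.com.
2012-04-05T12:01:09Z 10.1.1.7 query A notslyip.com.
2012-04-05T12:01:12Z 10.1.1.9 query TXT c2.slyip.net
"""
# Constructed sample proxy log (assumed format: ts client method url).
HTTP_LOG = """\
2012-04-05T12:02:00Z 10.1.1.5 GET http://node1.b0ne.com:8080/gate.php
2012-04-05T12:02:03Z 10.1.1.6 GET http://www.example.com/index.html
2012-04-05T12:02:07Z 10.1.1.8 POST http://4irc.com.example.net/x
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
HTTP_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/]+)")

Hit = Tuple[str, str, str, str]  # (client, source, host name, zone)


def normalize_name(name: str) -> str:
    """Lower-case, drop a trailing root dot, and strip a :port suffix."""
    name = name.strip().lower().rstrip(".")
    if ":" in name and not name.startswith("["):
        name = name.split(":", 1)[0]  # Host headers may carry a port
    return name


def matching_zone(name: str) -> Optional[str]:
    """Return the dynamic DNS zone `name` is a subdomain of, or None.

    Matches on a label boundary only: "host.4irc.com" -> "4irc.com", but
    "not4irc.com", "4irc.com.example.net" and the bare apex "4irc.com" -> None,
    matching the *.<zone> intent of the signatures.
    """
    name = normalize_name(name)
    for zone in DYNDNS_ZONES:
        if name.endswith("." + zone):
            return zone
    return None


def scan_dns(lines) -> List[Hit]:
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        _ts, client, _qtype, qname = m.groups()
        zone = matching_zone(qname)
        if zone:
            hits.append((client, "dns", normalize_name(qname), zone))
    return hits


def scan_http(lines) -> List[Hit]:
    hits = []
    for line in lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        _ts, client, _method, host = m.groups()
        zone = matching_zone(host)
        if zone:
            hits.append((client, "http", normalize_name(host), zone))
    return hits


def scan_all() -> List[Hit]:
    """Run both scanners over the constructed sample logs."""
    return scan_dns(DNS_LOG.splitlines()) + scan_http(HTTP_LOG.splitlines())


if __name__ == "__main__":
    for client, source, host, zone in scan_all():
        print(f"{client} {source} {host} -> *.{zone}")
```

Treat these as policy-grade signals, as the CURRENT_EVENTS classification suggests: dynamic DNS zones are also used legitimately, so a hit is a pivot for investigation (which client, how often, what came back), not a block on its own.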