[Emerging-updates] Daily Ruleset Update Summary 08/21/2014

Will Metcalf wmetcalf at emergingthreatspro.com
Thu Aug 21 23:28:35 EDT 2014


Fix is live. Sorry for the trouble.

Regards,

Will


On Thu, Aug 21, 2014 at 8:51 PM, Keith Butler <
emergingthreats at netoffense.com> wrote:

> SID 2018984 needs a ‘U’ added to the pcre modifier.  It’s failing due to
> the preceding match being constrained to the http_uri:
>
> 22/8/2014 -- 01:28:51 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - pcre with /R (relative) needs preceeding match in the same buffer
> 22/8/2014 -- 01:28:51 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any
> (msg:"ET TROJAN PlugX variant"; flow:to_server,established; content:"GET";
> http_method; content:"/p/"; depth:3; http_uri;
> pcre:"/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/R";
> content:"code.google.com"; fast_pattern:only; http_header;
> content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|";
> http_header; content:!"Connection|3a 20|"; http_header; threshold: type
> both, count 1, seconds 30, track by_src;
> reference:md5,e2a4b96cce9de4fb126cfd5f5c73c3ed; reference:url,
> researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/;
> reference:url,
> www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html;
> classtype:trojan-activity; sid:2018984; rev:3;)" from file
> /etc/suricata/rules/suricata.rules at line 13796
>
>
> It loads successfully after changing:
> FROM:
>  pcre:"/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/R
> TO:
>  pcre:"/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/UR
>
> -kb
>
> On Aug 21, 2014, at 10:25 PM, Francis Trudeau <
> ftrudeau at emergingthreats.net> wrote:
>
> > [***] Summary: [***]
> >
> > 9 Open signatures, 21 Pro (9+13).  OneLouder, Machete, Various
> > Android, SillyFDC.
> >
> > Thanks:  @jaimeblascob, @EKWatcher and Nathan Fowler.
> >
> > [+++]          Added rules:          [+++]
> >
> >  Open:
> >
> >  2018976 - ET MALWARE Hoic.zip retrieval (malware.rules)
> >  2018977 - ET MALWARE HOIC with booster outbound (malware.rules)
> >  2018978 - ET WEB_SERVER HOIC with booster inbound (web_server.rules)
> >  2018979 - ET TROJAN Miras C2 Activity (trojan.rules)
> >  2018980 - ET TROJAN Machete FTP activity (trojan.rules)
> >  2018981 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
> > (current_events.rules)
> >  2018982 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
> > exe download (current_events.rules)
> >  2018983 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
> > (current_events.rules)
> >  2018984 - ET TROJAN PlugX variant (trojan.rules)
> >
> >  Pro:
> >
> >  2808599 - ETPRO TROJAN Win32/Bancos.DI HTTP callback (trojan.rules)
> >  2808600 - ETPRO TROJAN Backdoor.Perl.Shellbot.B IRC Checkin
> (trojan.rules)
> >  2808601 - ETPRO TROJAN Win32/Qhost.PGZ Checkin (trojan.rules)
> >  2808602 - ETPRO MOBILE_MALWARE Android/Crosate.N Checkin
> > (mobile_malware.rules)
> >  2808603 - ETPRO TROJAN Worm.Win32.SillyFDC Checkin (trojan.rules)
> >  2808604 - ETPRO TROJAN W32.Virut IRC checkin (trojan.rules)
> >  2808605 - ETPRO TROJAN Rogue.Win32/Defru Checkin (trojan.rules)
> >  2808606 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Wirec.a Checkin
> > (mobile_malware.rules)
> >  2808607 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Wirec.a Checkin 2
> > (mobile_malware.rules)
> >  2808608 - ETPRO MOBILE_MALWARE Android.Riskware.SMSPay.AO Checkin 3
> > (mobile_malware.rules)
> >  2808609 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 4
> > (mobile_malware.rules)
> >  2808610 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 5
> > (mobile_malware.rules)
> >  2808611 - ETPRO TROJAN Win32/Spy.Usteal.C Checkin (trojan.rules)
> >
> >
> > [///]     Modified active rules:     [///]
> >
> >  2006445 - ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
> > (web_server.rules)
> >  2008411 - ET TROJAN LDPinch SMTP Password Report with mail client
> > The Bat! (trojan.rules)
> >  2009521 - ET TROJAN Win32/Nubjub.A HTTP Check-in  (trojan.rules)
> >  2009833 - ET SCAN WITOOL SQL Injection Scan (scan.rules)
> >  2010953 - ET SCAN Skipfish Web Application Scan Detected (scan.rules)
> >  2011894 - ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin (trojan.rules)
> >  2016913 - ET TROJAN Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin
> > (sending user info) (trojan.rules)
> >  2802121 - ETPRO WORM Worm.Win32.Cospet.A Checkin (worm.rules)
> >  2802830 - ETPRO TROJAN Win32.Banksun.A Checkin (trojan.rules)
> >  2803129 - ETPRO TROJAN Palevo CnC Response (trojan.rules)
> >  2803669 - ETPRO SCADA Progea Movicon PowerHMI Memory Corruption
> > Negative Content Length (scada.rules)
> >  2805870 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Placms.F Checkin
> > (mobile_malware.rules)
> >  2807674 - ETPRO POLICY Primecoin (policy.rules)
> >
> >
> > [///]    Modified inactive rules:    [///]
> >
> >  2018537 - ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID
> > Overflow CVE-2014-3466 (web_client.rules)
> >
> >
> > [---]  Disabled and modified rules:  [---]
> >
> >  2016763 - ET SCAN Non-Malicious SSH/SSL Scanner on the run (scan.rules)
> >  2802971 - ETPRO TROJAN Killproc.5707/Generic Checkin Request 1
> (trojan.rules)
> >  2803088 - ETPRO DNS Bracket in DNS Query - Possible Covert Channel
> (dns.rules)
> >
> >
> > [---]         Disabled rules:        [---]
> >
> >  2014893 - ET SCAN critical.io Scan (scan.rules)
> > _______________________________________________
> > Emerging-updates mailing list
> > Emerging-updates at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
>
>
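A small rule linter, added here as an illustration and not code from Emerging Threats or the Suricata project, that catches the class of error Keith reported: it walks a rule's options in order, tracks which buffer the previous content keyword was moved into by its http_* modifier, and flags a pcre with /R whose own buffer flag (U, H, M, ...) points somewhere else. The buffer maps are a subset of Suricata's keywords, and the sample rule is the one quoted in the thread with its references trimmed.

```python
# Content modifiers that move the preceding content into an HTTP buffer, and the
# pcre flag letters that select the same buffer (a subset of Suricata's keywords).
CONTENT_MODIFIERS = {"http_uri": "uri", "http_header": "header", "http_method": "method",
                     "http_cookie": "cookie", "http_client_body": "client_body"}
PCRE_FLAGS = {"U": "uri", "H": "header", "M": "method", "C": "cookie", "P": "client_body"}

# Constructed from the rule quoted in the thread, with the reference options trimmed.
BROKEN_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX variant"; '
    'flow:to_server,established; content:"GET"; http_method; content:"/p/"; depth:3; http_uri; '
    'pcre:"/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/R"; '
    'content:"code.google.com"; fast_pattern:only; http_header; content:!"Referer|3a 20|"; http_header; '
    'classtype:trojan-activity; sid:2018984; rev:3;)'
)
# The fix from the thread: add U so the relative pcre also runs against the URI buffer.
FIXED_RULE = BROKEN_RULE.replace('/R";', '/UR";')


def split_options(rule):
    """Split a rule's option block on ';' outside double quotes, returning the options in order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in opts + [cur.strip()] if o]


def check_relative_pcre(rule):
    """Return a problem string for every pcre with /R whose buffer differs from the preceding match's."""
    problems, prev_buffer, has_prev = [], None, False
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key = key.strip()
        if key == "content":
            prev_buffer, has_prev = "payload", True   # an http_* modifier that follows retargets it
        elif key in CONTENT_MODIFIERS and has_prev:
            prev_buffer = CONTENT_MODIFIERS[key]
        elif key == "pcre":
            flags = val.strip().strip('"').rsplit("/", 1)[1]
            buf = next((PCRE_FLAGS[f] for f in flags if f in PCRE_FLAGS), "payload")
            if "R" in flags and not has_prev:
                problems.append("pcre with /R has no preceding match")
            elif "R" in flags and buf != prev_buffer:
                problems.append(f"pcre with /R is in {buf} but preceding match is in {prev_buffer}")
            prev_buffer, has_prev = buf, True
    return problems
```

Running `check_relative_pcre` over the two rules reproduces the thread: the original is rejected because the pcre runs on the raw payload while the preceding content was constrained to http_uri, and the /UR version passes.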