[Emerging-updates] [Emerging-Sigs] Daily Ruleset Update Summary 2016/08/02

Will Metcalf wmetcalf at emergingthreatspro.com
Wed Aug 3 18:56:17 EDT 2016


We will move this to a proper sid range.

Regards,

Will

On Wed, Aug 3, 2016 at 2:00 PM, Scott Rose <SRose at jackhenry.com> wrote:

> Not sure when this sig was released, but the SID is too large for
> SourceFire, could this be a mistake?
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:100000428; rev:3;)
>
> *Scott Rose* | Network Security Engineer | SFCP, Security+,  C|EH, GCIA | Cyber Security Services
> Jack Henry & Associates, Inc.® | 2135 E. Primrose St. | Springfield, MO 65809 | Ph. 417.235.6652
>
> *From:* emerging-sigs-bounces at lists.emergingthreats.net [mailto:emerging-sigs-bounces at lists.emergingthreats.net] *On Behalf Of *Francis Trudeau
> *Sent:* Tuesday, August 2, 2016 6:31 PM
> *To:* Emerging Sigs <emerging-sigs at emergingthreats.net>; Emerging-updates redirect <emerging-updates at emergingthreats.net>; ETPro-sigs List <etpro-sigs at emergingthreatspro.com>
> *Subject:* [Emerging-Sigs] Daily Ruleset Update Summary 2016/08/02
>
>
>  [***] Summary: [***]
>
>  16 new Open sigs, 53 new Pro (16 + 37).  Cool.
>
>  [+++]          Added rules:          [+++]
>
>  Open:
>
>   2022999 - ET TROJAN ABUSE.CH Ransomware Domain Detected (trojan.rules)
>   2023000 - ET TROJAN ABUSE.CH Ransomware Domain Detected (trojan.rules)
>   2023001 - ET TROJAN ABUSE.CH Ransomware Domain Detected (trojan.rules)
>   2023002 - ET TROJAN ABUSE.CH Ransomware Domain Detected (trojan.rules)
>   2023003 - ET TROJAN ABUSE.CH Ransomware Domain Detected (trojan.rules)
>   2023004 - ET TROJAN ABUSE.CH Ransomware Domain Detected (trojan.rules)
>   2023005 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC) (trojan.rules)
>   2023006 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (trojan.rules)
>   2023007 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (trojan.rules)
>   2023008 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (trojan.rules)
>   2023009 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
>   2023010 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (trojan.rules)
>   2023011 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC) (trojan.rules)
>   2023012 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (trojan.rules)
>   2023013 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC) (trojan.rules)
>   2023014 - ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016 (web_client.rules)
>
>  Pro:
>
>   2821412 - ETPRO TROJAN PoisonIvy Keepalive to CnC 454 (trojan.rules)
>   2821413 - ETPRO TROJAN PoisonIvy Keepalive to CnC 455 (trojan.rules)
>   2821414 - ETPRO TROJAN PoisonIvy Keepalive to CnC 456 (trojan.rules)
>   2821415 - ETPRO TROJAN PoisonIvy Keepalive to CnC 457 (trojan.rules)
>   2821416 - ETPRO TROJAN PoisonIvy Keepalive to CnC 458 (trojan.rules)
>   2821417 - ETPRO TROJAN PoisonIvy Keepalive to CnC 459 (trojan.rules)
>   2821418 - ETPRO TROJAN PoisonIvy Keepalive to CnC 460 (trojan.rules)
>   2821419 - ETPRO TROJAN PoisonIvy Keepalive to CnC 461 (trojan.rules)
>   2821420 - ETPRO TROJAN PoisonIvy Keepalive to CnC 462 (trojan.rules)
>   2821421 - ETPRO TROJAN PoisonIvy Keepalive to CnC 463 (trojan.rules)
>   2821422 - ETPRO TROJAN Win32.Phorpiex.A EXE Download (trojan.rules)
>   2821423 - ETPRO MOBILE_MALWARE Android.Trojan.AndroRAT.P Checkin (mobile_malware.rules)
>   2821424 - ETPRO TROJAN Win32/Daserf CnC Beacon 1 (trojan.rules)
>   2821425 - ETPRO TROJAN Win32/Daserf CnC Beacon 2 (trojan.rules)
>   2821426 - ETPRO TROJAN Win32/Daserf CnC Beacon 3 (trojan.rules)
>   2821427 - ETPRO POLICY DNS Query to .onion proxy Domain (0npzm6.top) (policy.rules)
>   2821428 - ETPRO POLICY DNS Query to .onion proxy Domain (0vgu64.top) (policy.rules)
>   2821429 - ETPRO POLICY DNS Query to .onion proxy Domain (143h2a.top) (policy.rules)
>   2821430 - ETPRO POLICY DNS Query to .onion proxy Domain (1bipa9.top) (policy.rules)
>   2821431 - ETPRO POLICY DNS Query to .onion proxy Domain (1de02r.top) (policy.rules)
>   2821432 - ETPRO POLICY DNS Query to .onion proxy Domain (1o49wi.top) (policy.rules)
>   2821433 - ETPRO POLICY DNS Query to .onion proxy Domain (2agglf.top) (policy.rules)
>   2821434 - ETPRO POLICY DNS Query to .onion proxy Domain (308an1.top) (policy.rules)
>   2821435 - ETPRO POLICY DNS Query to .onion proxy Domain (36xxk1.top) (policy.rules)
>   2821436 - ETPRO POLICY DNS Query to .onion proxy Domain (3di24a.top) (policy.rules)
>   2821437 - ETPRO POLICY DNS Query to .onion proxy Domain (3odvfb.top) (policy.rules)
>   2821438 - ETPRO POLICY DNS Query to .onion proxy Domain (43wjor.top) (policy.rules)
>   2821439 - ETPRO POLICY DNS Query to .onion proxy Domain (4ynpjd.top) (policy.rules)
>   2821440 - ETPRO POLICY DNS Query to .onion proxy Domain (62er3d.top) (policy.rules)
>   2821441 - ETPRO POLICY DNS Query to .onion proxy Domain (67j6ht.top) (policy.rules)
>   2821442 - ETPRO POLICY DNS Query to .onion proxy Domain (6ntrb6.top) (policy.rules)
>   2821443 - ETPRO POLICY DNS Query to .onion proxy Domain (7u8b59.top) (policy.rules)
>   2821444 - ETPRO POLICY DNS Query to .onion proxy Domain (a4coac.top) (policy.rules)
>   2821445 - ETPRO POLICY DNS Query to .onion proxy Domain (ageshere.club) (policy.rules)
>   2821446 - ETPRO POLICY DNS Query to .onion proxy Domain (anypicked.red) (policy.rules)
>   2821447 - ETPRO TROJAN PoisonIvy Keepalive to CnC 464 (trojan.rules)
>   2821449 - ETPRO TROJAN Possible Vawtrack DGA SSL Certificate (trojan.rules)
>
>  [///]     Modified active rules:     [///]
>
>   2803418 - ETPRO TROJAN Suspicious user agent(MERONG) (trojan.rules)
>   2819987 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Hqwar.q Checkin (mobile_malware.rules)
>   2820986 - ETPRO TROJAN Backdoor.Muirim CnC Beacon (trojan.rules)
>
>  [---]         Removed rules:         [---]
>
>   2821320 - ETPRO CURRENT_EVENTS ZeusSSL/Terdot.A/Zloader Malicious SSL Cert Observed (current_events.rules)
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
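Scott's question and Will's reply above turn on a rule-hygiene point: a signature's `sid` has to sit in a range that both the rule set and the sensor importing it recognise, and the JBoss rule carries a nine-digit SID outside any of the usual allocations. The following is an added example, not code from the thread or from Emerging Threats: a small Snort/Suricata rule parser that tokenises the option body correctly (semicolons and colons inside quoted `msg`/`content` values are respected) and then classifies each rule's SID against an allocation table. The table is an assumption of this example (the ET Open 2000000-2099999 and ETPRO 2800000-2899999 ranges match the IDs in the summary above; the Snort local-rule range is conventional), as is the second sample rule, which is constructed purely to show an in-range result.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the rule quoted in the thread (sid:100000428) and a
# made-up second rule carrying an ET Open SID from the same summary, so the
# checker produces both an "unallocated" and an "et-open" result.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC '
    'JBoss RMI class download service directory listing attempt"; '
    'flow:to_server,established; content:"GET %. HTTP/1."; '
    'reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; '
    'classtype:web-application-attack; sid:100000428; rev:3;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED EXAMPLE; '
    'in-range ET Open rule"; content:"example|3b| value"; sid:2023014; rev:1;)',
]

# Assumed allocation table (not from the thread): the ranges ET publishes for its
# Open and Pro sets plus the conventional Snort local-rule range.  Adjust it to
# whatever your sensor and rule vendor actually accept.
SID_RANGES: Dict[str, Tuple[int, int]] = {
    "snort-local": (1_000_000, 1_999_999),
    "et-open": (2_000_000, 2_099_999),
    "et-pro": (2_800_000, 2_899_999),
}

_HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split a rule option body on ';' characters that sit outside double quotes.

    Quoted values (msg, content, pcre) may legitimately contain ';' or ':', so a
    plain str.split would corrupt them; backslash escapes inside quotes are
    honoured the way the rule language does.
    """
    items: List[str] = []
    buf: List[str] = []
    in_quote = escape = False
    for ch in body:
        if escape:
            buf.append(ch)
            escape = False
        elif in_quote and ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == ";" and not in_quote:
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            if ch == '"':
                in_quote = not in_quote
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)

    parsed: List[Tuple[str, Optional[str]]] = []
    for item in items:
        key, sep, val = item.partition(":")
        val = val.strip()
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]  # drop the surrounding quotes, keep inner text verbatim
        parsed.append((key.strip(), val if sep else None))
    return parsed


def parse_rule(text: str) -> Dict:
    """Parse one rule into header fields, options and numeric sid/rev."""
    text = text.strip()
    open_idx, close_idx = text.find("("), text.rfind(")")
    if open_idx < 0 or close_idx < open_idx:
        raise ValueError("rule has no option body")
    header = text[:open_idx].split()
    if len(header) != len(_HEADER_FIELDS):
        raise ValueError(f"unexpected header layout: {header}")
    opts = split_options(text[open_idx + 1:close_idx])
    first: Dict[str, Optional[str]] = {}
    for key, val in opts:
        first.setdefault(key, val)  # keep the first occurrence; 'content' may repeat
    sid = int(first["sid"]) if first.get("sid") else None
    rev = int(first["rev"]) if first.get("rev") else None
    return {"header": dict(zip(_HEADER_FIELDS, header)), "options": first,
            "all_options": opts, "sid": sid, "rev": rev}


def classify_sid(sid: Optional[int]) -> str:
    """Name the allocation range a sid belongs to, or flag why it is unusable."""
    if sid is None:
        return "missing"
    if not 0 < sid <= 0xFFFFFFFF:  # the rule language stores sid as an unsigned 32-bit int
        return "invalid"
    for name, (lo, hi) in SID_RANGES.items():
        if lo <= sid <= hi:
            return name
    return "unallocated"


def audit(rules: List[str]) -> List[Tuple[Optional[int], str, str]]:
    """Return (sid, msg, status) per rule; any status not naming a range needs attention."""
    return [(r["sid"], r["options"].get("msg") or "", classify_sid(r["sid"]))
            for r in map(parse_rule, rules)]


if __name__ == "__main__":
    for sid, msg, status in audit(SAMPLE_RULES):
        print(f"{status:12} sid:{sid} {msg}")
```

Run against the two samples, the JBoss rule is reported as `unallocated` and the constructed rule as `et-open`; a rule with a missing or out-of-range `sid` is reported as `missing` or `invalid` rather than silently accepted, which is the check worth running before a ruleset update is pushed to sensors that reject SIDs outside their configured ranges.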