[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Thu Apr 3 17:00:11 EDT 2008


[***] Results from Oinkmaster started Thu Apr  3 17:00:11 2008 [***]

[+++]          Added rules:          [+++]

 2008086 - ET TROJAN Daemonize.ft HTTP Checkin (bleeding-virus.rules)
 2008087 - ET TROJAN Downloader.VB.CEJ HTTP Checkin (bleeding-virus.rules)
 2008088 - ET TROJAN Lolabel Related User-Agent (ProxyDown) (bleeding-virus.rules)
 2008089 - ET TROJAN LDPinch Checkin (7) (bleeding-virus.rules)
 2008090 - ET TROJAN Delf Checkin via HTTP (7) (bleeding-virus.rules)
 2008091 - ET TROJAN LDPinch Checkin (8) (bleeding-virus.rules)
 2008092 - ET SCAN Internal to Internal UPnP Request tcp port 2555 (bleeding-scan.rules)
 2008093 - ET SCAN External to Internal UPnP Request tcp port 2555 (bleeding-scan.rules)
 2008094 - ET SCAN External to Internal UPnP Request udp port 1900 (bleeding-scan.rules)
 2008095 - ET TROJAN LDPinch Checkin (9) (bleeding-virus.rules)
 2008096 - ET MALWARE Suspicious User-Agent (INSTALLER) (bleeding-malware.rules)
 2008097 - ET MALWARE Suspicious User-Agent (IEMGR) (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2007854 - ET MALWARE Suspicious User Agent - Possible Spyware Related (Mozilla) (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #re 3770f50ed1ead924f42f787b462cdb2b, no name yet

     -> Added to bleeding-scan.rules (4):
        #by matt jonkman
        #intended to catch internal hosts doing upnp requests that maybe shouldn't be
        #and external hosts making internal requests.
        #have seen some malware samples looking for upnp hosts

     -> Added to bleeding-sid-msg.map (21):
        2007854 || ET MALWARE Suspicious User Agent - Possible Spyware Related (Mozilla)
        2008086 || ET TROJAN Daemonize.ft HTTP Checkin
        2008087 || ET TROJAN Downloader.VB.CEJ HTTP Checkin
        2008088 || ET TROJAN Lolabel Related User-Agent (ProxyDown)
        2008089 || ET TROJAN LDPinch Checkin (7)
        2008090 || ET TROJAN Delf Checkin via HTTP (7)
        2008091 || ET TROJAN LDPinch Checkin (8)
        2008092 || ET SCAN Internal to Internal UPnP Request tcp port 2555 || url,www.upnp-hacks.org/upnp.html
        2008093 || ET SCAN External to Internal UPnP Request tcp port 2555 || url,www.upnp-hacks.org/upnp.html
        2008094 || ET SCAN External to Internal UPnP Request udp port 1900 || url,www.upnp-hacks.org/upnp.html
        2008095 || ET TROJAN LDPinch Checkin (9)
        2008096 || ET MALWARE Suspicious User-Agent (INSTALLER)
        2008097 || ET MALWARE Suspicious User-Agent (IEMGR)
        2400001 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400002 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400003 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400004 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401001 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401002 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401003 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401004 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

     -> Added to bleeding-sid-msg.map.txt (21):
        2007854 || ET MALWARE Suspicious User Agent - Possible Spyware Related (Mozilla)
        2008086 || ET TROJAN Daemonize.ft HTTP Checkin
        2008087 || ET TROJAN Downloader.VB.CEJ HTTP Checkin
        2008088 || ET TROJAN Lolabel Related User-Agent (ProxyDown)
        2008089 || ET TROJAN LDPinch Checkin (7)
        2008090 || ET TROJAN Delf Checkin via HTTP (7)
        2008091 || ET TROJAN LDPinch Checkin (8)
        2008092 || ET SCAN Internal to Internal UPnP Request tcp port 2555 || url,www.upnp-hacks.org/upnp.html
        2008093 || ET SCAN External to Internal UPnP Request tcp port 2555 || url,www.upnp-hacks.org/upnp.html
        2008094 || ET SCAN External to Internal UPnP Request udp port 1900 || url,www.upnp-hacks.org/upnp.html
        2008095 || ET TROJAN LDPinch Checkin (9)
        2008096 || ET MALWARE Suspicious User-Agent (INSTALLER)
        2008097 || ET MALWARE Suspicious User-Agent (IEMGR)
        2400001 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400002 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400003 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400004 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401001 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401002 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401003 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401004 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2007854 || ET MALWARE Suspicious User Agent - Possible Playmp3z or other Spyware Related (Mozilla)

     -> Removed from bleeding-sid-msg.map.txt (1):
        2007854 || ET MALWARE Suspicious User Agent - Possible Playmp3z or other Spyware Related (Mozilla)
