[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Tue Apr 8 17:00:11 EDT 2008


[***] Results from Oinkmaster started Tue Apr  8 17:00:11 2008 [***]

[+++]          Added rules:          [+++]

 2008103 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound (bleeding.rules)
 2008104 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound (bleeding.rules)
 2008105 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound (bleeding.rules)
 2008106 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound (bleeding.rules)
 2008107 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound (bleeding.rules)
 2008108 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound (bleeding.rules)
 2008109 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound (bleeding.rules)
 2008110 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound (bleeding.rules)
 2008111 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe) (bleeding.rules)
 2008112 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodex8.exe) (bleeding.rules)


[///]     Modified active rules:     [///]

 2008014 - ET CURRENT_EVENTS Suspicious Download (drv32.data) (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (18):
        2008103 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008104 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008105 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008106 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008107 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008108 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008109 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008110 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008111 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe)
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodex8.exe)
        2400001 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400002 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400003 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400004 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401001 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401002 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401003 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401004 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

     -> Added to bleeding-sid-msg.map.txt (18):
        2008103 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008104 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008105 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008106 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008107 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008108 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008109 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008110 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008111 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe)
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodex8.exe)
        2400001 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400002 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400003 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400004 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401001 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401002 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401003 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401004 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

     -> Added to bleeding.rules (2):
        #this really isn't Kraken, appears to really be bobax, but reported as kraken.
        #These sigs are a first attempt, hopefully this will improve
