[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Wed Apr 9 17:00:11 EDT 2008


[***] Results from Oinkmaster started Wed Apr  9 17:00:11 2008 [***]

[+++]          Added rules:          [+++]

 2008113 - ET POLICY Tor Get Server Request (bleeding-policy.rules)
 2008115 - ET POLICY Tor Get Status Request (bleeding-policy.rules)
 2008116 - ET POLICY Outbound TFTP Write Request (bleeding-policy.rules)
 2008117 - ET POLICY Outbound TFTP Data Transfer (bleeding-policy.rules)
 2008118 - ET POLICY Outbound TFTP ACK (bleeding-policy.rules)
 2008119 - ET POLICY Outbound TFTP Error Message (bleeding-policy.rules)
 2008120 - ET POLICY Outbound TFTP Read Request (bleeding-policy.rules)
 2008121 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id) (bleeding.rules)
 2008122 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id) (bleeding.rules)
 2008123 - ET TROJAN Likely Bot Username in IRC (XP-..) (bleeding-virus.rules)
 2008124 - ET TROJAN Likely Bot Nick in IRC (USA +..) (bleeding-virus.rules)
 2008125 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no brackets) (bleeding.rules)


[///]     Modified active rules:     [///]

 2002950 - ET POLICY TOR 1.0 Server Key Retrieval (bleeding-policy.rules)
 2002951 - ET POLICY TOR 1.0 Status Update (bleeding-policy.rules)
 2002952 - ET POLICY TOR 1.0 Inbound Circuit Traffic (bleeding-policy.rules)
 2002953 - ET POLICY TOR 1.0 Outbound Circuit Traffic (bleeding-policy.rules)
 2008112 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe) (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (2):
        #by Nathaniel Richmond
        #by Nathaniel Richmond

     -> Added to bleeding-sid-msg.map (13):
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe)
        2008113 || ET POLICY Tor Get Server Request || url,tor.eff.org
        2008115 || ET POLICY Tor Get Status Request || url,tor.eff.org
        2008116 || ET POLICY Outbound TFTP Write Request
        2008117 || ET POLICY Outbound TFTP Data Transfer
        2008118 || ET POLICY Outbound TFTP ACK
        2008119 || ET POLICY Outbound TFTP Error Message
        2008120 || ET POLICY Outbound TFTP Read Request
        2008121 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)
        2008122 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)
        2008123 || ET TROJAN Likely Bot Username in IRC (XP-..)
        2008124 || ET TROJAN Likely Bot Nick in IRC (USA +..)
        2008125 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no brackets)

     -> Added to bleeding-sid-msg.map.txt (13):
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe)
        2008113 || ET POLICY Tor Get Server Request || url,tor.eff.org
        2008115 || ET POLICY Tor Get Status Request || url,tor.eff.org
        2008116 || ET POLICY Outbound TFTP Write Request
        2008117 || ET POLICY Outbound TFTP Data Transfer
        2008118 || ET POLICY Outbound TFTP ACK
        2008119 || ET POLICY Outbound TFTP Error Message
        2008120 || ET POLICY Outbound TFTP Read Request
        2008121 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)
        2008122 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)
        2008123 || ET TROJAN Likely Bot Username in IRC (XP-..)
        2008124 || ET TROJAN Likely Bot Nick in IRC (USA +..)
        2008125 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no brackets)

     -> Added to bleeding-virus.rules (1):
        #by Greg Bowser

     -> Added to bleeding.rules (3):
        #data from Joe Stewart at Secureworks. Sigs by matt jonkman
        # bobax has some unusual fake header characteristics in it's spam.
        # This ought to help ID inbound spam and thus infected hosts.

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (3):
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodex8.exe)
        2404021 || ET DROP Known Bot C&C Server Traffic (group 22)  || url,www.shadowserver.org
        2405021 || ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Removed from bleeding-sid-msg.map.txt (3):
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodex8.exe)
        2404021 || ET DROP Known Bot C&C Server Traffic (group 22)  || url,www.shadowserver.org
        2405021 || ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE || url,www.shadowserver.org




