[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335...
Sat Apr 12 19:00:10 EDT 2008


[***] Results from Oinkmaster started Sat Apr 12 19:00:10 2008 [***]

[+++]          Added rules:          [+++]

 2008103 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound (bleeding.rules)
 2008104 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound (bleeding.rules)
 2008105 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound (bleeding.rules)
 2008106 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound (bleeding.rules)
 2008107 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound (bleeding.rules)
 2008108 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound (bleeding.rules)
 2008109 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound (bleeding.rules)
 2008110 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound (bleeding.rules)
 2008111 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe) (bleeding.rules)
 2008112 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe) (bleeding.rules)
 2008113 - ET POLICY Tor Get Server Request (bleeding-policy.rules)
 2008115 - ET POLICY Tor Get Status Request (bleeding-policy.rules)
 2008116 - ET POLICY Outbound TFTP Write Request (bleeding-policy.rules)
 2008117 - ET POLICY Outbound TFTP Data Transfer (bleeding-policy.rules)
 2008118 - ET POLICY Outbound TFTP ACK (bleeding-policy.rules)
 2008119 - ET POLICY Outbound TFTP Error Message (bleeding-policy.rules)
 2008120 - ET POLICY Outbound TFTP Read Request (bleeding-policy.rules)
 2008121 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id) (bleeding.rules)
 2008122 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id) (bleeding.rules)
 2008123 - ET TROJAN Likely Bot Username in IRC (XP-..) (bleeding-virus.rules)
 2008124 - ET TROJAN Likely Bot Nick in IRC (USA +..) (bleeding-virus.rules)
 2008125 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no brackets) (bleeding.rules)
 2008126 - ET WEB IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method (bleeding-web.rules)
 2008127 - ET WEB Data Dynamics  ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods (bleeding-web.rules)
 2008128 - ET WEB Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit (bleeding-web.rules)
 2008129 - ET WEB LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite (bleeding-web.rules)


[///]     Modified active rules:     [///]

 2001016 - ET MALWARE SideStep Bar Install (bleeding-malware.rules)
 2001017 - ET MALWARE SideStep Bar Reporting Data (bleeding-malware.rules)
 2002821 - ET MALWARE SideStep Bar Reporting Data (sbstart) (bleeding-malware.rules)
 2002950 - ET POLICY TOR 1.0 Server Key Retrieval (bleeding-policy.rules)
 2002951 - ET POLICY TOR 1.0 Status Update (bleeding-policy.rules)
 2002952 - ET POLICY TOR 1.0 Inbound Circuit Traffic (bleeding-policy.rules)
 2002953 - ET POLICY TOR 1.0 Outbound Circuit Traffic (bleeding-policy.rules)
 2008014 - ET CURRENT_EVENTS Suspicious Download (drv32.data) (bleeding.rules)
 2008100 - ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download (bleeding-virus.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (bleeding-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (bleeding-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (bleeding-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (bleeding-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (bleeding-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (bleeding-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (bleeding-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (bleeding-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (bleeding-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (bleeding-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (bleeding-botcc.rules)
 2404020 - ET DROP Known Bot C&C Server Traffic (group 21)  (bleeding-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]  Disabled and modified rules:  [---]

 2008074 - ET TROJAN Banload User-Agent Detected (WebUpdate) (bleeding-virus.rules)


[---]         Removed rules:         [---]

 2001018 - ET MALWARE SideStep Bar Activity (bleeding-malware.rules)
 2001019 - ET MALWARE SideStep Bar Autoupdate (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (2):
        #  VERSION 1131
        #  Generated 2008-04-11 01:03:02 EDT

     -> Added to bleeding-drop.rules (2):
        #  VERSION 1131
        #  Generated 2008-04-11 01:03:02 EDT

     -> Added to bleeding-policy.rules (2):
        #by Nathaniel Richmond
        #by Nathaniel Richmond

     -> Added to bleeding-sid-msg.map (26):
        2008103 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008104 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008105 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008106 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008107 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008108 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008109 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008110 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008111 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe)
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe)
        2008113 || ET POLICY Tor Get Server Request || url,tor.eff.org
        2008115 || ET POLICY Tor Get Status Request || url,tor.eff.org
        2008116 || ET POLICY Outbound TFTP Write Request
        2008117 || ET POLICY Outbound TFTP Data Transfer
        2008118 || ET POLICY Outbound TFTP ACK
        2008119 || ET POLICY Outbound TFTP Error Message
        2008120 || ET POLICY Outbound TFTP Read Request
        2008121 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)
        2008122 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)
        2008123 || ET TROJAN Likely Bot Username in IRC (XP-..)
        2008124 || ET TROJAN Likely Bot Nick in IRC (USA +..)
        2008125 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no brackets)
        2008126 || ET WEB IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416
        2008127 || ET WEB Data Dynamics  ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959
        2008128 || ET WEB Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662
        2008129 || ET WEB LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html

     -> Added to bleeding-sid-msg.map.txt (26):
        2008103 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008104 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008105 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008106 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008107 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008108 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008109 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008110 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008111 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe)
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe)
        2008113 || ET POLICY Tor Get Server Request || url,tor.eff.org
        2008115 || ET POLICY Tor Get Status Request || url,tor.eff.org
        2008116 || ET POLICY Outbound TFTP Write Request
        2008117 || ET POLICY Outbound TFTP Data Transfer
        2008118 || ET POLICY Outbound TFTP ACK
        2008119 || ET POLICY Outbound TFTP Error Message
        2008120 || ET POLICY Outbound TFTP Read Request
        2008121 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)
        2008122 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)
        2008123 || ET TROJAN Likely Bot Username in IRC (XP-..)
        2008124 || ET TROJAN Likely Bot Nick in IRC (USA +..)
        2008125 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no brackets)
        2008126 || ET WEB IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416
        2008127 || ET WEB Data Dynamics  ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959
        2008128 || ET WEB Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662
        2008129 || ET WEB LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html

     -> Added to bleeding-virus.rules (2):
        #Disabling, hits on a few legit apps
        #by Greg Bowser

     -> Added to bleeding-web.rules (4):
        #by Chandan at Stillsecure
        #by Chandan at Stillsecure
        #by chandan at stillsecure
        #by chandan at Stillsecure

     -> Added to bleeding.rules (5):
        #data from Joe Stewart at Secureworks. Sigs by matt jonkman
        # bobax has some unusual fake header characteristics in it's spam.
        # This ought to help ID inbound spam and thus infected hosts.
        #this really isn't Kraken, appears to really be bobax, but reported as kraken.
        #These sigs are a first attempt, hopefully this will improve

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (2):
        #  VERSION 1108
        #  Generated 2008-04-04 01:03:02 EDT

     -> Removed from bleeding-drop.rules (2):
        #  VERSION 1108
        #  Generated 2008-04-04 01:03:02 EDT

     -> Removed from bleeding-sid-msg.map (2):
        2001018 || ET MALWARE SideStep Bar Activity || url,www.spyany.com/program/article_spw_rm_SideStep.html || url,www.sidestep.com
        2001019 || ET MALWARE SideStep Bar Autoupdate || url,www.spyany.com/program/article_spw_rm_SideStep.html || url,www.sidestep.com

     -> Removed from bleeding-sid-msg.map.txt (2):
        2001018 || ET MALWARE SideStep Bar Activity || url,www.spyany.com/program/article_spw_rm_SideStep.html || url,www.sidestep.com
        2001019 || ET MALWARE SideStep Bar Autoupdate || url,www.spyany.com/program/article_spw_rm_SideStep.html || url,www.sidestep.com
