[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Sun Feb 3 17:00:09 EST 2008


[***] Results from Oinkmaster started Sun Feb  3 17:00:09 2008 [***]

[///]     Modified active rules:     [///]

 2000419 - ET POLICY PE EXE or DLL Windows file download (bleeding-policy.rules)
 2000427 - ET POLICY PE EXE Install Windows file download (bleeding-policy.rules)
 2000559 - ET WEB THCIISLame IIS SSL Exploit Attempt (bleeding-web.rules)
 2000575 - ET SCAN ICMP PING IPTools (bleeding-scan.rules)
 2001066 - ET TROJAN IE Ilookup Trojan (bleeding-virus.rules)
 2001595 - ET POLICY Skype VOIP Checking Version (Startup) (bleeding-policy.rules)
 2001596 - ET POLICY Skype VOIP Reporting Install (bleeding-policy.rules)
 2001609 - ET SCAN F5 BIG-IP 3DNS TCP Probe 1 (bleeding-scan.rules)
 2001610 - ET SCAN F5 BIG-IP 3DNS TCP Probe 2 (bleeding-scan.rules)
 2001611 - ET SCAN F5 BIG-IP 3DNS TCP Probe 3 (bleeding-scan.rules)
 2001682 - ET POLICY MSN IM Poll via HTTP (bleeding-policy.rules)
 2001812 - ET P2P KazaaClient P2P Traffic (bleeding-p2p.rules)
 2002376 - ET WEB IBM Lotus Domino BaseTarget XSS attempt (bleeding-web.rules)
 2002377 - ET WEB IBM Lotus Domino Src XSS attempt (bleeding-web.rules)
 2002730 - ET WEB PHPGedView Remote Script Code Execution attempt (bleeding-web.rules)
 2002861 - ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects (bleeding-exploit.rules)
 2002971 - ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption (bleeding-exploit.rules)
 2002973 - ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor (bleeding-scan.rules)
 2003475 - ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0) (bleeding-p2p.rules)
 2007639 - ET POLICY FOX,ABC On-demand UA (bleeding-policy.rules)
 2406005 - ET RBN Known Russian Business Network Monitored Domains (1) (bleeding-rbn.rules)
 2406006 - ET RBN Known Russian Business Network Monitored Domains (2) (bleeding-rbn.rules)
 2406007 - ET RBN Known Russian Business Network Monitored Domains (3) (bleeding-rbn.rules)
 2406008 - ET RBN Known Russian Business Network Monitored Domains (4) (bleeding-rbn.rules)
 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (bleeding-rbn-BLOCK.rules)
 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (bleeding-rbn-BLOCK.rules)
 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (bleeding-rbn-BLOCK.rules)
 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (bleeding-rbn-BLOCK.rules)


[///]    Modified inactive rules:    [///]

 2000418 - ET POLICY Executable and linking format (ELF) file download (bleeding-policy.rules)
 2000420 - ET POLICY REG files version 4 download (bleeding-policy.rules)
 2000421 - ET POLICY REG files version 5 download (bleeding-policy.rules)
 2000422 - ET POLICY REG files version 5 Unicode download (bleeding-policy.rules)
 2000423 - ET POLICY NE EXE OS2 file download (bleeding-policy.rules)
 2000424 - ET POLICY LX EXE OS2 file download (bleeding-policy.rules)
 2000425 - ET POLICY NE EXE Windows 3.x file download (bleeding-policy.rules)
 2000426 - ET POLICY EXE compressed PKWARE Windows file download (bleeding-policy.rules)
 2000428 - ET POLICY ZIP file download (bleeding-policy.rules)
 2000429 - ET POLICY Download Windows Help File CHM 2 (bleeding-policy.rules)
 2000489 - ET POLICY Download Windows Help File CHM (bleeding-policy.rules)
 2001114 - ET POLICY Mozilla XPI install files download (bleeding-policy.rules)
 2001115 - ET POLICY MSI (microsoft installer file) download (bleeding-policy.rules)
 2001449 - ET POLICY Proxy Connection detected (bleeding-policy.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-rbn-BLOCK.rules (2):
        #  VERSION 28
        #  Updated 2008-02-03 12:53:15

     -> Added to bleeding-rbn.rules (2):
        #  VERSION 28
        #  Updated 2008-02-03 12:53:15

     -> Added to bleeding-sid-msg.map (36):
        2000418 || ET POLICY Executable and linking format (ELF) file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000419 || ET POLICY PE EXE or DLL Windows file download
        2000420 || ET POLICY REG files version 4 download || url,www.ss64.com/nt/regedit.html
        2000421 || ET POLICY REG files version 5 download || url,www.ss64.com/nt/regedit.html
        2000422 || ET POLICY REG files version 5 Unicode download || url,www.ss64.com/nt/regedit.html
        2000423 || ET POLICY NE EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000424 || ET POLICY LX EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000425 || ET POLICY NE EXE Windows 3.x file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000426 || ET POLICY EXE compressed PKWARE Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
        2000427 || ET POLICY PE EXE Install Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
        2000428 || ET POLICY ZIP file download || url,zziplib.sourceforge.net/zzip-parse.print.html
        2000429 || ET POLICY Download Windows Help File CHM 2 || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html
        2000489 || ET POLICY Download Windows Help File CHM || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html
        2000559 || ET WEB THCIISLame IIS SSL Exploit Attempt || url,isc.sans.org/diary.php?date=2004-07-17 || url,www.thc.org/exploits/THCIISSLame.c
        2000575 || ET SCAN ICMP PING IPTools || url,www.ks-soft.net/ip-tools.eng/index.htm || url,www.ks-soft.net/ip-tools.eng
        2001066 || ET TROJAN IE Ilookup Trojan || url,62.131.86.111/analysis.htm
        2001114 || ET POLICY Mozilla XPI install files download
        2001115 || ET POLICY MSI (microsoft installer file) download
        2001449 || ET POLICY Proxy Connection detected
        2001595 || ET POLICY Skype VOIP Checking Version (Startup) || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001596 || ET POLICY Skype VOIP Reporting Install || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001609 || ET SCAN F5 BIG-IP 3DNS TCP Probe 1 || url,www.f5.com/f5products/v9intro/index.html
        2001610 || ET SCAN F5 BIG-IP 3DNS TCP Probe 2 || url,www.f5.com/f5products/v9intro/index.html
        2001611 || ET SCAN F5 BIG-IP 3DNS TCP Probe 3 || url,www.f5.com/f5products/v9intro/index.html
        2001682 || ET POLICY MSN IM Poll via HTTP
        2001812 || ET P2P KazaaClient P2P Traffic || url,www.kazaa.com/us/index.htm
        2002376 || ET WEB IBM Lotus Domino BaseTarget XSS attempt || bugtraq,14845
        2002377 || ET WEB IBM Lotus Domino Src XSS attempt || bugtraq,14846
        2002730 || ET WEB PHPGedView Remote Script Code Execution attempt || bugtraq,15983
        2002861 || ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186
        2002971 || ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
        2002973 || ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor
        2003475 || ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0) || url,pingpong-abc.sourceforge.net
        2007639 || ET POLICY FOX,ABC On-demand UA
        2402000 || ET DROP Dshield Block Listed Source || url,feeds.dshield.org/block.txt
        2403000 || ET DROP Dshield Block Listed Source - BLOCKING || url,feeds.dshield.org/block.txt

     -> Added to bleeding-sid-msg.map.txt (36):
        2000418 || ET POLICY Executable and linking format (ELF) file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000419 || ET POLICY PE EXE or DLL Windows file download
        2000420 || ET POLICY REG files version 4 download || url,www.ss64.com/nt/regedit.html
        2000421 || ET POLICY REG files version 5 download || url,www.ss64.com/nt/regedit.html
        2000422 || ET POLICY REG files version 5 Unicode download || url,www.ss64.com/nt/regedit.html
        2000423 || ET POLICY NE EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000424 || ET POLICY LX EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000425 || ET POLICY NE EXE Windows 3.x file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000426 || ET POLICY EXE compressed PKWARE Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
        2000427 || ET POLICY PE EXE Install Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
        2000428 || ET POLICY ZIP file download || url,zziplib.sourceforge.net/zzip-parse.print.html
        2000429 || ET POLICY Download Windows Help File CHM 2 || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html
        2000489 || ET POLICY Download Windows Help File CHM || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html
        2000559 || ET WEB THCIISLame IIS SSL Exploit Attempt || url,isc.sans.org/diary.php?date=2004-07-17 || url,www.thc.org/exploits/THCIISSLame.c
        2000575 || ET SCAN ICMP PING IPTools || url,www.ks-soft.net/ip-tools.eng/index.htm || url,www.ks-soft.net/ip-tools.eng
        2001066 || ET TROJAN IE Ilookup Trojan || url,62.131.86.111/analysis.htm
        2001114 || ET POLICY Mozilla XPI install files download
        2001115 || ET POLICY MSI (microsoft installer file) download
        2001449 || ET POLICY Proxy Connection detected
        2001595 || ET POLICY Skype VOIP Checking Version (Startup) || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001596 || ET POLICY Skype VOIP Reporting Install || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001609 || ET SCAN F5 BIG-IP 3DNS TCP Probe 1 || url,www.f5.com/f5products/v9intro/index.html
        2001610 || ET SCAN F5 BIG-IP 3DNS TCP Probe 2 || url,www.f5.com/f5products/v9intro/index.html
        2001611 || ET SCAN F5 BIG-IP 3DNS TCP Probe 3 || url,www.f5.com/f5products/v9intro/index.html
        2001682 || ET POLICY MSN IM Poll via HTTP
        2001812 || ET P2P KazaaClient P2P Traffic || url,www.kazaa.com/us/index.htm
        2002376 || ET WEB IBM Lotus Domino BaseTarget XSS attempt || bugtraq,14845
        2002377 || ET WEB IBM Lotus Domino Src XSS attempt || bugtraq,14846
        2002730 || ET WEB PHPGedView Remote Script Code Execution attempt || bugtraq,15983
        2002861 || ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186
        2002971 || ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
        2002973 || ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor
        2003475 || ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0) || url,pingpong-abc.sourceforge.net
        2007639 || ET POLICY FOX,ABC On-demand UA
        2402000 || ET DROP Dshield Block Listed Source || url,feeds.dshield.org/block.txt
        2403000 || ET DROP Dshield Block Listed Source - BLOCKING || url,feeds.dshield.org/block.txt

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-rbn-BLOCK.rules (2):
        #  VERSION 27
        #  Updated 2008-02-01 14:13:15

     -> Removed from bleeding-rbn.rules (2):
        #  VERSION 27
        #  Updated 2008-02-01 14:13:15

     -> Removed from bleeding-sid-msg.map (34):
        2000418 || ET Executable and linking format (ELF) file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000419 || ET PE EXE or DLL Windows file download
        2000420 || ET REG files version 4 download || url,www.ss64.com/nt/regedit.html
        2000421 || ET REG files version 5 download || url,www.ss64.com/nt/regedit.html
        2000422 || ET REG files version 5 Unicode download || url,www.ss64.com/nt/regedit.html
        2000423 || ET NE EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000424 || ET LX EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000425 || ET NE EXE Windows 3.x file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000426 || ET EXE compressed PKWARE Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
        2000427 || ET PE EXE Install Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
        2000428 || ET ZIP file download || url,zziplib.sourceforge.net/zzip-parse.print.html
        2000429 || ET Download Windows Help File CHM 2 || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html
        2000489 || ET Download Windows Help File CHM || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html
        2000559 || ET THCIISLame IIS SSL Exploit Attempt || url,isc.sans.org/diary.php?date=2004-07-17 || url,www.thc.org/exploits/THCIISSLame.c
        2000575 || ET ICMP PING IPTools || url,www.ks-soft.net/ip-tools.eng/index.htm || url,www.ks-soft.net/ip-tools.eng
        2001066 || ET IE Ilookup Trojan || url,62.131.86.111/analysis.htm
        2001114 || ET Policy Mozilla XPI install files download
        2001115 || ET MSI (microsoft installer file) download
        2001449 || ET Policy Proxy Connection detected
        2001595 || ET Policy Skype VOIP Checking Version (Startup) || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001596 || ET Policy Skype VOIP Reporting Install || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001609 || ET F5 BIG-IP 3DNS TCP Probe 1 || url,www.f5.com/f5products/v9intro/index.html
        2001610 || ET F5 BIG-IP 3DNS TCP Probe 2 || url,www.f5.com/f5products/v9intro/index.html
        2001611 || ET F5 BIG-IP 3DNS TCP Probe 3 || url,www.f5.com/f5products/v9intro/index.html
        2001682 || ET Policy MSN IM Poll via HTTP
        2001812 || ET KazaaClient P2P Traffic || url,www.kazaa.com/us/index.htm
        2002376 || ET IBM Lotus Domino BaseTarget XSS attempt || bugtraq,14845
        2002377 || ET IBM Lotus Domino Src XSS attempt || bugtraq,14846
        2002730 || ET PHPGedView Remote Script Code Execution attempt || bugtraq,15983
        2002861 || ET WEB CLIENT Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186
        2002971 || ET WEB CLIENT Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
        2002973 || ET Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor
        2003475 || ET ABC Torrent User-Agent (ABC/ABC-3.1.0) || url,pingpong-abc.sourceforge.net
        2007639 || ET Policy FOX,ABC On-demand UA

     -> Removed from bleeding-sid-msg.map.txt (34):
        2000418 || ET Executable and linking format (ELF) file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000419 || ET PE EXE or DLL Windows file download
        2000420 || ET REG files version 4 download || url,www.ss64.com/nt/regedit.html
        2000421 || ET REG files version 5 download || url,www.ss64.com/nt/regedit.html
        2000422 || ET REG files version 5 Unicode download || url,www.ss64.com/nt/regedit.html
        2000423 || ET NE EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000424 || ET LX EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000425 || ET NE EXE Windows 3.x file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
        2000426 || ET EXE compressed PKWARE Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
        2000427 || ET PE EXE Install Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
        2000428 || ET ZIP file download || url,zziplib.sourceforge.net/zzip-parse.print.html
        2000429 || ET Download Windows Help File CHM 2 || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html
        2000489 || ET Download Windows Help File CHM || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html
        2000559 || ET THCIISLame IIS SSL Exploit Attempt || url,isc.sans.org/diary.php?date=2004-07-17 || url,www.thc.org/exploits/THCIISSLame.c
        2000575 || ET ICMP PING IPTools || url,www.ks-soft.net/ip-tools.eng/index.htm || url,www.ks-soft.net/ip-tools.eng
        2001066 || ET IE Ilookup Trojan || url,62.131.86.111/analysis.htm
        2001114 || ET Policy Mozilla XPI install files download
        2001115 || ET MSI (microsoft installer file) download
        2001449 || ET Policy Proxy Connection detected
        2001595 || ET Policy Skype VOIP Checking Version (Startup) || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001596 || ET Policy Skype VOIP Reporting Install || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001609 || ET F5 BIG-IP 3DNS TCP Probe 1 || url,www.f5.com/f5products/v9intro/index.html
        2001610 || ET F5 BIG-IP 3DNS TCP Probe 2 || url,www.f5.com/f5products/v9intro/index.html
        2001611 || ET F5 BIG-IP 3DNS TCP Probe 3 || url,www.f5.com/f5products/v9intro/index.html
        2001682 || ET Policy MSN IM Poll via HTTP
        2001812 || ET KazaaClient P2P Traffic || url,www.kazaa.com/us/index.htm
        2002376 || ET IBM Lotus Domino BaseTarget XSS attempt || bugtraq,14845
        2002377 || ET IBM Lotus Domino Src XSS attempt || bugtraq,14846
        2002730 || ET PHPGedView Remote Script Code Execution attempt || bugtraq,15983
        2002861 || ET WEB CLIENT Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186
        2002971 || ET WEB CLIENT Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
        2002973 || ET Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor
        2003475 || ET ABC Torrent User-Agent (ABC/ABC-3.1.0) || url,pingpong-abc.sourceforge.net
        2007639 || ET Policy FOX,ABC On-demand UA