[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Tue Jan 8 17:00:07 EST 2008


[***] Results from Oinkmaster started Tue Jan  8 17:00:07 2008 [***]

[+++]          Added rules:          [+++]

 2007743 - BLEEDING-EDGE TROJAN Dialer.qn HTTP Request - Checkin (bleeding-virus.rules)
 2007744 - BLEEDING-EDGE MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin (bleeding-malware.rules)
 2406008 - BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (4) (bleeding-rbn.rules)
 2407008 - BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (bleeding-rbn-BLOCK.rules)


[///]     Modified active rules:     [///]

 2406004 - BLEEDING-EDGE RBN Known Russian Business Network Traffic - Central American Nets (bleeding-rbn.rules)
 2406005 - BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (1) (bleeding-rbn.rules)
 2406006 - BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (2) (bleeding-rbn.rules)
 2406007 - BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (3) (bleeding-rbn.rules)
 2407004 - BLEEDING-EDGE RBN Known Russian Business Network Traffic - Central American Nets (bleeding-rbn-BLOCK.rules)
 2407005 - BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (bleeding-rbn-BLOCK.rules)
 2407006 - BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (bleeding-rbn-BLOCK.rules)
 2407007 - BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (bleeding-rbn-BLOCK.rules)


[---]         Removed rules:         [---]

 2006416 - BLEEDING-EDGE TROJAN Win32.Pakes User-Agent Detected (Pneumatix_1.0) (bleeding-virus.rules)
 2007662 - BLEEDING-EDGE TROJAN Win32.Pakes Post Parameters Dected (X-BI, X-TM) (bleeding-virus.rules)
 2007706 - BLEEDING-EDGE TROJAN Srizbi registering with controller (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-attack_response.rules (1):
        # $Id: bleeding-attack_response.rules $

     -> Added to bleeding-dos.rules (1):
        # $Id: bleeding-dos.rules $

     -> Added to bleeding-exploit.rules (1):
        # $Id: bleeding-exploit.rules $

     -> Added to bleeding-game.rules (1):
        # $Id: bleeding-game.rules $

     -> Added to bleeding-inappropriate.rules (1):
        # $Id: bleeding-inappropriate.rules $

     -> Added to bleeding-malware.rules (2):
        # $Id: bleeding-malware.rules $
        #by Matt jonkman, guard-center.com crapware (if you're gonna pretend to scan a disk, you ought to at least access the disk a little)

     -> Added to bleeding-p2p.rules (1):
        # $Id: bleeding-p2p.rules $

     -> Added to bleeding-policy.rules (1):
        # $Id: bleeding-policy.rules $

     -> Added to bleeding-rbn-BLOCK.rules (2):
        #  VERSION 24
        #  Updated 2008-01-08 12:32:31

     -> Added to bleeding-rbn.rules (2):
        #  VERSION 24
        #  Updated 2008-01-08 12:32:31

     -> Added to bleeding-scan.rules (1):
        # $Id: bleeding-scan.rules $

     -> Added to bleeding-sid-msg.map (20):
        2007743 || BLEEDING-EDGE TROJAN Dialer.qn HTTP Request - Checkin
        2007744 || BLEEDING-EDGE MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin
        2400001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2406004 || BLEEDING-EDGE RBN Known Russian Business Network Traffic - Central American Nets || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406005 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (1) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406006 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (2) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406007 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (3) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406008 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (4) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407004 || BLEEDING-EDGE RBN Known Russian Business Network Traffic - Central American Nets || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407005 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (1) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407006 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (2) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407007 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (3) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407008 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (4) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork

     -> Added to bleeding-virus.rules (2):
        # $Id: bleeding-virus.rules $
        #matt jonkman from sandnet data

     -> Added to bleeding-voip.rules (1):
        # $Id: bleeding-voip.rules $

     -> Added to bleeding-web.rules (1):
        # $Id: bleeding-web.rules $

     -> Added to bleeding-web_sql_injection.rules (1):
        # $Id: bleeding-web_sql_injection.rules $

     -> Added to bleeding.rules (1):
        # $Id: bleeding.rules $

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-rbn-BLOCK.rules (2):
        #  VERSION 22
        #  Updated 2008-01-04 08:27:11

     -> Removed from bleeding-rbn.rules (2):
        #  VERSION 22
        #  Updated 2008-01-04 08:27:11

     -> Removed from bleeding-sid-msg.map (11):
        2006416 || BLEEDING-EDGE TROJAN Win32.Pakes User-Agent Detected (Pneumatix_1.0) || url,www.viruslist.com/en/viruses/encyclopedia?virusid=68830
        2007662 || BLEEDING-EDGE TROJAN Win32.Pakes Post Parameters Dected (X-BI, X-TM)
        2007706 || BLEEDING-EDGE TROJAN Srizbi registering with controller || url,www.secureworks.com/research/threats/ronpaul
        2406004 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (1) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406005 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (2) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406006 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (3) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406007 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (4) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407004 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (1) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407005 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (2) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407006 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (3) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407007 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains - BLOCKING (4) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork

     -> Removed from bleeding-virus.rules (3):
        #by axnjxn
        #from sandnet analysis, by matt jonkman
        #by Joe Stewart from SecureWorks
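
One thing worth pulling out of the report above: the RBN rules were renumbered, not just edited. In VERSION 22 the sid-msg.map had 2406004 as "Monitored Domains (1)" and 2406007 as "(4)"; in VERSION 24, 2406004 is "Traffic - Central American Nets" and "(1)" through "(4)" have moved to 2406005-2406008 (same shift for the 2407xxx BLOCK set). Any threshold.conf suppress or threshold keyed on the old SIDs now applies to a different rule. The script below is an added example, not part of the Oinkmaster report or the Emerging Threats rule set: it parses two sid-msg.map snapshots in the `sid || msg || reference` format shown above, lists added, removed and reassigned SIDs, works out where a surviving message moved to, and rewrites `sig_id` values in a threshold.conf fragment accordingly. The two maps and the threshold.conf lines are constructed here from the entries listed in this report; the function names are mine.

```python
"""Diff two Snort sid-msg.map snapshots and flag SIDs whose message changed.

Added example; the two maps below are constructed from the entries listed
in the Oinkmaster report (RBN VERSION 22 before, VERSION 24 after).
"""
import re

# Constructed from the "Removed from bleeding-sid-msg.map" block (before the update).
OLD_MAP = """\
2006416 || BLEEDING-EDGE TROJAN Win32.Pakes User-Agent Detected (Pneumatix_1.0) || url,www.viruslist.com/en/viruses/encyclopedia?virusid=68830
2007662 || BLEEDING-EDGE TROJAN Win32.Pakes Post Parameters Dected (X-BI, X-TM)
2007706 || BLEEDING-EDGE TROJAN Srizbi registering with controller || url,www.secureworks.com/research/threats/ronpaul
2406004 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (1) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2406005 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (2) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2406006 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (3) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2406007 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (4) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
"""

# Constructed from the "Added to bleeding-sid-msg.map" block (after the update).
NEW_MAP = """\
2007743 || BLEEDING-EDGE TROJAN Dialer.qn HTTP Request - Checkin
2007744 || BLEEDING-EDGE MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin
2406004 || BLEEDING-EDGE RBN Known Russian Business Network Traffic - Central American Nets || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2406005 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (1) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2406006 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (2) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2406007 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (3) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2406008 || BLEEDING-EDGE RBN Known Russian Business Network Monitored Domains (4) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
"""

# Constructed threshold.conf fragment keyed on the pre-update SIDs.
OLD_THRESHOLD_CONF = """\
suppress gen_id 1, sig_id 2406004
suppress gen_id 1, sig_id 2007743
"""


def parse_sid_msg_map(text):
    """Return {sid: (msg, (ref, ...))} from sid-msg.map text; reject malformed or duplicate SIDs."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: malformed sid-msg.map entry: {raw!r}")
        sid = int(fields[0])
        if sid in entries:
            raise ValueError(f"line {lineno}: duplicate SID {sid}")
        entries[sid] = (fields[1], tuple(fields[2:]))
    return entries


def diff_maps(old, new):
    """Added, removed, and reassigned SIDs (same number, different message text)."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "reassigned": sorted(s for s in common if old[s][0] != new[s][0]),
    }


def moved_messages(old, new):
    """{old_sid: new_sid} for messages that survived under a different SID.

    A message is only treated as moved when exactly one new SID carries it;
    the non-BLOCK and BLOCK RBN rules share message text, so the caller
    should diff the two rule sets separately to avoid ambiguity.
    """
    by_msg = {}
    for sid, (msg, _) in new.items():
        by_msg.setdefault(msg, []).append(sid)
    moves = {}
    for sid, (msg, _) in old.items():
        targets = by_msg.get(msg, [])
        if len(targets) == 1 and targets[0] != sid:
            moves[sid] = targets[0]
    return moves


_SIG_ID = re.compile(r"(sig_id\s+)(\d+)")


def rewrite_threshold_conf(text, moves):
    """Rewrite sig_id values in threshold.conf lines according to a moves map."""
    def repl(m):
        sid = int(m.group(2))
        return f"{m.group(1)}{moves.get(sid, sid)}"
    return "\n".join(_SIG_ID.sub(repl, line) for line in text.splitlines())


if __name__ == "__main__":
    old, new = parse_sid_msg_map(OLD_MAP), parse_sid_msg_map(NEW_MAP)
    for kind, sids in diff_maps(old, new).items():
        print(f"{kind:10s} {sids}")
    moves = moved_messages(old, new)
    for src, dst in sorted(moves.items()):
        print(f"moved      {src} -> {dst}: {old[src][0]}")
    print(rewrite_threshold_conf(OLD_THRESHOLD_CONF, moves))
```

Run against the real bleeding-sid-msg.map before and after an Oinkmaster update; anything in the "reassigned" list is a SID whose suppressions, thresholds and alert-correlation rules need to be reviewed, and the rewritten threshold.conf should be diffed by eye before it is installed.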
