[Snort-sigs] Emerging Threats Weekly Signature Changes

Sat Jun 7 18:00:08 EDT 2008


[***] Results from Oinkmaster started Sat Jun  7 18:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2008245 - ET TROJAN Juicopotomous to Controller (emerging-virus.rules)
 2008246 - ET TROJAN Juicopotomous ack from Controller (emerging-virus.rules)
 2008247 - ET TROJAN Juicopotomous ack to Controller (emerging-virus.rules)
 2008264 - ET MALWARE Suspicious User-Agent (opera) (emerging-malware.rules)
 2008265 - ET MALWARE Suspicious User-Agent (creativesmover loader vnr2.2) (emerging-malware.rules)
 2008266 - ET MALWARE Suspicious User-Agent (Zilla) (emerging-malware.rules)
 2008267 - ET TROJAN Banker.JU Related HTTP Post-infection Checkin (emerging-virus.rules)
 2008268 - ET TROJAN Delf Checkin via HTTP (8) (emerging-virus.rules)
 2008269 - ET TROJAN Emogen Infection Checkin Initial Packet (emerging-virus.rules)
 2008270 - ET TROJAN Emogen Infection Checkin CnC Keepalive (emerging-virus.rules)
 2008271 - ET TROJAN DMSpammer HTTP Post Checkin (1) (emerging-virus.rules)
 2008272 - ET TROJAN DMSpammer HTTP Post Checkin (2) (emerging-virus.rules)
 2008273 - ET TROJAN Bifrose Connect to Controller (emerging-virus.rules)
 2008274 - ET TROJAN Bifrose Response from Controller (emerging-virus.rules)
 2008275 - ET TROJAN Hitpop Checkin (emerging-virus.rules)
 2008276 - ET MALWARE Suspicious User-Agent (contains loader) (emerging-malware.rules)
 2008277 - ET TROJAN Pakes Winifixer.com Related Checkin URL (emerging-virus.rules)
 2008278 - ET MALWARE Generic Raider Obfuscated VBScript (emerging-virus.rules)
 2008279 - ET MALWARE ZenoSearch Spyware User-Agent (emerging-malware.rules)


[///]     Modified active rules:     [///]

 2002750 - ET POLICY Reserved IP Space Traffic - Bogon Nets 2 (emerging-policy.rules)
 2002854 - ET TROJAN Gozi/Orderjack Reporting User Activity (emerging-virus.rules)
 2003330 - ET POLICY Possible Spambot Host DNS MX Query High Count (emerging-policy.rules)
 2003897 - ET WEB Adobe RoboHelp XSS Attempt whstart.js (emerging-web.rules)
 2003898 - ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm (emerging-web.rules)
 2003899 - ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js (emerging-web.rules)
 2003900 - ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm (emerging-web.rules)
 2003901 - ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll (emerging-web.rules)
 2003903 - ET WEB Microsoft SharePoint XSS Attempt default.aspx (emerging-web.rules)
 2003904 - ET WEB Microsoft SharePoint XSS Attempt index.php form[mail] (emerging-web.rules)
 2004556 - ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern (emerging-web.rules)
 2004574 - ET WEB WikyBlog XSS Attempt sessionRegister.php (emerging-web.rules)
 2006415 - ET TROJAN QQHelper Related User-Agent Infection Checkin (emerging-virus.rules)
 2006443 - ET WEB Possible SQL Injection Attempt DELETE FROM (emerging-web.rules)
 2006444 - ET WEB Possible SQL Injection Attempt INSERT INTO (emerging-web.rules)
 2006445 - ET WEB Possible SQL Injection Attempt SELECT FROM (emerging-web.rules)
 2006446 - ET WEB Possible SQL Injection Attempt UNION SELECT (emerging-web.rules)
 2006447 - ET WEB Possible SQL Injection Attempt UPDATE SET (emerging-web.rules)
 2006546 - ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! (emerging-scan.rules)
 2007569 - ET TROJAN QQPass Related User-Agent Infection Checkin (App4) (emerging-virus.rules)
 2007584 - ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request) (emerging-exploit.rules)
 2007671 - ET POLICY Binary Download Smaller than 1 MB Likely Hostile (emerging-policy.rules)
 2007889 - ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT (emerging-web.rules)
 2007890 - ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT (emerging-web.rules)
 2007891 - ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE (emerging-web.rules)
 2007892 - ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE (emerging-web.rules)
 2007893 - ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT (emerging-web.rules)
 2007894 - ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT (emerging-web.rules)
 2007895 - ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT (emerging-web.rules)
 2007896 - ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE (emerging-web.rules)
 2007897 - ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE (emerging-web.rules)
 2007948 - ET MALWARE Suspicious User Agent (double dashes) (emerging-malware.rules)
 2008085 - ET MALWARE Alexa Search Toolbar User-Agent 2 (Alexa Toolbar) (emerging-malware.rules)
 2008221 - ET TROJAN Asprox-style Message ID (emerging-virus.rules)
 2008222 - ET TROJAN Asprox phishing email detected (emerging-virus.rules)
 2008263 - ET TROJAN DNS Changer HTTP Post Checkin (emerging-virus.rules)


[///]    Modified inactive rules:    [///]

 2006408 - ET POLICY HTTP GET on unusual Port Possibly Hostile (emerging-policy.rules)
 2006409 - ET POLICY HTTP POST on unusual Port Possibly Hostile (emerging-policy.rules)


[---]         Removed rules:         [---]

 2007632 - ET TROJAN Possible Gozi Trojan Checkin (emerging-virus.rules)
 2008245 - ET TROJAN Unknown to Controller (emerging.rules)
 2008246 - ET TROJAN Unknown ack from Controller (emerging.rules)
 2008247 - ET TROJAN Unknown ack to Controller (emerging.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (52):
        2002854 || ET TROJAN Gozi/Orderjack Reporting User Activity || url,www.avira.com/en/threats/section/fulldetails/id_vir/1724/tr_dldr.orderjack.a.html || url,www.secureworks.com/research/threats/gozi
        2003330 || ET POLICY Possible Spambot Host DNS MX Query High Count
        2003897 || ET WEB Adobe RoboHelp XSS Attempt whstart.js || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003898 || ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003899 || ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003900 || ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003901 || ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003903 || ET WEB Microsoft SharePoint XSS Attempt default.aspx || url,www.securityfocus.com/bid/23832 || cve,CVE-2007-2581
        2003904 || ET WEB Microsoft SharePoint XSS Attempt index.php form[mail] || url,www.securityfocus.com/bid/23834 || cve,CVE-2007-2579
        2004556 || ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern || url,www.secunia.com/advisories/25377 || cve,CVE-2007-2832
        2004574 || ET WEB WikyBlog XSS Attempt sessionRegister.php || url,www.secunia.com/advisories/25308 || cve,CVE-2007-2781
        2006408 || ET POLICY HTTP GET on unusual Port Possibly Hostile
        2006409 || ET POLICY HTTP POST on unusual Port Possibly Hostile
        2006415 || ET TROJAN QQHelper Related User-Agent Infection Checkin
        2006443 || ET WEB Possible SQL Injection Attempt DELETE FROM || url,en.wikipedia.org/wiki/SQL_injection
        2006444 || ET WEB Possible SQL Injection Attempt INSERT INTO || url,en.wikipedia.org/wiki/SQL_injection
        2006445 || ET WEB Possible SQL Injection Attempt SELECT FROM || url,en.wikipedia.org/wiki/SQL_injection
        2006446 || ET WEB Possible SQL Injection Attempt UNION SELECT || url,en.wikipedia.org/wiki/SQL_injection
        2006447 || ET WEB Possible SQL Injection Attempt UPDATE SET || url,en.wikipedia.org/wiki/SQL_injection
        2006546 || ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
        2007569 || ET TROJAN QQPass Related User-Agent Infection Checkin (App4)
        2007584 || ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request) || url,isc.sans.org/diary.html?storyid=3310
        2007671 || ET POLICY Binary Download Smaller than 1 MB Likely Hostile
        2007889 || ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007890 || ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007891 || ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007892 || ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007893 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007894 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007895 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007896 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007897 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007948 || ET MALWARE Suspicious User Agent (double dashes)
        2008245 || ET TROJAN Juicopotomous to Controller
        2008246 || ET TROJAN Juicopotomous ack from Controller
        2008247 || ET TROJAN Juicopotomous ack to Controller
        2008264 || ET MALWARE Suspicious User-Agent (opera)
        2008265 || ET MALWARE Suspicious User-Agent (creativesmover loader vnr2.2)
        2008266 || ET MALWARE Suspicious User-Agent (Zilla)
        2008267 || ET TROJAN Banker.JU Related HTTP Post-infection Checkin
        2008268 || ET TROJAN Delf Checkin via HTTP (8)
        2008269 || ET TROJAN Emogen Infection Checkin Initial Packet
        2008270 || ET TROJAN Emogen Infection Checkin CnC Keepalive
        2008271 || ET TROJAN DMSpammer HTTP Post Checkin (1)
        2008272 || ET TROJAN DMSpammer HTTP Post Checkin (2)
        2008273 || ET TROJAN Bifrose Connect to Controller
        2008274 || ET TROJAN Bifrose Response from Controller
        2008275 || ET TROJAN Hitpop Checkin || url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf
        2008276 || ET MALWARE Suspicious User-Agent (contains loader)
        2008277 || ET TROJAN Pakes Winifixer.com Related Checkin URL
        2008278 || ET MALWARE Generic Raider Obfuscated VBScript || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1
        2008279 || ET MALWARE ZenoSearch Spyware User-Agent

     -> Added to emerging-sid-msg.map.txt (52):
        2002854 || ET TROJAN Gozi/Orderjack Reporting User Activity || url,www.avira.com/en/threats/section/fulldetails/id_vir/1724/tr_dldr.orderjack.a.html || url,www.secureworks.com/research/threats/gozi
        2003330 || ET POLICY Possible Spambot Host DNS MX Query High Count
        2003897 || ET WEB Adobe RoboHelp XSS Attempt whstart.js || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003898 || ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003899 || ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003900 || ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003901 || ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003903 || ET WEB Microsoft SharePoint XSS Attempt default.aspx || url,www.securityfocus.com/bid/23832 || cve,CVE-2007-2581
        2003904 || ET WEB Microsoft SharePoint XSS Attempt index.php form[mail] || url,www.securityfocus.com/bid/23834 || cve,CVE-2007-2579
        2004556 || ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern || url,www.secunia.com/advisories/25377 || cve,CVE-2007-2832
        2004574 || ET WEB WikyBlog XSS Attempt sessionRegister.php || url,www.secunia.com/advisories/25308 || cve,CVE-2007-2781
        2006408 || ET POLICY HTTP GET on unusual Port Possibly Hostile
        2006409 || ET POLICY HTTP POST on unusual Port Possibly Hostile
        2006415 || ET TROJAN QQHelper Related User-Agent Infection Checkin
        2006443 || ET WEB Possible SQL Injection Attempt DELETE FROM || url,en.wikipedia.org/wiki/SQL_injection
        2006444 || ET WEB Possible SQL Injection Attempt INSERT INTO || url,en.wikipedia.org/wiki/SQL_injection
        2006445 || ET WEB Possible SQL Injection Attempt SELECT FROM || url,en.wikipedia.org/wiki/SQL_injection
        2006446 || ET WEB Possible SQL Injection Attempt UNION SELECT || url,en.wikipedia.org/wiki/SQL_injection
        2006447 || ET WEB Possible SQL Injection Attempt UPDATE SET || url,en.wikipedia.org/wiki/SQL_injection
        2006546 || ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!
        2007569 || ET TROJAN QQPass Related User-Agent Infection Checkin (App4)
        2007584 || ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request) || url,isc.sans.org/diary.html?storyid=3310
        2007671 || ET POLICY Binary Download Smaller than 1 MB Likely Hostile
        2007889 || ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007890 || ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007891 || ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007892 || ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007893 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007894 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007895 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007896 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007897 || ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007948 || ET MALWARE Suspicious User Agent (double dashes)
        2008245 || ET TROJAN Juicopotomous to Controller
        2008246 || ET TROJAN Juicopotomous ack from Controller
        2008247 || ET TROJAN Juicopotomous ack to Controller
        2008264 || ET MALWARE Suspicious User-Agent (opera)
        2008265 || ET MALWARE Suspicious User-Agent (creativesmover loader vnr2.2)
        2008266 || ET MALWARE Suspicious User-Agent (Zilla)
        2008267 || ET TROJAN Banker.JU Related HTTP Post-infection Checkin
        2008268 || ET TROJAN Delf Checkin via HTTP (8)
        2008269 || ET TROJAN Emogen Infection Checkin Initial Packet
        2008270 || ET TROJAN Emogen Infection Checkin CnC Keepalive
        2008271 || ET TROJAN DMSpammer HTTP Post Checkin (1)
        2008272 || ET TROJAN DMSpammer HTTP Post Checkin (2)
        2008273 || ET TROJAN Bifrose Connect to Controller
        2008274 || ET TROJAN Bifrose Response from Controller
        2008275 || ET TROJAN Hitpop Checkin || url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf
        2008276 || ET MALWARE Suspicious User-Agent (contains loader)
        2008277 || ET TROJAN Pakes Winifixer.com Related Checkin URL
        2008278 || ET MALWARE Generic Raider Obfuscated VBScript || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1
        2008279 || ET MALWARE ZenoSearch Spyware User-Agent

     -> Added to emerging-virus.rules (7):
        #matt jonkman, banker.JU
        #by deapesh misra
        #another one. Fortinet calls it emogen, others call it a dropper
        #new CNC channel, sample has no AV detection, collected 5/14
        #sigs by Jeffrey Brown
        # Register the first comm w/ 7c, 1 byte packet
        #by Don Jackson of Secureworks

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (37):
        2002854 || ET TROJAN Orderjack Reporting User Activity || url,www.avira.com/en/threats/section/fulldetails/id_vir/1724/tr_dldr.orderjack.a.html
        2003330 || ET POLICY Possible Spambot -- Host DNS MX Query High Count
        2003897 || ET WEB Adobe RoboHelp XSS Attempt -- whstart.js || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003898 || ET WEB Adobe RoboHelp XSS Attempt -- whcsh_home.htm || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003899 || ET WEB Adobe RoboHelp XSS Attempt -- wf_startpage.js || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003900 || ET WEB Adobe RoboHelp XSS Attempt -- wf_startqs.htm || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003901 || ET WEB Adobe RoboHelp XSS Attempt -- WindowManager.dll || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003903 || ET WEB Microsoft SharePoint XSS Attempt -- default.aspx || url,www.securityfocus.com/bid/23832 || cve,CVE-2007-2581
        2003904 || ET WEB Microsoft SharePoint XSS Attempt -- index.php form[mail] || url,www.securityfocus.com/bid/23834 || cve,CVE-2007-2579
        2004556 || ET WEB Cisco CallManager XSS Attempt -- serverlist.asp pattern || url,www.secunia.com/advisories/25377 || cve,CVE-2007-2832
        2004574 || ET WEB WikyBlog XSS Attempt -- sessionRegister.php || url,www.secunia.com/advisories/25308 || cve,CVE-2007-2781
        2006408 || ET POLICY HTTP GET on unusual Port -- Possibly Hostile
        2006409 || ET POLICY HTTP POST on unusual Port -- Possibly Hostile
        2006415 || ET TROJAN QQHelper Related User-Agent -- Infection Checkin
        2006443 || ET WEB Possible SQL Injection Attempt -- DELETE FROM || url,en.wikipedia.org/wiki/SQL_injection
        2006444 || ET WEB Possible SQL Injection Attempt -- INSERT INTO || url,en.wikipedia.org/wiki/SQL_injection
        2006445 || ET WEB Possible SQL Injection Attempt -- SELECT FROM || url,en.wikipedia.org/wiki/SQL_injection
        2006446 || ET WEB Possible SQL Injection Attempt -- UNION SELECT || url,en.wikipedia.org/wiki/SQL_injection
        2006447 || ET WEB Possible SQL Injection Attempt -- UPDATE SET || url,en.wikipedia.org/wiki/SQL_injection
        2006546 || ET SCAN LibSSH Based Frequent SSH Connections -- Likely BruteForce Attack!
        2007569 || ET TROJAN QQPass Related User-Agent -- Infection Checkin (App4)
        2007584 || ET EXPLOIT TrendMicro ServerProtect Exploit -- possible worma(little-endian DCERPC Request) || url,isc.sans.org/diary.html?storyid=3310
        2007632 || ET TROJAN Possible Gozi Trojan Checkin || url,www.secureworks.com/research/threats/gozi
        2007671 || ET POLICY Binary Download Smaller than 1 MB -- Likely Hostile
        2007889 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007890 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007891 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007892 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007893 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007894 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007895 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007896 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007897 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007948 || ET MALWARE Suspicious User Agent (--)
        2008245 || ET TROJAN Unknown to Controller
        2008246 || ET TROJAN Unknown ack from Controller
        2008247 || ET TROJAN Unknown ack to Controller

     -> Removed from emerging-sid-msg.map.txt (37):
        2002854 || ET TROJAN Orderjack Reporting User Activity || url,www.avira.com/en/threats/section/fulldetails/id_vir/1724/tr_dldr.orderjack.a.html
        2003330 || ET POLICY Possible Spambot -- Host DNS MX Query High Count
        2003897 || ET WEB Adobe RoboHelp XSS Attempt -- whstart.js || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003898 || ET WEB Adobe RoboHelp XSS Attempt -- whcsh_home.htm || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003899 || ET WEB Adobe RoboHelp XSS Attempt -- wf_startpage.js || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003900 || ET WEB Adobe RoboHelp XSS Attempt -- wf_startqs.htm || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003901 || ET WEB Adobe RoboHelp XSS Attempt -- WindowManager.dll || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || cve,CVE-2007-1280
        2003903 || ET WEB Microsoft SharePoint XSS Attempt -- default.aspx || url,www.securityfocus.com/bid/23832 || cve,CVE-2007-2581
        2003904 || ET WEB Microsoft SharePoint XSS Attempt -- index.php form[mail] || url,www.securityfocus.com/bid/23834 || cve,CVE-2007-2579
        2004556 || ET WEB Cisco CallManager XSS Attempt -- serverlist.asp pattern || url,www.secunia.com/advisories/25377 || cve,CVE-2007-2832
        2004574 || ET WEB WikyBlog XSS Attempt -- sessionRegister.php || url,www.secunia.com/advisories/25308 || cve,CVE-2007-2781
        2006408 || ET POLICY HTTP GET on unusual Port -- Possibly Hostile
        2006409 || ET POLICY HTTP POST on unusual Port -- Possibly Hostile
        2006415 || ET TROJAN QQHelper Related User-Agent -- Infection Checkin
        2006443 || ET WEB Possible SQL Injection Attempt -- DELETE FROM || url,en.wikipedia.org/wiki/SQL_injection
        2006444 || ET WEB Possible SQL Injection Attempt -- INSERT INTO || url,en.wikipedia.org/wiki/SQL_injection
        2006445 || ET WEB Possible SQL Injection Attempt -- SELECT FROM || url,en.wikipedia.org/wiki/SQL_injection
        2006446 || ET WEB Possible SQL Injection Attempt -- UNION SELECT || url,en.wikipedia.org/wiki/SQL_injection
        2006447 || ET WEB Possible SQL Injection Attempt -- UPDATE SET || url,en.wikipedia.org/wiki/SQL_injection
        2006546 || ET SCAN LibSSH Based Frequent SSH Connections -- Likely BruteForce Attack!
        2007569 || ET TROJAN QQPass Related User-Agent -- Infection Checkin (App4)
        2007584 || ET EXPLOIT TrendMicro ServerProtect Exploit -- possible worma(little-endian DCERPC Request) || url,isc.sans.org/diary.html?storyid=3310
        2007632 || ET TROJAN Possible Gozi Trojan Checkin || url,www.secureworks.com/research/threats/gozi
        2007671 || ET POLICY Binary Download Smaller than 1 MB -- Likely Hostile
        2007889 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007890 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007891 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007892 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007893 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007894 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007895 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007896 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007897 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007948 || ET MALWARE Suspicious User Agent (--)
        2008245 || ET TROJAN Unknown to Controller
        2008246 || ET TROJAN Unknown ack from Controller
        2008247 || ET TROJAN Unknown ack to Controller

     -> Removed from emerging-virus.rules (1):
        #by Cees Elzinga

     -> Removed from emerging.rules (3):
        #new CNC channel, sample has no AV detection, collected 5/14
        #sigs by Jeffrey Brown
        # Register the first comm w/ 7c, 1 byte packet
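The "Added to" and "Removed from" emerging-sid-msg.map sections above are a raw line diff, so a rename (2008245 "Unknown to Controller" becoming "Juicopotomous to Controller", or the "--" separators dropped from many messages) and a real new detection (2008264) look alike, and a SID that appears in both the "Added rules" and "Removed rules" lists is a move between rule files rather than new coverage. The script below is an added example, not part of the Oinkmaster output or of the Emerging Threats tooling: it parses sid-msg.map lines (the `sid || msg || reftype,refvalue ...` format shown above) and classifies each SID as added, removed, renamed, or reference-changed. The sample old/new lines are copied from this report; the file names `old.map`/`new.map` in the usage comment are assumptions.

```python
"""Classify sid-msg.map changes instead of eyeballing the raw line diff.

Added example; not part of the original Oinkmaster report or of the
Emerging Threats rule set. OLD_MAP / NEW_MAP hold a few lines copied from
the report above so the script runs offline.
"""
from dataclasses import dataclass

# Constructed from the "Removed from emerging-sid-msg.map" section above.
OLD_MAP = """\
2002854 || ET TROJAN Orderjack Reporting User Activity || url,www.avira.com/en/threats/section/fulldetails/id_vir/1724/tr_dldr.orderjack.a.html
2007632 || ET TROJAN Possible Gozi Trojan Checkin || url,www.secureworks.com/research/threats/gozi
2007948 || ET MALWARE Suspicious User Agent (--)
2008245 || ET TROJAN Unknown to Controller
"""

# Constructed from the "Added to emerging-sid-msg.map" section above.
NEW_MAP = """\
2002854 || ET TROJAN Gozi/Orderjack Reporting User Activity || url,www.avira.com/en/threats/section/fulldetails/id_vir/1724/tr_dldr.orderjack.a.html || url,www.secureworks.com/research/threats/gozi
2007948 || ET MALWARE Suspicious User Agent (double dashes)
2008245 || ET TROJAN Juicopotomous to Controller
2008264 || ET MALWARE Suspicious User-Agent (opera)
"""


@dataclass(frozen=True)
class MapEntry:
    sid: int
    msg: str
    refs: tuple  # ((reftype, refvalue), ...) in file order


def parse_map_line(line: str) -> MapEntry:
    """Parse one 'sid || msg [|| reftype,value]...' line.

    References are split on the first comma only, because URL reference
    values may legitimately contain commas after the type prefix.
    """
    parts = [p.strip() for p in line.strip().split("||")]
    if len(parts) < 2 or not parts[0].isdigit():
        raise ValueError(f"malformed sid-msg.map line: {line!r}")
    refs = []
    for ref in parts[2:]:
        rtype, sep, rval = ref.partition(",")
        if not sep or not rval.strip():
            raise ValueError(f"malformed reference {ref!r} on sid {parts[0]}")
        refs.append((rtype.strip(), rval.strip()))
    return MapEntry(int(parts[0]), parts[1], tuple(refs))


def load_map(text: str) -> dict:
    """Return {sid: MapEntry}, skipping blank and '#' comment lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_map_line(line)
        entries[entry.sid] = entry  # a later duplicate SID wins, as Snort's loader does
    return entries


def diff_maps(old: dict, new: dict) -> dict:
    """Classify every SID present in either map.

    added / removed: SID only in new / only in old.
    renamed: same SID, different msg (includes pure cosmetic edits).
    refs_changed: (sid, refs_added, refs_dropped) for reference-only edits
                  and for renames that also touched references.
    """
    out = {"added": [], "removed": [], "renamed": [], "refs_changed": []}
    for sid in sorted(set(old) | set(new)):
        o, n = old.get(sid), new.get(sid)
        if o is None:
            out["added"].append(sid)
        elif n is None:
            out["removed"].append(sid)
        else:
            if o.msg != n.msg:
                out["renamed"].append((sid, o.msg, n.msg))
            gained = sorted(set(n.refs) - set(o.refs))
            lost = sorted(set(o.refs) - set(n.refs))
            if gained or lost:
                out["refs_changed"].append((sid, gained, lost))
    return out


def report(old_text: str, new_text: str) -> dict:
    """Convenience wrapper: parse both snapshots and diff them."""
    return diff_maps(load_map(old_text), load_map(new_text))


if __name__ == "__main__":
    # Usage against real files (assumed names): report(open("old.map").read(), open("new.map").read())
    result = report(OLD_MAP, NEW_MAP)
    for kind, items in result.items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

Running it on the sample shows only one genuinely new SID (2008264) and one withdrawn one (2007632), while 2002854 is a rename plus an added reference and 2007948/2008245 are renames only; that is the distinction a reviewer needs before deciding whether a weekly update actually changed detection coverage.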
