[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335...
Sat Jun 21 18:00:08 EDT 2008


[***] Results from Oinkmaster started Sat Jun 21 18:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2008283 - ET TROJAN Banload HTTP Checkin Detected (quem=) (emerging-virus.rules)
 2008284 - ET POLICY Inbound HTTP CONNECT Attempt on Off Port (emerging-policy.rules)
 2008285 - ET TROJAN RLPacked Binary - Likely Hostile (emerging-virus.rules)
 2008286 - ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server (emerging.rules)
 2008288 - ET CURRENT_EVENTS Storm Worm URL Request (video.exe) (emerging.rules)
 2008289 - ET POLICY Possible MSN Messenger File Transfer (emerging-policy.rules)


[///]     Modified active rules:     [///]

 2002029 - ET TROJAN BOT - channel topic scan/exploit command (emerging-virus.rules)
 2002030 - ET TROJAN BOT - potential scan/exploit command (emerging-virus.rules)
 2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (beijing.exe) (emerging.rules)
 2008235 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) (emerging.rules)


[---]         Removed rules:         [---]

 2000547 - ET HTTP CONNECT Tunnel (emerging-policy.rules)
 2000548 - ET HTTP CONNECT Tunnel (emerging-policy.rules)
 2000549 - ET HTTP CONNECT Tunnel (emerging-policy.rules)
 2000550 - ET HTTP CONNECT Tunnel (emerging-policy.rules)
 2003264 - ET MALWARE HTTP Connect Request Inbound (Windows Source) (emerging-malware.rules)
 2003265 - ET MALWARE HTTP Connect Request Inbound (Linux Source) (emerging-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-policy.rules (1):
        #by Sp0oker

     -> Added to emerging-sid-msg.map (8):
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (beijing.exe) || url,www.sudosecure.net/archives/119
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.sudosecure.net/archives/119
        2008283 || ET TROJAN Banload HTTP Checkin Detected (quem=)
        2008284 || ET POLICY Inbound HTTP CONNECT Attempt on Off Port
        2008285 || ET TROJAN RLPacked Binary - Likely Hostile || url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/ || url,rlpack.jezgra.net
        2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server
        2008288 || ET CURRENT_EVENTS Storm Worm URL Request (video.exe)
        2008289 || ET POLICY Possible MSN Messenger File Transfer || url,www.hypothetic.org/docs/msn/client/file_transfer.php

     -> Added to emerging-sid-msg.map.txt (8):
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (beijing.exe) || url,www.sudosecure.net/archives/119
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.sudosecure.net/archives/119
        2008283 || ET TROJAN Banload HTTP Checkin Detected (quem=)
        2008284 || ET POLICY Inbound HTTP CONNECT Attempt on Off Port
        2008285 || ET TROJAN RLPacked Binary - Likely Hostile || url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/ || url,rlpack.jezgra.net
        2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server
        2008288 || ET CURRENT_EVENTS Storm Worm URL Request (video.exe)
        2008289 || ET POLICY Possible MSN Messenger File Transfer || url,www.hypothetic.org/docs/msn/client/file_transfer.php

     -> Added to emerging-virus.rules (1):
        #by Daniel Clemens

     -> Added to emerging.rules (2):
        #by Daniel Clemens
        #Jack Pepper

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-policy.rules (1):
        #Submitted by Brandon Barnes

     -> Removed from emerging-sid-msg.map (8):
        2000547 || ET HTTP CONNECT Tunnel
        2000548 || ET HTTP CONNECT Tunnel
        2000549 || ET HTTP CONNECT Tunnel
        2000550 || ET HTTP CONNECT Tunnel
        2003264 || ET MALWARE HTTP Connect Request Inbound (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003265 || ET MALWARE HTTP Connect Request Inbound (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe) || url,www.sudosecure.net/archives/61
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (iloveyou.exe) || url,www.sudosecure.net/archives/61

     -> Removed from emerging-sid-msg.map.txt (8):
        2000547 || ET HTTP CONNECT Tunnel
        2000548 || ET HTTP CONNECT Tunnel
        2000549 || ET HTTP CONNECT Tunnel
        2000550 || ET HTTP CONNECT Tunnel
        2003264 || ET MALWARE HTTP Connect Request Inbound (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003265 || ET MALWARE HTTP Connect Request Inbound (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe) || url,www.sudosecure.net/archives/61
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (iloveyou.exe) || url,www.sudosecure.net/archives/61

     -> Removed from emerging.rules (1):
        #by matt jonkman
