[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335...
Sat Mar 1 19:00:08 EST 2008


[***] Results from Oinkmaster started Sat Mar  1 19:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2007873 - ET WEB WinIPDS Directory Traversal Vulnerabilities POST (bleeding-web.rules)
 2007880 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (-) (bleeding-virus.rules)
 2007881 - ET MALWARE Mycomclean.com Spyware User Agent (HTTP_GET_COMM) (bleeding-malware.rules)
 2007882 - ET MALWARE Mycomclean.com Spyware User Agent (SHINI) (bleeding-malware.rules)
 2007883 - ET MALWARE Virusheat.com Fake Anti-Spyware User Agent (VirusHeat 4.3) (bleeding-malware.rules)
 2007884 - ET MALWARE Suspicious User Agent (Example) (bleeding-malware.rules)
 2007885 - ET MALWARE Suspicious User Agent (downloader) (bleeding-malware.rules)
 2007886 - ET MALWARE Anti-virus-pro.com Fake AV Checkin (bleeding-malware.rules)
 2007887 - ET CURRENT_EVENTS Possible Comodo AntiVirus 2.0 ExecuteStr() Remote Command Execution Vulnerability (bleeding.rules)
 2007888 - ET CURRENT_EVENTS Rising Online Scanner Insecure Method Vulnerability (bleeding.rules)
 2007889 - ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UNION SELECT (bleeding-web.rules)
 2007890 - ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list INSERT (bleeding-web.rules)
 2007891 - ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list DELETE (bleeding-web.rules)
 2007892 - ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UPDATE (bleeding-web.rules)
 2007893 - ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id SELECT (bleeding-web.rules)
 2007894 - ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UNION SELECT (bleeding-web.rules)
 2007895 - ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id INSERT (bleeding-web.rules)
 2007896 - ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id DELETE (bleeding-web.rules)
 2007897 - ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UPDATE (bleeding-web.rules)
 2007898 - ET TROJAN Sohanad Checkin via HTTP (bleeding-virus.rules)
 2007899 - ET MALWARE Suspicious User Agent (HTTP_CONNECT) (bleeding-malware.rules)
 2007900 - ET MALWARE Kpang.com Spyware User Agent (auctionplusup) (bleeding-malware.rules)
 2007901 - ET TROJAN Banker.OPX HTTP Checkin (bleeding-virus.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (bleeding-botcc.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2003392 - ET TROJAN Warezov/Stration Communicating with Controller (bleeding-virus.rules)
 2003436 - ET TROJAN Warezov/Stration Communicating with Controller 2 (bleeding-virus.rules)
 2007591 - ET TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress (bleeding-virus.rules)
 2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (bleeding-policy.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (bleeding-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (bleeding-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (bleeding-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (bleeding-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (bleeding-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (bleeding-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (bleeding-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (bleeding-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (bleeding-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2007634 - ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5 (bleeding-virus.rules)
 2007635 - ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Connect Ack (bleeding-virus.rules)
 2007637 - ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack (bleeding-virus.rules)


[---]         Removed rules:         [---]

  207873 - ET WEB WinIPDS Directory Traversal Vulnerabilities POST (bleeding-web.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (2):
        #  VERSION 1073
        #  Generated 2008-02-29 01:03:00 EDT

     -> Added to bleeding-drop.rules (2):
        #  VERSION 1073
        #  Generated 2008-02-29 01:03:00 EDT

     -> Added to bleeding-malware.rules (2):
        #fake antispyware package, sig by matt jonkman
        #check.mycomclean.com, by matt jonkman

     -> Added to bleeding-sid-msg.map (25):
        2007873 || ET WEB WinIPDS Directory Traversal Vulnerabilities POST || bugtraq,27757 || url,aluigi.altervista.org/adv/winipds-adv.txt
        2007880 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (-)
        2007881 || ET MALWARE Mycomclean.com Spyware User Agent (HTTP_GET_COMM)
        2007882 || ET MALWARE Mycomclean.com Spyware User Agent (SHINI)
        2007883 || ET MALWARE Virusheat.com Fake Anti-Spyware User Agent (VirusHeat 4.3)
        2007884 || ET MALWARE Suspicious User Agent (Example)
        2007885 || ET MALWARE Suspicious User Agent (downloader)
        2007886 || ET MALWARE Anti-virus-pro.com Fake AV Checkin
        2007887 || ET CURRENT_EVENTS Possible Comodo AntiVirus 2.0 ExecuteStr() Remote Command Execution Vulnerability || url,www.milw0rm.com/exploits/4974 || bugtraq,27424 || cve,CVE-2008-0470
        2007888 || ET CURRENT_EVENTS Rising Online Scanner Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5188 || bugtraq,27997
        2007889 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007890 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007891 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007892 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007893 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007894 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007895 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007896 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007897 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007898 || ET TROJAN Sohanad Checkin via HTTP
        2007899 || ET MALWARE Suspicious User Agent (HTTP_CONNECT)
        2007900 || ET MALWARE Kpang.com Spyware User Agent (auctionplusup)
        2007901 || ET TROJAN Banker.OPX HTTP Checkin
        2404018 || ET DROP Known Bot C&C Server Traffic (group 19)  || url,www.shadowserver.org
        2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to bleeding-sid-msg.map.txt (25):
        2007873 || ET WEB WinIPDS Directory Traversal Vulnerabilities POST || bugtraq,27757 || url,aluigi.altervista.org/adv/winipds-adv.txt
        2007880 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (-)
        2007881 || ET MALWARE Mycomclean.com Spyware User Agent (HTTP_GET_COMM)
        2007882 || ET MALWARE Mycomclean.com Spyware User Agent (SHINI)
        2007883 || ET MALWARE Virusheat.com Fake Anti-Spyware User Agent (VirusHeat 4.3)
        2007884 || ET MALWARE Suspicious User Agent (Example)
        2007885 || ET MALWARE Suspicious User Agent (downloader)
        2007886 || ET MALWARE Anti-virus-pro.com Fake AV Checkin
        2007887 || ET CURRENT_EVENTS Possible Comodo AntiVirus 2.0 ExecuteStr() Remote Command Execution Vulnerability || url,www.milw0rm.com/exploits/4974 || bugtraq,27424 || cve,CVE-2008-0470
        2007888 || ET CURRENT_EVENTS Rising Online Scanner Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5188 || bugtraq,27997
        2007889 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007890 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007891 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007892 || ET WEB Cacti SQL Injection Vulnerability -- graph_view graph_list UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007893 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007894 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UNION SELECT || bugtraq,27749 || cve,CVE-2008-0785
        2007895 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id INSERT || bugtraq,27749 || cve,CVE-2008-0785
        2007896 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id DELETE || bugtraq,27749 || cve,CVE-2008-0785
        2007897 || ET WEB Cacti SQL Injection Vulnerability -- tree.php leaf_id UPDATE || bugtraq,27749 || cve,CVE-2008-0785
        2007898 || ET TROJAN Sohanad Checkin via HTTP
        2007899 || ET MALWARE Suspicious User Agent (HTTP_CONNECT)
        2007900 || ET MALWARE Kpang.com Spyware User Agent (auctionplusup)
        2007901 || ET TROJAN Banker.OPX HTTP Checkin
        2404018 || ET DROP Known Bot C&C Server Traffic (group 19)  || url,www.shadowserver.org
        2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to bleeding-virus.rules (2):
        #Banker.OPX, by Matt Jonkman
        #disabling by default. 2007701 and 2007702 are more reliable. These tend to hit on skype and game traffic

     -> Added to bleeding-web.rules (1):
        #by Akash Mahajan of stillsecure

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (2):
        #  VERSION 1066
        #  Generated 2008-02-22 01:03:00 EDT

     -> Removed from bleeding-drop.rules (2):
        #  VERSION 1066
        #  Generated 2008-02-22 01:03:00 EDT

     -> Removed from bleeding-sid-msg.map (1):
        207873 || ET WEB WinIPDS Directory Traversal Vulnerabilities POST || bugtraq,27757 || url,aluigi.altervista.org/adv/winipds-adv.txt

     -> Removed from bleeding-sid-msg.map.txt (1):
        207873 || ET WEB WinIPDS Directory Traversal Vulnerabilities POST || bugtraq,27757 || url,aluigi.altervista.org/adv/winipds-adv.txt
