[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Fri Mar 28 17:00:11 EDT 2008


[***] Results from Oinkmaster started Fri Mar 28 17:00:11 2008 [***]

[+++]          Added rules:          [+++]

 2008062 - ET WEB Univeral HTTP File Upload Remote File Deletetion (bleeding-web.rules)
 2008063 - ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit (bleeding-exploit.rules)
 2008064 - ET POLICY Nginx Server with no version string - Often Hostile Traffic (bleeding-policy.rules)
 2008065 - ET POLICY Nginx Server with modified version string - Often Hostile Traffic (bleeding-policy.rules)
 2008066 - ET MALWARE Suspicious Blank User-Agent (descriptor but no string) (bleeding-malware.rules)


[---]  Disabled and modified rules:  [---]

 2008054 - ET POLICY Nginx Server in use - Often Hostile Traffic (bleeding-policy.rules)


[---]         Disabled rules:        [---]

 2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report (bleeding.rules)


[---]         Removed rules:         [---]

 2007729 - ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe) (bleeding.rules)
 2007760 - ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe) (bleeding.rules)
 2007761 - ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe) (bleeding.rules)
 2007902 - ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe) (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        # disabling by default, falses a lot but may be of interest to some folks

     -> Added to bleeding-sid-msg.map (5):
        2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
        2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
        2008064 || ET POLICY Nginx Server with no version string - Often Hostile Traffic
        2008065 || ET POLICY Nginx Server with modified version string - Often Hostile Traffic
        2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no string)

     -> Added to bleeding-sid-msg.map.txt (5):
        2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
        2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
        2008064 || ET POLICY Nginx Server with no version string - Often Hostile Traffic
        2008065 || ET POLICY Nginx Server with modified version string - Often Hostile Traffic
        2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no string)

     -> Added to bleeding-web.rules (1):
        #by akash mahajan of stillsecure

     -> Added to bleeding.rules (1):
        #disabling by default. Is used in some legit places as well. Use this if you have a need

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (4):
        2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe)
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
        2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)

     -> Removed from bleeding-sid-msg.map.txt (4):
        2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe)
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
        2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)

     -> Removed from bleeding.rules (2):
        # by matt jonkman, to be removed/reconsidered on feb 20 08
        #keeping this, still getting reports of hits
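The sid-msg.map lines above use the Snort "sid || msg || system,id ..." format that snort and barnyard consult to label alerts. The following is an added example, not part of this report and not Oinkmaster's or Emerging Threats' own code: a parser for that format run over the added and removed map lines listed in this report (copied in as constructed inline input), plus the checks a sensor maintainer would want after applying such an update: per-category counts, added sids that carry no reference, and sid reuse between the removed and added sets. The function and class names are this example's own choices.

```python
"""Parse Snort sid-msg.map lines and summarise an Oinkmaster change set."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the sid-msg.map lines from the report above,
# embedded here so the example runs offline.
ADDED_MAP_LINES = """\
2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
2008064 || ET POLICY Nginx Server with no version string - Often Hostile Traffic
2008065 || ET POLICY Nginx Server with modified version string - Often Hostile Traffic
2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no string)
"""

REMOVED_MAP_LINES = """\
2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe)
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
"""

# The category is the first word after the "ET " prefix; "CURRENT EVENTS"
# (also written CURRENT_EVENTS in some rule files) is the one two-word category
# seen in this report, so it is matched explicitly.
_CATEGORY_RE = re.compile(r"^ET (CURRENT[ _]EVENTS|[A-Z_]+)\b")


@dataclass
class SidEntry:
    sid: int
    msg: str
    refs: List[Tuple[str, str]] = field(default_factory=list)  # (system, id)

    @property
    def category(self) -> str:
        m = _CATEGORY_RE.match(self.msg)
        return m.group(1).replace("_", " ") if m else "UNKNOWN"


def parse_sid_msg_map(text: str) -> Dict[int, SidEntry]:
    """Parse 'sid || msg [|| system,id ...]' lines into a sid-keyed dict.

    Blank and '#' comment lines are skipped. A line missing the sid or msg
    field, with a non-numeric sid, with a duplicate sid, or with a reference
    lacking its id raises ValueError: a malformed map line would otherwise
    make the alert labeller attach the wrong message to a sid.
    """
    entries: Dict[int, SidEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: malformed sid-msg.map entry: {raw!r}")
        sid = int(fields[0])
        if sid in entries:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        refs: List[Tuple[str, str]] = []
        for ref in fields[2:]:
            system, _, ident = ref.partition(",")
            if not ident:
                raise ValueError(f"line {lineno}: reference without an id: {ref!r}")
            refs.append((system.strip(), ident.strip()))
        entries[sid] = SidEntry(sid, fields[1], refs)
    return entries


def category_counts(entries: Dict[int, SidEntry]) -> Dict[str, int]:
    """Number of entries per ET category (WEB, POLICY, MALWARE, ...)."""
    return dict(Counter(e.category for e in entries.values()))


def unreferenced_sids(entries: Dict[int, SidEntry]) -> List[int]:
    """Sids whose map entry carries no url/bugtraq/cve reference at all."""
    return sorted(sid for sid, e in entries.items() if not e.refs)


def reused_sids(added: Dict[int, SidEntry], removed: Dict[int, SidEntry]) -> set:
    """Sids present in both sets: a sid number reassigned to a different rule,
    which silently breaks any threshold or suppress tuning keyed on that sid."""
    return set(added) & set(removed)


if __name__ == "__main__":
    added = parse_sid_msg_map(ADDED_MAP_LINES)
    removed = parse_sid_msg_map(REMOVED_MAP_LINES)
    print("added by category:  ", category_counts(added))
    print("removed by category:", category_counts(removed))
    print("added without a reference:", unreferenced_sids(added))
    print("sid reuse between removed and added:", reused_sids(added, removed) or "none")
```

The unreferenced check is the one worth wiring into an update pipeline: the three POLICY/MALWARE additions in this report have no reference, which is normal for heuristic rules but is exactly where an analyst will later need the rule's comment line to understand a hit.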
