[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335...
Sat Nov 15 18:00:08 EST 2008


[***] Results from Oinkmaster started Sat Nov 15 18:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2008740 - ET TROJAN Ligats/DR.Ilomo Agent Post (emerging-virus.rules)
 2008741 - ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin (emerging.rules)
 2008742 - ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) (emerging-malware.rules)
 2008743 - ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk) (emerging-malware.rules)
 2008744 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules)
 2008745 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules)
 2008746 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules)
 2008747 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules)
 2008748 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules)
 2008749 - ET MALWARE Suspicious User-Agent (checkonline) (emerging-malware.rules)
 2008750 - ET TROJAN Buzus FTP Log Upload (emerging-virus.rules)
 2008751 - ET TROJAN Alureon Checkin (Post) (emerging-virus.rules)
 2008752 - ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent) (emerging-virus.rules)
 2008753 - ET TROJAN AdWare.Win32.Yokbar Checkin URL (emerging-virus.rules)
 2008754 - ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image (emerging-malware.rules)
 2008755 - ET TROJAN Autorun.qvi Related HTTP Get on Off Port (emerging-virus.rules)
 2008756 - ET MALWARE Suspicious User-Agent (Kvadrlson 1.0) (emerging-malware.rules)
 2008757 - ET MALWARE Zenosearch Malware Checkin HTTP POST (emerging-malware.rules)
 2008758 - ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL (emerging-virus.rules)
 2008759 - ET MALWARE Matcash Trojan Related Spyware Code Download (emerging-malware.rules)
 2008760 - ET TROJAN Insidebar.co.kr Related Infection Checkin (emerging-virus.rules)
 2008765 - ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser) (emerging-virus.rules)
 2008766 - ET TROJAN Generic Downloader Checkin Url Detected (emerging-virus.rules)
 2008767 - ET TROJAN Kangkio User-Agent (lsosss) (emerging-virus.rules)
 2008768 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin (emerging.rules)
 2008769 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response (emerging.rules)
 2008770 - ET CURRENT_EVENTS Unknown Trojan P2P Data Download (emerging.rules)
 2008771 - ET CURRENT_EVENTS Unknown Trojan P2P Download Request (emerging.rules)
 2008772 - ET CURRENT_EVENTS Unknown Trojan P2P Request (emerging.rules)
 2008773 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (emerging.rules)
 2008774 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules)
 2008775 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules)
 2008776 - ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 (emerging-exploit.rules)
 2008777 - ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 (emerging-exploit.rules)
 2008778 - ET TROJAN Ligats/DR.Ilomo Agent Post (2) (emerging-virus.rules)
 2008779 - ET CURRENT_EVENTS Unknown Keepalive up (emerging.rules)
 2008780 - ET CURRENT_EVENTS Unknown Keepalive down (emerging.rules)
 2008781 - ET POLICY Set flow on rar file get (emerging-policy.rules)
 2008782 - ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file) (emerging-policy.rules)
 2008783 - ET POLICY Possible Trojan File Download - Rar Requested but not received (emerging-policy.rules)


[///]     Modified active rules:     [///]

 2000536 - ET SCAN NMAP -sO (emerging-scan.rules)
 2000537 - ET SCAN NMAP -sS (emerging-scan.rules)
 2000538 - ET SCAN NMAP -sA (1) (emerging-scan.rules)
 2000540 - ET SCAN NMAP -sA (2) (emerging-scan.rules)
 2000543 - ET SCAN NMAP -f -sF (emerging-scan.rules)
 2000544 - ET SCAN NMAP -f -sN (emerging-scan.rules)
 2000545 - ET SCAN NMAP -f -sS (emerging-scan.rules)
 2000546 - ET SCAN NMAP -f -sX (emerging-scan.rules)
 2003607 - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting (emerging-malware.rules)
 2008675 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start (emerging-virus.rules)
 2008676 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply (emerging-virus.rules)
 2008677 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply (emerging-virus.rules)
 2008735 - ET MALWARE Suspicious User Agent (FTP) (emerging-malware.rules)
 2008737 - ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin (emerging.rules)
 2008739 - ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound (emerging.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (emerging-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (emerging-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (emerging-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (emerging-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (emerging-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (emerging-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (emerging-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (emerging-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (emerging-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (emerging-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (emerging-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (emerging-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (emerging-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (emerging-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (emerging-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (emerging-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (emerging-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (emerging-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (emerging-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (emerging-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2001950 - ET POLICY RAR File Outbound (emerging-policy.rules)
 2001951 - ET POLICY RAR File Inbound (emerging-policy.rules)
 2002968 - ET MALWARE Matcash.com Spyware Code Download (emerging-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-drop-BLOCK.rules (2):
        #  VERSION 1359
        #  Generated 2008-11-15 00:03:02 EDT

     -> Added to emerging-drop.rules (2):
        #  VERSION 1359
        #  Generated 2008-11-15 00:03:02 EDT

     -> Added to emerging-exploit.rules (2):
        #by Veerendra
        # 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack.

     -> Added to emerging-malware.rules (1):
        #from vienna

     -> Added to emerging-policy.rules (2):
        #by Sandro Reis
        #by Jeremy at sudosecure

     -> Added to emerging-sid-msg.map (52):
        2000536 || ET SCAN NMAP -sO
        2000537 || ET SCAN NMAP -sS
        2000538 || ET SCAN NMAP -sA (1)
        2000540 || ET SCAN NMAP -sA (2)
        2000543 || ET SCAN NMAP -f -sF
        2000544 || ET SCAN NMAP -f -sN
        2000545 || ET SCAN NMAP -f -sS
        2000546 || ET SCAN NMAP -f -sX
        2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin
        2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound
        2008740 || ET TROJAN Ligats/DR.Ilomo Agent Post
        2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin
        2008742 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun)
        2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk)
        2008744 || ET POLICY Possible External FreeGate DNS Query
        2008745 || ET POLICY Possible External FreeGate DNS Query
        2008746 || ET POLICY Possible External FreeGate DNS Query
        2008747 || ET POLICY Possible External FreeGate DNS Query
        2008748 || ET POLICY Possible External FreeGate DNS Query
        2008749 || ET MALWARE Suspicious User-Agent (checkonline)
        2008750 || ET TROJAN Buzus FTP Log Upload
        2008751 || ET TROJAN Alureon Checkin (Post)
        2008752 || ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)
        2008753 || ET TROJAN AdWare.Win32.Yokbar Checkin URL
        2008754 || ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image
        2008755 || ET TROJAN Autorun.qvi Related HTTP Get on Off Port
        2008756 || ET MALWARE Suspicious User-Agent (Kvadrlson 1.0)
        2008757 || ET MALWARE Zenosearch Malware Checkin HTTP POST
        2008758 || ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL
        2008759 || ET MALWARE Matcash Trojan Related Spyware Code Download
        2008760 || ET TROJAN Insidebar.co.kr Related Infection Checkin
        2008765 || ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser)
        2008766 || ET TROJAN Generic Downloader Checkin Url Detected
        2008767 || ET TROJAN Kangkio User-Agent (lsosss)
        2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin
        2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response
        2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download
        2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request
        2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request
        2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/
        2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/
        2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/
        2008776 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738
        2008777 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738
        2008778 || ET TROJAN Ligats/DR.Ilomo Agent Post (2)
        2008779 || ET CURRENT_EVENTS Unknown Keepalive up
        2008780 || ET CURRENT_EVENTS Unknown Keepalive down
        2008781 || ET POLICY Set flow on rar file get
        2008782 || ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file) || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162
        2008783 || ET POLICY Possible Trojan File Download - Rar Requested but not received || url, www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162
        2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (52):
        2000536 || ET SCAN NMAP -sO
        2000537 || ET SCAN NMAP -sS
        2000538 || ET SCAN NMAP -sA (1)
        2000540 || ET SCAN NMAP -sA (2)
        2000543 || ET SCAN NMAP -f -sF
        2000544 || ET SCAN NMAP -f -sN
        2000545 || ET SCAN NMAP -f -sS
        2000546 || ET SCAN NMAP -f -sX
        2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin
        2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound
        2008740 || ET TROJAN Ligats/DR.Ilomo Agent Post
        2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin
        2008742 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun)
        2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk)
        2008744 || ET POLICY Possible External FreeGate DNS Query
        2008745 || ET POLICY Possible External FreeGate DNS Query
        2008746 || ET POLICY Possible External FreeGate DNS Query
        2008747 || ET POLICY Possible External FreeGate DNS Query
        2008748 || ET POLICY Possible External FreeGate DNS Query
        2008749 || ET MALWARE Suspicious User-Agent (checkonline)
        2008750 || ET TROJAN Buzus FTP Log Upload
        2008751 || ET TROJAN Alureon Checkin (Post)
        2008752 || ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)
        2008753 || ET TROJAN AdWare.Win32.Yokbar Checkin URL
        2008754 || ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image
        2008755 || ET TROJAN Autorun.qvi Related HTTP Get on Off Port
        2008756 || ET MALWARE Suspicious User-Agent (Kvadrlson 1.0)
        2008757 || ET MALWARE Zenosearch Malware Checkin HTTP POST
        2008758 || ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL
        2008759 || ET MALWARE Matcash Trojan Related Spyware Code Download
        2008760 || ET TROJAN Insidebar.co.kr Related Infection Checkin
        2008765 || ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser)
        2008766 || ET TROJAN Generic Downloader Checkin Url Detected
        2008767 || ET TROJAN Kangkio User-Agent (lsosss)
        2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin
        2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response
        2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download
        2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request
        2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request
        2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/
        2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/
        2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/
        2008776 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738
        2008777 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738
        2008778 || ET TROJAN Ligats/DR.Ilomo Agent Post (2)
        2008779 || ET CURRENT_EVENTS Unknown Keepalive up
        2008780 || ET CURRENT_EVENTS Unknown Keepalive down
        2008781 || ET POLICY Set flow on rar file get
        2008782 || ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file) || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162
        2008783 || ET POLICY Possible Trojan File Download - Rar Requested but not received || url, www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162
        2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-virus.rules (1):
        #these are mcboo.com and bundlext.com related. David Yawsa registrant

     -> Added to emerging.rules (8):
        #by Veererendra
        # 10/11/2008 Activation Key Malware - Trojan horse
        #many sources
        #from Vienna with love
        #re 60fa2ff79411dd1cb829e8a966aa86fc
        #Unknown so far, no AV coverage, appears to be peer to peer
        #moves to 7090 in samples
        #moved to 5622 in samples

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-drop-BLOCK.rules (2):
        #  VERSION 1352
        #  Generated 2008-11-08 00:03:02 EDT

     -> Removed from emerging-drop.rules (2):
        #  VERSION 1352
        #  Generated 2008-11-08 00:03:02 EDT

     -> Removed from emerging-policy.rules (1):
        #By Sam Pabon

     -> Removed from emerging-sid-msg.map (13):
        2000536 || ET SCAN NMAP -sO || arachnids,162
        2000537 || ET SCAN NMAP -sS || arachnids,162
        2000538 || ET SCAN NMAP -sA (1) || arachnids,162
        2000540 || ET SCAN NMAP -sA (2) || arachnids,162
        2000543 || ET SCAN NMAP -f -sF || arachnids,162
        2000544 || ET SCAN NMAP -f -sN || arachnids,162
        2000545 || ET SCAN NMAP -f -sS || arachnids,162
        2000546 || ET SCAN NMAP -f -sX || arachnids,162
        2001950 || ET POLICY RAR File Outbound
        2001951 || ET POLICY RAR File Inbound
        2002968 || ET MALWARE Matcash.com Spyware Code Download || url,matcash.com
        2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin
        2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound

     -> Removed from emerging-sid-msg.map.txt (13):
        2000536 || ET SCAN NMAP -sO || arachnids,162
        2000537 || ET SCAN NMAP -sS || arachnids,162
        2000538 || ET SCAN NMAP -sA (1) || arachnids,162
        2000540 || ET SCAN NMAP -sA (2) || arachnids,162
        2000543 || ET SCAN NMAP -f -sF || arachnids,162
        2000544 || ET SCAN NMAP -f -sN || arachnids,162
        2000545 || ET SCAN NMAP -f -sS || arachnids,162
        2000546 || ET SCAN NMAP -f -sX || arachnids,162
        2001950 || ET POLICY RAR File Outbound
        2001951 || ET POLICY RAR File Inbound
        2002968 || ET MALWARE Matcash.com Spyware Code Download || url,matcash.com
        2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin
        2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound
