[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335...
Sat Oct 18 18:00:08 EDT 2008


[***] Results from Oinkmaster started Sat Oct 18 18:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2008654 - ET SCAN SQLix SQL Injection Vector Scan (emerging-scan.rules)
 2008655 - ET MALWARE Frequently Used Fake trojan downloader User Agent (emerging-malware.rules)
 2008656 - ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010) (emerging-malware.rules)
 2008657 - ET MALWARE Suspicious User-Agent Detected (Compatible) (emerging-malware.rules)
 2008658 - ET MALWARE Suspicious User-Agent Detected (GetUrlSize) (emerging-malware.rules)
 2008659 - ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3) (emerging-malware.rules)
 2008660 - ET TROJAN Torpig Infection Reporting (emerging-virus.rules)
 2008661 - ET TROJAN Zbot/Zeus HTTP POST (emerging-virus.rules)
 2008662 - ET TROJAN Generic PSW Agent server reply (emerging-virus.rules)
 2008663 - ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221) (emerging-malware.rules)
 2008664 - ET TROJAN Generic Dropper HTTP Bot grabbing config (emerging-virus.rules)
 2008665 - ET TROJAN Obfiscator.vc or Related Infection Checkin (emerging-virus.rules)
 2008666 - ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl) (emerging-virus.rules)
 2008667 - ET TROJAN Backdoor.Win32.Agent.fvt Checkin (emerging-virus.rules)
 2008668 - ET WEB_SPECIFIC myEvent viewevent.php SQL Injection (emerging-web_sql_injection.rules)
 2008669 - ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection (emerging-web_sql_injection.rules)
 2008670 - ET WEB_SPECIFIC SweetCMS page SQL Injection (emerging-web_sql_injection.rules)
 2008671 - ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion (emerging-web_sql_injection.rules)
 2008672 - ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection (emerging-web_sql_injection.rules)
 2008673 - ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-exploit.rules)
 2008674 - ET TROJAN Likely eCard Malware Laden Email Inbound (emerging-virus.rules)
 2008675 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start (emerging-virus.rules)
 2008676 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply (emerging-virus.rules)
 2008677 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply (emerging-virus.rules)


[///]     Modified active rules:     [///]

 2008549 - ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP) (emerging-malware.rules)
 2008640 - ET SCAN SIP erase_registrations/add registrations attempt (emerging-voip.rules)
 2008646 - ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC (emerging.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (emerging-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (emerging-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (emerging-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (emerging-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (emerging-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (emerging-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (emerging-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (emerging-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (emerging-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (emerging-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (emerging-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (emerging-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (emerging-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (emerging-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (emerging-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (emerging-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (emerging-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (emerging-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (emerging-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (emerging-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-drop-BLOCK.rules (2):
        #  VERSION 1330
        #  Generated 2008-10-18 00:03:02 EDT

     -> Added to emerging-drop.rules (2):
        #  VERSION 1330
        #  Generated 2008-10-18 00:03:02 EDT

     -> Added to emerging-exploit.rules (1):
        #by Veerendra at secpod

     -> Added to emerging-malware.rules (3):
        #by jeremy conway
        # ref: 6bbaadcf801e9026d27521ae3f093fe0
        # ref: 08e90268f52d942927c9f89fc9b796fb

     -> Added to emerging-sid-msg.map (24):
        2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category\:OWASP_SQLiX_Project
        2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent
        2008656 || ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010)
        2008657 || ET MALWARE Suspicious User-Agent Detected (Compatible)
        2008658 || ET MALWARE Suspicious User-Agent Detected (GetUrlSize)
        2008659 || ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3)
        2008660 || ET TROJAN Torpig Infection Reporting
        2008661 || ET TROJAN Zbot/Zeus HTTP POST
        2008662 || ET TROJAN Generic PSW Agent server reply
        2008663 || ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221)
        2008664 || ET TROJAN Generic Dropper HTTP Bot grabbing config
        2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin
        2008666 || ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl)
        2008667 || ET TROJAN Backdoor.Win32.Agent.fvt Checkin
        2008668 || ET WEB_SPECIFIC myEvent viewevent.php SQL Injection || url,www.milw0rm.com/exploits/6760 || bugtraq,31773
        2008669 || ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection || url,www.milw0rm.com/exploits/6758 || bugtraq,31771
        2008670 || ET WEB_SPECIFIC SweetCMS page SQL Injection || url,packetstorm.linuxsecurity.com/0810-exploits/sweetcms-sql.txt || url,secunia.com/Advisories/32277/
        2008671 || ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion || url,www.milw0rm.com/exploits/6427 || url,www.frsirt.com/english/advisories/2008/2550
        2008672 || ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection || url,www.milw0rm.com/exploits/6754 || url,secunia.com/advisories/32268
        2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
        2008674 || ET TROJAN Likely eCard Malware Laden Email Inbound || url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/
        2008675 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start
        2008676 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply
        2008677 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply

     -> Added to emerging-sid-msg.map.txt (24):
        2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category\:OWASP_SQLiX_Project
        2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent
        2008656 || ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010)
        2008657 || ET MALWARE Suspicious User-Agent Detected (Compatible)
        2008658 || ET MALWARE Suspicious User-Agent Detected (GetUrlSize)
        2008659 || ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3)
        2008660 || ET TROJAN Torpig Infection Reporting
        2008661 || ET TROJAN Zbot/Zeus HTTP POST
        2008662 || ET TROJAN Generic PSW Agent server reply
        2008663 || ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221)
        2008664 || ET TROJAN Generic Dropper HTTP Bot grabbing config
        2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin
        2008666 || ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl)
        2008667 || ET TROJAN Backdoor.Win32.Agent.fvt Checkin
        2008668 || ET WEB_SPECIFIC myEvent viewevent.php SQL Injection || url,www.milw0rm.com/exploits/6760 || bugtraq,31773
        2008669 || ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection || url,www.milw0rm.com/exploits/6758 || bugtraq,31771
        2008670 || ET WEB_SPECIFIC SweetCMS page SQL Injection || url,packetstorm.linuxsecurity.com/0810-exploits/sweetcms-sql.txt || url,secunia.com/Advisories/32277/
        2008671 || ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion || url,www.milw0rm.com/exploits/6427 || url,www.frsirt.com/english/advisories/2008/2550
        2008672 || ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection || url,www.milw0rm.com/exploits/6754 || url,secunia.com/advisories/32268
        2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
        2008674 || ET TROJAN Likely eCard Malware Laden Email Inbound || url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/
        2008675 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start
        2008676 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply
        2008677 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply

     -> Added to emerging-virus.rules (8):
        #re c6f326609487aaae451366728ec5cdd9
        #re 4bde1bc2f7b6d4e11b1a570aaa52df57
        # ref: c2a3a87735f8c5e11de82c52c94aefc7
        #by Veerendra at secpod
        #re 7a60eada62a331c793ba066e43bfc4f2
        # ref: 5742862edc6fddd3f51bf9d07c8d7aba
        #by Paul Dokas
        # ref: 940fc0b0d523be104a96b09871e42b1e

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-drop-BLOCK.rules (2):
        #  VERSION 1323
        #  Generated 2008-10-11 00:03:02 EDT

     -> Removed from emerging-drop.rules (2):
        #  VERSION 1323
        #  Generated 2008-10-11 00:03:02 EDT

     -> Removed from emerging-sid-msg.map (12):
        2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (12):
        2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
